jigsaw | 4bdfa0f7676d04b93a7abd26d1ca02114b7ffeab3b4aa21f003e9e605ce7425d | Triage

Submit
Reports

Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

Static

static

1

HEUR-Troja...cca.7z

windows10-2004-x64

Sharing

General

Target

HEUR-Trojan-Ransom.MSIL.Gen.gen-0921add95609d77f0c6195b2bec474b693ec217abb1db496f367c768bfbe7cca.7z
Size

221KB
Sample

250228-srqbya1q17
MD5

4295ccfda99a2c3185ed6da64e71c692
SHA1

f652680c70da9db20f2ed63e81e3e8f3e8dc9f73
SHA256

4bdfa0f7676d04b93a7abd26d1ca02114b7ffeab3b4aa21f003e9e605ce7425d
SHA512

e1c5c2b8c8e7538c93f98a1a17deeed012e291eb8f92f1ff6c5efbc6cb446c9419b3ad493d1e4c86b9928453a3475fb8b67315fe8e574915a038ebc2d5dfeec8
SSDEEP

6144:dzL0N14NF6r93BAJkqp/PIey3SxOTe6CixjsY5aFkAB:dWUF6hQkqpaeMpCixjswCkY

Score

10^/10

jigsaw discovery persistence ransomware spyware stealer

Static task

static1

Behavioral task

behavioral1

Sample

HEUR-Trojan-Ransom.MSIL.Gen.gen-0921add95609d77f0c6195b2bec474b693ec217abb1db496f367c768bfbe7cca.7z

Resource

win10v2004-20250217-en

jigsaw discovery persistence ransomware spyware stealer

windows10-2004-x64

23 signatures

300 seconds

Malware Config

Targets

- Target
  
  HEUR-Trojan-Ransom.MSIL.Gen.gen-0921add95609d77f0c6195b2bec474b693ec217abb1db496f367c768bfbe7cca.7z
- Size
  
  221KB
- MD5
  
  4295ccfda99a2c3185ed6da64e71c692
- SHA1
  
  f652680c70da9db20f2ed63e81e3e8f3e8dc9f73
- SHA256
  
  4bdfa0f7676d04b93a7abd26d1ca02114b7ffeab3b4aa21f003e9e605ce7425d
- SHA512
  
  e1c5c2b8c8e7538c93f98a1a17deeed012e291eb8f92f1ff6c5efbc6cb446c9419b3ad493d1e4c86b9928453a3475fb8b67315fe8e574915a038ebc2d5dfeec8
- SSDEEP
  
  6144:dzL0N14NF6r93BAJkqp/PIey3SxOTe6CixjsY5aFkAB:dWUF6hQkqpaeMpCixjswCkY
Score

10^/10

jigsaw discovery persistence ransomware spyware stealer
- Jigsaw Ransomware
  Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
  ransomware jigsaw
- Jigsaw family
  jigsaw
- Suspicious use of NtCreateProcessExOtherParentProcess
- Renames multiple (3690) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Credential Access

Credentials from Password Stores

Credentials from Web Browsers

Unsecured Credentials

Credentials In Files

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

jigsawdiscoverypersistenceransomwarespywarestealer

© 2018-2025

Terms | Privacy