jigsaw | 92880fa12ebc08efe411f63e623fe80225b771f493e80d4cc159f100229c5a5d

Analysis

max time kernel
30s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/03/2025, 23:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cats.exe
Size

126KB
MD5

e0d108435c58dc9403588e4dcab68275
SHA1

7a7331423938020550ff3decd2e8b50b3ee5c87a
SHA256

61cd0131cb4bf090c5ee7761566f6f7a778e78b37d220f0506f98632a2663ee8
SHA512

2a5648ced91b75d928b4d71a8580c5bee75a5f27623f8c5071cd23b8cd85eaa8129ddb0aaf0a1fcca05fb1b7868a0fcd9306e9ddf2d3eaaf605c41cc7fde4a9e
SSDEEP

3072:7+gYdgLNp0jPilel4+800N1lknzRxqmhda40U6hrnzRxqmhda40U6hK:6gvunnhdaLlrnnhdaLl

Score

10^/10

jigsaw persistence ransomware spyware stealer

Malware Config

Signatures

Jigsaw Ransomware
Ransomware family first created in 2016. Named based on wallpaper set after infection in the early versions.
ransomware jigsaw
Jigsaw family
jigsaw
Renames multiple (1623) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
2376	Chrome32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe = "C:\\Users\\Admin\\AppData\\Roaming\\Frfx\\firefox.exe"	cats.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\1.png	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)notConnectedStateIcon.png	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png.cat	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml	Chrome32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrl.xml	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.docs.ja_5.5.0.165303.jar	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml.cat	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.metadata.nl_zh_4.4.0.v20140623020002.jar	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\highDpiImageSwap.js	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\sa-jdi.jar.cat	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\gadget.xml	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\blank.png	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.core.net.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.cat	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\settings.js	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-core-kit.jar	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\PublicFunctions.js	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\settings_right_hover.png	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64.nl_ja_4.4.0.v20140623020002.jar.cat	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_mid_disable.gif	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\rtf_decreaseindent.gif	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\gadget.xml	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ext_5.5.0.165303.jar.cat	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\settings.js	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml.cat	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-cli.xml	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiler.xml.cat	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_gray_snow.png	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\docked_gray_snow.png	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text_3.9.1.v20140827-1810.jar	Chrome32.exe
File created	C:\Program Files\7-Zip\Lang\lv.txt.cat	Chrome32.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\SmallLogo.png.cat	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.css.core.nl_ja_4.4.0.v20140623020002.jar.cat	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.ui.sdk.scheduler_1.2.0.v20140422-1847.jar.cat	Chrome32.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\Response.gif.cat	Chrome32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	Chrome32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Median.xml	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-nodes.xml.cat	Chrome32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrfrash.dat	Chrome32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web.xml	Chrome32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\1047x576black.png	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\gadget.xml	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\Gadget_Waitcursor.gif	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImagesMask.bmp	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\undocked_black_thunderstorm.png	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.text.nl_zh_4.4.0.v20140623020002.jar.cat	Chrome32.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\dsn.jar.cat	Chrome32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\hwrdeush.dat	Chrome32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsrom.xml	Chrome32.exe
File opened for modification	C:\Program Files\Java\jre7\lib\jce.jar	Chrome32.exe
File opened for modification	C:\Program Files\InstallWrite.dot	Chrome32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Full\pushplaysubpicture.png	Chrome32.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\huemainsubpicture2.png	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-host.jar	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Thatch.xml	Chrome32.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\settings.js	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.http.jetty_3.0.200.v20131021-1843.jar	Chrome32.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx.ext_5.5.0.165303.jar	Chrome32.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\button_right_disable.gif.cat	Chrome32.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\gadget.xml	Chrome32.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml	Chrome32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2376	2484	cats.exe	30
PID 2484 wrote to memory of 2376	2484	cats.exe	30
PID 2484 wrote to memory of 2376	2484	cats.exe	30

C:\Users\Admin\AppData\Local\Temp\cats.exe
"C:\Users\Admin\AppData\Local\Temp\cats.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Google (x86)\Chrome32.exe
  "C:\Users\Admin\AppData\Local\Google (x86)\Chrome32.exe" C:\Users\Admin\AppData\Local\Temp\cats.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\invalid32x32.gif.cat

Filesize
160B

MD5
a8258060e35cd08265a3f658e6aa2963

SHA1
a67c6aeb6db7a488c84810feea22a2d6f7be9bc8

SHA256
e847f277e6adf5f94573c0f1b10ac15efd6ca48f34f9be52e9baec6e1f1de04b

SHA512
70ecf38aa25d92ffff7a24ea35c467c95b9a22dfdc99e0705d56527923cda574add21987ab98ae2b8c589e334141d6957a660a3e34a546c764c3e42069f50d45

Download Submit
C:\Users\Admin\AppData\Local\Google (x86)\Chrome32.exe

Filesize
126KB

MD5
e0d108435c58dc9403588e4dcab68275

SHA1
7a7331423938020550ff3decd2e8b50b3ee5c87a

SHA256
61cd0131cb4bf090c5ee7761566f6f7a778e78b37d220f0506f98632a2663ee8

SHA512
2a5648ced91b75d928b4d71a8580c5bee75a5f27623f8c5071cd23b8cd85eaa8129ddb0aaf0a1fcca05fb1b7868a0fcd9306e9ddf2d3eaaf605c41cc7fde4a9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\DNTException\container.dat.cat

Filesize
16B

MD5
a2ec71f236b0da26c756b086bd502f09

SHA1
e9dc21e143a2aba3ca9eb634ed291ddf93b32e4b

SHA256
b4805a7f3e187212efacd5c2475bc8a30ce7274f8dae65858537a7f08b866717

SHA512
a1d0f50c760c9bc3ab50053633e2fd3bdca6d0de8f256b48b5c45c8bc20a93a7e2123b09c8ce5de3c9ef013d0f2c3de165d68f7748c89d629122ae6d498e9af3

Download Submit
memory/2376-9-0x000007FEF5550000-0x000007FEF5EED000-memory.dmp

Filesize
9.6MB

Download
memory/2376-11-0x000007FEF5550000-0x000007FEF5EED000-memory.dmp

Filesize
9.6MB

Download
memory/2484-0-0x000007FEF580E000-0x000007FEF580F000-memory.dmp

Filesize
4KB

Download
memory/2484-6-0x000007FEF5550000-0x000007FEF5EED000-memory.dmp

Filesize
9.6MB

Download
memory/2484-8-0x000007FEF5550000-0x000007FEF5EED000-memory.dmp

Filesize
9.6MB

Download
memory/2484-10-0x000007FEF5550000-0x000007FEF5EED000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads