
Jigsaw Ransomware analysis

Summary (Jigsaw Ransomware timeline)

Jigsaw.exe - Process create (684)

 [+] Copy file: Jigsaw.exe => C:\Users\Scott\AppData\Roaming\Frfx\firefox.exe

 [+] Copy file: Jigsaw.exe => C:\Users\Scott\AppData\Local\Drpbx\drpbx.exe

 [+] Add registry => HKU\S-1-5-21-3088076523-2200090595-96777359-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe: "C:\Users\kimhy\AppData\Roaming\Frfx\firefox.exe"

[+] Drpbx.exe - Child process create (1584)

[-] Parent process (684) terminated

[+] Encrypt files.

[+] Create file => C:\Users\kimhy\AppData\Roaming\System32Work\Address.txt

[+] Create file => C:\Users\kimhy\AppData\Roaming\System32Work\EncryptedFileList.txt

[+] Network access (user clicks button) => 104.16.152.172:80

[+] Add registry => HKLM\SOFTWARE\Microsoft\Tracing\drpbx_RASMANCS\EnableFileTracing: 0x00000000
[+] Add registry => HKLM\SOFTWARE\Microsoft\Tracing\drpbx_RASMANCS\EnableConsoleTracing: 0x00000000
[+] Add registry => HKLM\SOFTWARE\Microsoft\Tracing\drpbx_RASMANCS\FileTracingMask: 0xFFFF0000
[+] Add registry => HKLM\SOFTWARE\Microsoft\Tracing\drpbx_RASMANCS\ConsoleTracingMask: 0xFFFF0000
[+] Add registry => HKLM\SOFTWARE\Microsoft\Tracing\drpbx_RASMANCS\MaxFileSize: 0x00100000
[+] Add registry => HKLM\SOFTWARE\Microsoft\Tracing\drpbx_RASMANCS\FileDirectory: "%windir%\tracing"

Symptoms of compromise

# Demands money, together with a message like the one above and a time limit.

# Encrypts .fun files.

Analysis tools

1. sysmon

2. regshot

3. procmon

1. sysmon

UtcTime: 2018-02-13 15:44:40.989
ProcessId: 2060
Image: C:\Users\kimhy\Desktop\malware\Ransomware.Jigsaw\jigsaw.exe
CommandLine: "C:\Users\kimhy\Desktop\malware\Ransomware.Jigsaw\jigsaw.exe"
ParentProcessId: 1968
ParentImage: C:\Windows\explorer.exe

SHA1=27D99FBCA067F478BB91CDBCB92F13A828B00859
▶ Jigsaw.exe executed from explorer.exe by the user's click

UtcTime: 2018-02-13 15:44:41.441
ProcessId: 2576
Image: C:\Users\kimhy\AppData\Local\Drpbx\drpbx.exe
CommandLine: "C:\Users\kimhy\AppData\Local\Drpbx\drpbx.exe" C:\Users\kimhy\Desktop\malware\Ransomware.Jigsaw\jigsaw.exe
ParentProcessId: 2060
ParentImage: C:\Users\kimhy\Desktop\malware\Ransomware.Jigsaw\jigsaw.exe

▶ Copied to drpbx.exe and executed

Process terminated:
UtcTime: 2018-02-13 15:44:41.660
ProcessId: 2060
Image: C:\Users\kimhy\Desktop\malware\Ransomware.Jigsaw\jigsaw.exe

▶ drpbx.exe kills the parent process

Process terminated:
UtcTime: 2018-02-13 15:50:40.396
ProcessId: 2576
Image: C:\Users\kimhy\AppData\Local\Drpbx\drpbx.exe
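The four Sysmon events above show a chain a responder can hunt for: jigsaw.exe starts a copy of itself from AppData, hands it the original sample's path on the command line, and exits about 0.2 seconds later. The script below is an added example, not part of the original post; it replays those events as constructed records (the field names and the 5-second window are assumptions) and flags the handoff.

```python
from datetime import datetime

# Constructed records mirroring the four Sysmon events quoted above
# (event ID 1 = process create, event ID 5 = process terminate).
EVENTS = [
    {"type": "create", "utc": "2018-02-13 15:44:40.989", "pid": 2060, "ppid": 1968,
     "image": r"C:\Users\kimhy\Desktop\malware\Ransomware.Jigsaw\jigsaw.exe",
     "cmd": r'"C:\Users\kimhy\Desktop\malware\Ransomware.Jigsaw\jigsaw.exe"'},
    {"type": "create", "utc": "2018-02-13 15:44:41.441", "pid": 2576, "ppid": 2060,
     "image": r"C:\Users\kimhy\AppData\Local\Drpbx\drpbx.exe",
     "cmd": r'"C:\Users\kimhy\AppData\Local\Drpbx\drpbx.exe" '
            r"C:\Users\kimhy\Desktop\malware\Ransomware.Jigsaw\jigsaw.exe"},
    {"type": "terminate", "utc": "2018-02-13 15:44:41.660", "pid": 2060,
     "image": r"C:\Users\kimhy\Desktop\malware\Ransomware.Jigsaw\jigsaw.exe"},
    {"type": "terminate", "utc": "2018-02-13 15:50:40.396", "pid": 2576,
     "image": r"C:\Users\kimhy\AppData\Local\Drpbx\drpbx.exe"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")

def in_appdata(path):
    # True when the image lives under a user's AppData tree (Local or Roaming).
    return "\\appdata\\" in path.lower()

def find_dropper_handoffs(events, window_s=5.0):
    """Return (parent_pid, child_pid) pairs where a parent started a child
    from AppData, passed its own path on the child's command line, and
    exited within window_s seconds of the child starting."""
    creates = {e["pid"]: e for e in events if e["type"] == "create"}
    ends = {e["pid"]: parse_ts(e["utc"]) for e in events if e["type"] == "terminate"}
    hits = []
    for child in creates.values():
        parent = creates.get(child["ppid"])
        if parent is None or not in_appdata(child["image"]):
            continue
        if parent["image"].lower() not in child["cmd"].lower():
            continue  # child was not handed the original sample's path
        ended = ends.get(parent["pid"])
        if ended and 0 <= (ended - parse_ts(child["utc"])).total_seconds() <= window_s:
            hits.append((parent["pid"], child["pid"]))
    return hits

if __name__ == "__main__":
    for ppid, cpid in find_dropper_handoffs(EVENTS):
        print(f"suspect dropper handoff: parent {ppid} -> child {cpid}")
```

On real data, feed it Sysmon event ID 1 and 5 records exported from the event log; PID reuse over long windows would need the create timestamp added to the key.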


2. Regshot

HKLM\SOFTWARE\Microsoft\Tracing\drpbx_RASMANCS\EnableFileTracing: 0x00000000
HKLM\SOFTWARE\Microsoft\Tracing\drpbx_RASMANCS\EnableConsoleTracing: 0x00000000
HKLM\SOFTWARE\Microsoft\Tracing\drpbx_RASMANCS\FileTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Microsoft\Tracing\drpbx_RASMANCS\ConsoleTracingMask: 0xFFFF0000
HKLM\SOFTWARE\Microsoft\Tracing\drpbx_RASMANCS\MaxFileSize: 0x00100000
HKLM\SOFTWARE\Microsoft\Tracing\drpbx_RASMANCS\FileDirectory: "%windir%\tracing"

HKU\S-1-5-21-3088076523-2200090595-96777359-1000\Software\Microsoft\Windows\CurrentVersion\Run\firefox.exe: "C:\Users\kimhy\AppData\Roaming\Frfx\firefox.exe"
HKU\S-1-5-21-3088076523-2200090595-96777359-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\kimhy\Desktop\malware\Ransomware.Jigsaw\jigsaw.exe: "Firefox"
HKU\S-1-5-21-3088076523-2200090595-96777359-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Users\kimhy\Desktop\malware\Ransomware.Jigsaw\jigsaw.exe: "Firefox"

3. Procmon

# Confirmed that it copies itself to firefox.exe and drpbx.exe

# Confirmed that it encrypts the files; the original files are deleted. (Check the options.)

# Confirmed creation of the Address.txt file

# Confirmed creation of the Encryption.txt file (if you actually go to the path above, the file exists as shown)