File name:

ransomware jigsaw.exe

Full analysis: https://app.any.run/tasks/b9c5c5fb-136e-44c5-b388-529b727c6982
Verdict: Malicious activity
Analysis date: March 27, 2023, 22:14:36
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-dosexec
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
MD5:

2773E3DC59472296CB0024BA7715A64E

SHA1:

27D99FBCA067F478BB91CDBCB92F13A828B00859

SHA256:

3AE96F73D805E1D3995253DB4D910300D8442EA603737A1428B613061E7F61E7

SSDEEP:

6144:7fukPLPvucHiQQQ4uuy9ApZbZWxcZt+kTfMLJTOAZiYSXjjeqXus:7fu5cCT7yYlWi8kTfMLJTOAZiYSXjyqX

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Steals credentials from Web Browsers

      • drpbx.exe (PID: 876)

    • Actions looks like stealing of personal data

      • drpbx.exe (PID: 876)

  • SUSPICIOUS

    • Starts itself from another location

      • ransomware jigsaw.exe (PID: 2368)

    • Executable content was dropped or overwritten

      • ransomware jigsaw.exe (PID: 2368)

    • Reads the Internet Settings

      • ransomware jigsaw.exe (PID: 2368)
      • rundll32.exe (PID: 3480)

  • INFO

    • The process checks LSA protection

      • ransomware jigsaw.exe (PID: 2368)
      • explorer.exe (PID: 3812)
      • drpbx.exe (PID: 876)

    • Reads the computer name

      • ransomware jigsaw.exe (PID: 2368)

    • Checks supported languages

      • ransomware jigsaw.exe (PID: 2368)
      • drpbx.exe (PID: 876)

    • Reads the machine GUID from the registry

      • ransomware jigsaw.exe (PID: 2368)
      • drpbx.exe (PID: 876)

    • Creates files or folders in the user directory

      • ransomware jigsaw.exe (PID: 2368)
      • drpbx.exe (PID: 876)

    • Manual execution by a user

      • explorer.exe (PID: 3812)
      • rundll32.exe (PID: 3480)

    • Create files in a temporary directory

      • drpbx.exe (PID: 876)
      • iexplore.exe (PID: 3876)

    • Creates files in the program directory

      • drpbx.exe (PID: 876)

    • Application launched itself

      • iexplore.exe (PID: 3876)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (61.6)
.dll | Win32 Dynamic Link Library (generic) (14.6)
.exe | Win32 Executable (generic) (10)
.exe | Win16/32 Executable Delphi generic (4.6)
.exe | Generic Win/DOS Executable (4.4)

EXIF

EXE

AssemblyVersion: 37.0.2.5583
ProductVersion: 37.0.2.5583
ProductName: Firefox
OriginalFileName: BitcoinBlackmailer.exe
LegalTrademarks: -
LegalCopyright: Copyright 1999-2012 Firefox and Mozzilla developers. All rights reserved.
InternalName: BitcoinBlackmailer.exe
FileVersion: 37.0.2.5583
FileDescription: Firefox
CompanyName: -
Comments: -
CharacterSet: Unicode
LanguageCode: Neutral
FileSubtype: -
ObjectFileType: Executable application
FileOS: Win32
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 37.0.2.5583
FileVersionNumber: 37.0.2.5583
Subsystem: Windows GUI
SubsystemVersion: 4
ImageVersion: -
OSVersion: 4
EntryPoint: 0x4e00a
UninitializedDataSize: -
InitializedDataSize: 216576
CodeSize: 72704
LinkerVersion: 8
PEType: PE32
ImageFileCharacteristics: Executable, 32-bit
TimeStamp: 2016:03:31 06:28:14+00:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_GUI
Compilation Date: 31-Mar-2016 06:28:14
Comments: -
CompanyName: -
FileDescription: Firefox
FileVersion: 37.0.2.5583
InternalName: BitcoinBlackmailer.exe
LegalCopyright: Copyright 1999-2012 Firefox and Mozzilla developers. All rights reserved.
LegalTrademarks: -
OriginalFilename: BitcoinBlackmailer.exe
ProductName: Firefox
ProductVersion: 37.0.2.5583
Assembly Version: 37.0.2.5583

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000080

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 5
Time date stamp: 31-Mar-2016 06:28:14
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
\x01\x1e!mmUPp`B\x03
0x00002000
0x00034260
0x00034400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.99912
.text
0x00038000
0x00011878
0x00011A00
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
5.39056
.rsrc
0x0004A000
0x00000650
0x00000800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
3.58099
.reloc
0x0004C000
0x0000000C
0x00000200
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
0.0980042
0x0004E000
0x00000010
0x00000200
IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
0.13873

Resources

Title
Entropy
Size
Codepage
Language
Type
1
5.00112
490
UNKNOWN
UNKNOWN
RT_MANIFEST

Imports

mscoree.dll
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
44
Monitored processes
6
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
drop and start start ransomware jigsaw.exe drpbx.exe explorer.exe no specs rundll32.exe no specs iexplore.exe iexplore.exe

Process information

PID
CMD
Path
Indicators
Parent process
876"C:\Users\admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\admin\AppData\Local\Temp\ransomware?jigsaw.exeC:\Users\admin\AppData\Local\Drpbx\drpbx.exe
ransomware jigsaw.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
37.0.2.5583
Modules
Images
c:\users\admin\appdata\local\drpbx\drpbx.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
1620"C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:3876 CREDAT:267521 /prefetch:2C:\Program Files\Internet Explorer\iexplore.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
2368"C:\Users\admin\AppData\Local\Temp\ransomware jigsaw.exe" C:\Users\admin\AppData\Local\Temp\ransomware jigsaw.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
37.0.2.5583
Modules
Images
c:\users\admin\appdata\local\temp\ransomware jigsaw.exe
c:\windows\system32\kernel32.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\ntdll.dll
3480"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\admin\Desktop\viewsavailability.rtf.funC:\Windows\System32\rundll32.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
3812"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
3876"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?LinkId=57426&Ext=funC:\Program Files\Internet Explorer\iexplore.exe
rundll32.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Internet Explorer
Exit code:
0
Version:
11.00.9600.16428 (winblue_gdr.131013-1700)
Total events
76 920
Read events
76 904
Write events
16
Delete events
0

Modification events

(PID) Process:(2368) ransomware jigsaw.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(2368) ransomware jigsaw.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(2368) ransomware jigsaw.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(2368) ransomware jigsaw.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
Executable files
4
Suspicious files
1 924
Text files
340
Unknown types
20

Dropped files

PID
Process
Filename
Type
876drpbx.exeC:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\branding.xml.funbinary
MD5:AF3B47EE3239EE27A36DF974BA6FF35A
SHA256:FD6C354E84802174AB77076F4167F39BD68CAB971EC46A80000BDB8150F05CF5
876drpbx.exeC:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\AccessMUI.xml.funbinary
MD5:C004E8491FF15DE08F1FA4E4C998A799
SHA256:11F36C2CDDB7ACFBE430A304D826F2D3921826B33B08A9A82624AD6ADB3D3C74
2368ransomware jigsaw.exeC:\Users\admin\AppData\Local\Drpbx\drpbx.exeexecutable
MD5:2773E3DC59472296CB0024BA7715A64E
SHA256:3AE96F73D805E1D3995253DB4D910300D8442EA603737A1428B613061E7F61E7
876drpbx.exeC:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\branding.xml.funbinary
MD5:FD2ABF1B947745C51FC989779BC0A002
SHA256:21CF977AA01CC53D7C5C54A2C448755455F033AA35953A8CB969E19F221FF4CE
2368ransomware jigsaw.exeC:\Users\admin\AppData\Roaming\Frfx\firefox.exeexecutable
MD5:2773E3DC59472296CB0024BA7715A64E
SHA256:3AE96F73D805E1D3995253DB4D910300D8442EA603737A1428B613061E7F61E7
876drpbx.exeC:\MSOCache\All Users\{90140000-0015-0411-0000-0000000FF1CE}-C\Setup.xml.funbinary
MD5:860C56F71AB56F0CA8B9ABC82C367055
SHA256:381BFAE8DFCC0EC9CCB74BBC0E96671C16D82A742BAD7C8715FAB55D10183521
876drpbx.exeC:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\AccessMUI.xml.funbinary
MD5:B8E36A31142237D9E5C6A18056D448C1
SHA256:9E30A1A8685998EC8227FAA33A0FD0B2485FF430C4A3D4FC41CDAC6C33F33BE7
876drpbx.exeC:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\Setup.xml.funbinary
MD5:F5E7F47DD11D3B203003805B6E709333
SHA256:B865AB1E62E3579C6ADA2E4BD3A0F0AA13064F61A2AC61429FA0DFF7B8EAB4D7
876drpbx.exeC:\MSOCache\All Users\{90140000-0015-0412-0000-0000000FF1CE}-C\AccessMUI.xml.funbinary
MD5:BE69A75BD6978E7B30052A13C5114286
SHA256:28EED436E0C07E16B4ACC4EDFA02F0F26C45A2423257EFFA6CE6999E45BFA277
876drpbx.exeC:\MSOCache\All Users\{90140000-0015-0411-0000-0000000FF1CE}-C\AccessMUI.xml.funbinary
MD5:28441B8C917510D970D6180D613CE8E0
SHA256:5965C7D4E0173C8DFB8F976D47B0EC3FC8D3FF2200B39155E1440D7EDDA7CC53
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
22
DNS requests
13
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1620
iexplore.exe
GET
301
2.21.20.141:80
http://shell.windows.com/fileassoc/fileassoc.asp?Ext=fun
DE
whitelisted
1620
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA8Ull8gIGmZT9XHrHiJQeI%3D
US
der
1.47 Kb
whitelisted
1620
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEALnkXH7gCHpP%2BLZg4NMUMA%3D
US
der
471 b
whitelisted
1620
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%2BghUNoZ7OrUETfACEA%2BnRyLFPYjID1ie%2Bx%2BdSjo%3D
US
der
1.47 Kb
whitelisted
1620
iexplore.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
US
der
471 b
whitelisted
1620
iexplore.exe
GET
200
93.184.221.240:80
http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?230e2f6622aa1e49
US
compressed
4.70 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1620
iexplore.exe
95.100.53.90:443
go.microsoft.com
AKAMAI-AS
CH
suspicious
1620
iexplore.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1620
iexplore.exe
93.184.221.240:80
ctldl.windowsupdate.com
EDGECAST
GB
whitelisted
1620
iexplore.exe
2.21.20.141:80
shell.windows.com
Akamai International B.V.
DE
suspicious
1620
iexplore.exe
204.79.197.200:443
www.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
152.199.19.161:443
iecvlist.microsoft.com
EDGECAST
US
whitelisted
1620
iexplore.exe
23.36.163.98:443
r.bing.com
Akamai International B.V.
DE
suspicious
1620
iexplore.exe
40.126.32.76:443
login.microsoftonline.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3876
iexplore.exe
204.79.197.200:443
www.bing.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
go.microsoft.com
  • 95.100.53.90
whitelisted
ctldl.windowsupdate.com
  • 93.184.221.240
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
shell.windows.com
  • 2.21.20.141
  • 2.21.20.150
whitelisted
www.bing.com
  • 204.79.197.200
  • 13.107.21.200
whitelisted
r.bing.com
  • 23.36.163.98
  • 23.36.163.116
whitelisted
th.bing.com
  • 23.36.163.98
  • 23.36.163.116
whitelisted
api.bing.com
  • 13.107.5.80
whitelisted
login.microsoftonline.com
  • 40.126.32.76
  • 20.190.160.14
  • 20.190.160.20
  • 40.126.32.138
  • 40.126.32.134
  • 40.126.32.72
  • 20.190.160.22
  • 40.126.32.133
whitelisted
iecvlist.microsoft.com
  • 152.199.19.161
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ransomware jigsaw.exe