URL: | https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.Jigsaw/Ransomware.Jigsaw.zip?raw=true |
Full analysis: | https://app.any.run/tasks/715ec816-5a90-4ac1-bac0-ee54280caac8 |
Verdict: | Malicious activity |
Threats: | Ransomware is a type of malicious software that locks users out of their system or data using different methods to force them to pay a ransom. Most often, such programs encrypt files on an infected machine and demand a fee to be paid in exchange for the decryption key. Additionally, such programs can be used to steal sensitive information from the compromised computer and even conduct DDoS attacks against affected organizations to pressure them into paying. |
Analysis date: | January 14, 2022, 20:56:07 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MD5: | D4B7AF871CC7EF844BCDBDC4D1A0163F |
SHA1: | 17CF4CC6A015795E2C036A4BBA327D4A9E7592E4 |
SHA256: | D823EBF3AFA34FBAFF9DB8AE5AFE2CB9280B1394A851EC4B280663A9FEE16F57 |
SSDEEP: | 3:N8tEdsxHuJKqIEHDhzzu+R/DEj:2u6tuJKz+ByK/Yj |
PID | CMD | Path | Indicators | Parent process | |||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
3464 | "C:\Program Files\Mozilla Firefox\firefox.exe" "https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.Jigsaw/Ransomware.Jigsaw.zip?raw=true" | C:\Program Files\Mozilla Firefox\firefox.exe | — | Explorer.EXE | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 83.0 Modules
| |||||||||||||||
3812 | "C:\Program Files\Mozilla Firefox\firefox.exe" https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.Jigsaw/Ransomware.Jigsaw.zip?raw=true | C:\Program Files\Mozilla Firefox\firefox.exe | firefox.exe | ||||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 83.0 Modules
| |||||||||||||||
2744 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3812.0.1603837660\694914555" -parentBuildID 20201112153044 -prefsHandle 1136 -prefMapHandle 828 -prefsLen 1 -prefMapSize 238726 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3812 "\\.\pipe\gecko-crash-server-pipe.3812" 1224 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 1 Version: 83.0 Modules
| |||||||||||||||
3388 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3812.6.1406186389\2018630751" -childID 1 -isForBrowser -prefsHandle 3124 -prefMapHandle 3120 -prefsLen 245 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3812 "\\.\pipe\gecko-crash-server-pipe.3812" 3136 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 83.0 Modules
| |||||||||||||||
1768 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3812.13.793667954\349675716" -childID 2 -isForBrowser -prefsHandle 1992 -prefMapHandle 2012 -prefsLen 6644 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3812 "\\.\pipe\gecko-crash-server-pipe.3812" 1964 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 83.0 Modules
| |||||||||||||||
1792 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3812.20.2080788669\1574985923" -childID 3 -isForBrowser -prefsHandle 3600 -prefMapHandle 2040 -prefsLen 7399 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3812 "\\.\pipe\gecko-crash-server-pipe.3812" 3612 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 83.0 Modules
| |||||||||||||||
2300 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3812.27.1427973711\1723732071" -childID 4 -isForBrowser -prefsHandle 3832 -prefMapHandle 3828 -prefsLen 7470 -prefMapSize 238726 -parentBuildID 20201112153044 -appdir "C:\Program Files\Mozilla Firefox\browser" - 3812 "\\.\pipe\gecko-crash-server-pipe.3812" 3844 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: LOW Description: Firefox Exit code: 0 Version: 83.0 Modules
| |||||||||||||||
2292 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Ransomware.Jigsaw.zip" | C:\Program Files\WinRAR\WinRAR.exe | Explorer.EXE | ||||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Exit code: 0 Version: 5.91.0 Modules
| |||||||||||||||
3404 | "C:\Users\admin\Desktop\Jigsaw Ransomware.exe" | C:\Users\admin\Desktop\Jigsaw Ransomware.exe | Explorer.EXE | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 37.0.2.5583 Modules
| |||||||||||||||
756 | "C:\Users\admin\AppData\Local\Drpbx\drpbx.exe" C:\Users\admin\Desktop\Jigsaw?Ransomware.exe | C:\Users\admin\AppData\Local\Drpbx\drpbx.exe | Jigsaw Ransomware.exe | ||||||||||||
User: admin Integrity Level: MEDIUM Description: Firefox Version: 37.0.2.5583 Modules
|
(PID) Process: | (3464) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Launcher |
Value: 5A9458A070000000 | |||
(PID) Process: | (3812) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Browser |
Value: 449B58A070000000 | |||
(PID) Process: | (3812) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Launcher |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry |
Value: 0 | |||
(PID) Process: | (3812) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\DllPrefetchExperiment |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox\firefox.exe |
Value: 0 | |||
(PID) Process: | (3812) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox|DisableTelemetry |
Value: 1 | |||
(PID) Process: | (3812) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox|DisableDefaultBrowserAgent |
Value: 0 | |||
(PID) Process: | (3812) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox|ServicesSettingsServer |
Value: https://firefox.settings.services.mozilla.com/v1 | |||
(PID) Process: | (3812) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Mozilla\Firefox\Default Browser Agent |
Operation: | write | Name: | C:\Program Files\Mozilla Firefox|SecurityContentSignatureRootHash |
Value: 97:E8:BA:9C:F1:2F:B3:DE:53:CC:42:A4:E6:57:7E:D6:4D:F4:93:C2:47:B4:14:FE:A0:36:81:8D:38:23:56:0E | |||
(PID) Process: | (3812) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings |
Operation: | write | Name: | ProxyEnable |
Value: 0 | |||
(PID) Process: | (3812) firefox.exe | Key: | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections |
Operation: | write | Name: | SavedLegacySettings |
Value: 460000003B010000090000000000000000000000000000000400000000000000C0E333BBEAB1D3010000000000000000000000000100000002000000C0A80164000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 |
PID | Process | Filename | Type | |
---|---|---|---|---|
3812 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\startupCache\scriptCache-current.bin | — | |
MD5:— | SHA256:— | |||
3812 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite | — | |
MD5:— | SHA256:— | |||
3812 | firefox.exe | C:\Users\admin\AppData\Local\Temp\mz_etilqs_eZA1PMrFOiFCPl2 | binary | |
MD5:351821E41EC0086E5EE4B40B74B78C7C | SHA256:7D0661D8684356385C846B65461F3E45C1F187264BC7C9AF978218FCA02FC8B8 | |||
3812 | firefox.exe | C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\qldyz51w.default\settings\main\ms-language-packs\asrouter.ftl.tmp | text | |
MD5:3625F1DDA6D119478AD89D13950C9ACA | SHA256:CB40F6A8D58901D612A86690A41D4E273F24936FC926E98F82C0918CBEF4FC64 | |||
3812 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\sessionCheckpoints.json.tmp | binary | |
MD5:EA8B62857DFDBD3D0BE7D7E4A954EC9A | SHA256:792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA | |||
3812 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
3812 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
3812 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\cookies.sqlite-shm | binary | |
MD5:B7C14EC6110FA820CA6B65F5AEC85911 | SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB | |||
3812 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-wal | binary | |
MD5:8A78297C5EFC76A41BEE23975B4B1171 | SHA256:B57D190C6EE4D308B259BD5CA19D15482FE34E2A0420A6F6A05340BBF9C69964 | |||
3812 | firefox.exe | C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\qldyz51w.default\places.sqlite-wal | sqlite-wal | |
MD5:F43541099397521846F41165EE120C88 | SHA256:474C48AD80746242D3B5CEB151A945DDE4CDFE5856ECDDA40E784188BB02452D |
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
---|---|---|---|---|---|---|---|---|---|
3812 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 278 b | whitelisted |
3812 | firefox.exe | POST | 200 | 142.250.185.131:80 | http://ocsp.pki.goog/gts1c3 | US | der | 471 b | whitelisted |
3812 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3812 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3812 | firefox.exe | POST | 200 | 93.184.220.29:80 | http://ocsp.digicert.com/ | US | der | 471 b | whitelisted |
3812 | firefox.exe | POST | 200 | 142.250.185.131:80 | http://ocsp.pki.goog/gts1c3 | US | der | 472 b | whitelisted |
3812 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt | US | text | 8 b | whitelisted |
3812 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | US | text | 8 b | whitelisted |
PID | Process | IP | Domain | ASN | CN | Reputation |
---|---|---|---|---|---|---|
3812 | firefox.exe | 34.107.221.82:80 | detectportal.firefox.com | — | US | whitelisted |
3812 | firefox.exe | 93.184.220.29:80 | ocsp.digicert.com | MCI Communications Services, Inc. d/b/a Verizon Business | US | whitelisted |
3812 | firefox.exe | 52.26.7.9:443 | location.services.mozilla.com | Amazon.com, Inc. | US | unknown |
3812 | firefox.exe | 142.250.184.234:443 | safebrowsing.googleapis.com | Google Inc. | US | whitelisted |
3812 | firefox.exe | 52.40.115.173:443 | push.services.mozilla.com | Amazon.com, Inc. | US | suspicious |
3812 | firefox.exe | 143.204.98.30:443 | content-signature-2.cdn.mozilla.net | — | US | suspicious |
3812 | firefox.exe | 185.199.108.133:443 | raw.githubusercontent.com | GitHub, Inc. | NL | malicious |
3812 | firefox.exe | 142.250.185.131:80 | ocsp.pki.goog | Google Inc. | US | whitelisted |
3812 | firefox.exe | 143.204.98.33:443 | firefox.settings.services.mozilla.com | — | US | suspicious |
3812 | firefox.exe | 140.82.121.3:443 | github.com | — | US | suspicious |
Domain | IP | Reputation |
---|---|---|
detectportal.firefox.com |
| whitelisted |
prod.detectportal.prod.cloudops.mozgcp.net |
| whitelisted |
github.com |
| shared |
firefox.settings.services.mozilla.com |
| whitelisted |
example.org |
| whitelisted |
ipv4only.arpa |
| whitelisted |
location.services.mozilla.com |
| whitelisted |
locprod2-elb-us-west-2.prod.mozaws.net |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
cs9.wac.phicdn.net |
| whitelisted |
PID | Process | Class | Message |
---|---|---|---|
3812 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |
3812 | firefox.exe | Potentially Bad Traffic | ET INFO Terse Request for .txt - Likely Hostile |