2339
Detailed Technical Analysis Report of New Variant of Jigsaw Ransomware Detailed Technical Analysis Report of New Variant of Jigsaw Ransomware
Malware Analysis | 08/27/2018

Detailed Technical Analysis Report of New Variant of Jigsaw Ransomware


When was the last time you checked your PC health? Do you know your PC requires a regular Check Up!!!

New Variant of Jigsaw Ransomware Overview

Jigsaw is a part of the ransomware family. This is a new variant of Jigsaw ransomware, recently found by the security researcher. It encrypts the victim machine by using the AES encryption method. This variant is not much different from the previous variant which we analyzed a few months back.

This ransomware targets 100+ File extensions whereas in the previous version it only targets 15 File Extensions.

In this new Variant, It appends the filename of the affected file by adding .FuckedbyGhost whereas in the previous version it appends the filename by adding .fun extension in the last. As per the ransom note, this ransomware will delete some files in every hour if the user didn’t pay the ransom amount on time.

This ransomware demands 30$ through bitcoins at following bitcoin address: 12XE5ncLCxDcXPAXWuTd3JentLZNCF3a47

Whereas, in the previous version it demands 100$ at following bitcoin address: 1Hd3tU8MDmuVotMgGJTJ7svzvPey6bfUgm

Similar read, Detailed Technical Analysis Report of Ryuk Ransomware

Flowchart

FlowChart

Technical Analysis of New Variant of Jigsaw Ransomware

File Name: Jigsaw.exe

MD5: DFABB15B3BF9BC533BD55E21B64A5FF0

File Type: .EXE

Spread Via:  Not Known Yet.

malware crusher

 

Detail Description of Jigsaw Ransomware with Screenshots

On execution of this ransomware it first gets & set the %appdata% path & copy itself into at following location:

%Appdata%\Roaming\Wind0s\cRe.exe

%\Appdata%\Local\mİCROSs\Mic.exe

 

Thereafter, it creates the Autorun entry in the registry so, that at each boot time it gets self-started.

 

HKCU\Software\Microsoft\Windows\CurrentVersion\Run          cRe.exe=C:\Users\admin.admin-PC\AppData\Local\mİCROSs\Mic.exe

 

 

Configuration Info

Figure 1 Configuration Information

 

As per the above configuration code, this ransomware generates the fake error message of Dot Net Framework 4.5.1 Requirement.

Fake Dot Net Message

Figure 2 Fake Dot Net Requirement

This ransomware targets 117 file extensions:

.jpg

.wpd

.m3u

.cs

.xlw

.mpg

.vcf

.sldx

.jpeg

.wps

.m4u

.h

.ppt

.wmv

.xml

.sldmwav

.raw

.msg

.mid

.php

.pot

.vob

.sesrar

.mp3

.tif

.pdf

.mpa

.asp

.pps

.m3u8

.zip

.aif

.gif

.xls

.wma

.rb

.pptx

.mkvdat

.7zip

.iff

.png

.xlt

.ra

.java

.pptm

.csv

.svg

.idml

.bmp3dm

.xlm

.avi

.jar

.potx

.efx

.swf

.pmd

.maxaccdb

.xlsx

.mov

.class

.potm

.sdf

.fla

.ps

.db

.xlsm

.mp4

.py

.aet

.ppam

.as3

.3g2

.dbf

.xltx

.3gp

.jsaaf

.ppj

.ppsx

.astxt

.asf

.mdb

.xltm

.mpeg

.aep

.psd

.ppsm

.dotx

.asx

.pdb

.xlsb

.xll

.aepx

.inx

.indd

.xqx

.flv

.sqldwg

.xla

.xqx

.plb

.cpp

.indl

.ai

.doc

.dxfc

.xlam

.docx

.prel

.dotm

.indt

.eps

.dot

.rtf

.docm

.prproj

.indb

.docb

 

 

This ransomware appends the affected filename by adding .Fuckedbyghost in the last & shows the ransom screen that contains the Welcome Message with Countdown Time.

Ransom Note

Figure 3 Ransom Message Screen

The victim can easily restore the files by going back to the old restore point because this ransomware doesn’t delete any Volume Shadow Copies.

Every time this ransomware creates the different decryption key & then it tries to connect their C&C (Command & Control) server to check whether the payment has been done or not.

As per the ransom note victim has demanded 30$ in the form of bitcoins at following bitcoin address:

12XE5ncLCxDcXPAXWuTd3JentLZNCF3a47

On closing the ransom note screen, it shows the following message to the user.

 Bad Decision

Figure 4 Bad Decision Pop Up

 IOC’s

Associated File Names & Hashes:

File Name

Hash

Sample.exe

DFABB15B3BF9BC533BD55E21B64A5FF0

Associated File Paths:

%Appdata%\Roaming\Wind0s\cRe.exe

%\Appdata%\Local\mİCROSs\Mic.exe

 

Associated Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run          cRe.exe=C:\Users\admin.admin-PC\AppData\Local\mİCROSs\Mic.exe

Associated Bitcoin Address:

12XE5ncLCxDcXPAXWuTd3JentLZNCF3a47

A quick demonstration of something similar, Detailed Technical Analysis Report of Total Wipe Out Ransomware would be interesting as well. 

Are you worried about your PC health?

Check your PC Health for Free!

Powered By:howtoremoveit.info Run Free Scan


Tips to Prevent virus and malware from Infecting Your System:

  1. Enable your popup blocker: Pop-ups and ads on the websites are the most adoptable tactic used by cybercriminals or developers with the core intention to spread malicious programs.
    So, avoid clicking uncertain sites, software offers, pop-ups etc. and Install a powerful ad- blocker for ChromeMozilla, and IE
  2. Keep your Windows Updated: To avoid such infections, we recommend that you should always keep your system updated through automatic windows update.By doing this you can keep your device free from virus.According to the survey, outdated/older versions of Windows operating system are an easy target.
  3. Third-party installation: Try to avoid freeware download websites as they usually install bundled of software with any installer or stub file.
  4. Regular Backup: Regular and periodical backup helps you to keep your data safe in case the system is infected by any kind of virus or any other infection.Thus always backup important files regularly on a cloud drive or an external hard drive.
  5. Always have an Anti-Virus: Precaution is better than cure. We recommend that you install an antivirus like ITL Total Security or a good Malware Removal Tool like Download Virus RemovalTool

Newsletter

Are your devices Secure?

Best Anti-Malware program in 2018

ad_computer_work
Start Scan Now  Download Time: less than 1 minute
×
×

1

indicatorImg_logo
mlcsetup
2

3

1

2

3

1

2

3