The SonicWall Capture Labs Threat Research Team observed reports of a new version of the Jigsaw ransomware. The version analysed here appears to be an early debug build and sports a new interface, a significant departure from interfaces using clown images in previous versions. As this is a test version of the malware, no encryption actually takes place.
Infection Cycle:
The malware exeutable file contains the following metadata:
Upon execution it displays the following message box:
It brings up the following dialog:
The “View encrypted files” button brings up the following page:
The following files are added to the system:
- %APPDATA%SkinSoftVisualStyler2.4.59444.6x86ssapihook.dll
- {run location}EncryptedFileList.txt
- {run location}FileSystemSimulationNotTxtTest.nottxt
- {run location}FileSystemSimulationTxtTest.txt.die (empty file)
- {run location}Newtonsoft.Json.dll
- {run location}SkinSoft.VisualStyler.dll
NotTxtTest.nottxt contains the following text:
I am NOT a txt test.
EncryptedFileList.txt contains the following text:
{run location}FileSystemSimulationTxtTest.txt
Nothing is actually encrypted on the system. Presumably, this is because it is a debug version.
The malware executable file contains the following string:
C:UsersMoisesDesktopjigsawransomware2019-masterJigsawRansomwareobjDebugJigsawRansomware.pdb
The malware makes the following DNS requests:
hostas8.cf
google-analytics.com
ip-api.com
osdsoft.com
The following network traffic was observed between the malware and the hosts listed above:
A further look into the executable file reveals credentials for 1455 SMTP email accounts:
The BTC address (3DCMs9XgBi6HDigyPggqhrpMYuwp3d81rM) has some transaction history. However, it is not certain whether or not the transactions are directly related to ransom payments:
SonicWall Capture Labs provides protection against this threat via the following signature:
- GAV: Jigsaw.RSM_26 (Trojan)
This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.
** Optrics Inc. is an Registered SonicWall partner
The original article can be found here:
https://securitynews.sonicwall.com/xmlpost/debug-build-of-jigsaw-ransomware-in-the-wild/