Jigsaw Ransomware Analysis
In this blog we are analyzing Jigsaw ransomware through both static and dynamic approaches with the end goal of finding the kill switch, and uncovering the decryption key. The two disciplines contained within the canopy of ransomware analyses are static and dynamic.
Static analyses is the process of reviewing the source code and structure or flow of the binary to learn its intended behaviors and various functions. During this time the binary has not been executed. Dynamic analyses on the other hand requires us to execute or launch the malware, to perform live analyses during run time of the processes, services and system modifications.
A little about Jigsaw Ransomware
This malicious and clever software is named after the character from the horror movie Saw. By deleting files every hour for the first 24 hours this ransomware is unique to other variants which routinely just encrypt your files and request a payment at your earliest convenience. Jigsaw applies further pressure by threatening to delete 1000 files if the system should be restarted, or the process modified.
Furthermore, instead of the regular ransomware instructions on how to make payments with crypto currency and a user friendly step by step guide, Jigsaw only provides a link on where to obtain Crypto Currency.
Tools used
Ghidra - Decompile .Net
Glasswire - Live network connection monitoring
Watch4 folder - Live file monitoring
WireShark - Network traffic monitoring
Hybrid Analyses - Sandboxing
Dotpeek - Decompile .NET
Static Analyses - Jigsaw Ransomware
1. Headers
Headers indicate the file is a PE32 that was packed with Morphine v1.2 and may contain obfuscation to help hide itself or its dropped files.
2. Antivirus scanning
Windows defender recognized the virus immediately when we unzipped the file. Total virus shows us this is a recognized threat.
3. Hashing
A widely adopted technique to identify malware is by generating a unique hash. This hash is specific to a file and provides authenticity of suspected malware.
The following are hashes for other variants and related files
0C269C5A641FD479269C2F353841A5BF9910888B – Ransom_JIGSAW.A
DC307A673AA5EECB5C1400F1D342E03697564F98 – Ransom_JIGSAW.A
CE42E2C694CA4737AE68D3C9E333554C55AFEE27 – Ransom_JIGSAW.A
1AD9F8695C10ADB69BDEBD6BDC39B119707D500E – Ransom_JIGSAW.B
CA40233610D40258539DA0212A06AF29B07C13F6 – Ransom_JIGSAW.C
F8431CF0A73E4EDE5B4B38185D73D8472CFE2AE7 – Ransom_JIGSAW.C
DCE911B1C05DA965C8733935723B88BC29D12756 – Ransom_JIGSAW.D
3F6E3E5126C837F46A18EE988DBF5756C2B856AA – Ransom_JIGSAW.E
92620194A581A91874A5284A775014E0D71A9DB1 – Ransom_JIGSAW.E
4. Packer/compiler detection
Majority of malware is completely or partially packed as a means to obfuscate itself from signature based detections, while concealing hidden .exe or files within. Some of the common packers are UPX, Morphine and MEW. Packers are a form of obfuscation and this largely puts the responsibility on antivirus software to maintain and update their database with packer related signatures and behaviours. Some historical packers have been able to bypass detection all together such as Armadillo, Shrinker, Cexe and Epack. These packers can inevitably live on a system and continually unpack malware while never allowing the EDR to remove the root cause. You can see below that Morhpine v1.2 was identified as the packer, just like we noticed in the header.
5. Decompile
While decompiling this binary the encryption key was stored in plain text within the binary. This allows for possible decryption of the ransomware if the encryption process and algorithm can be first identified.
Further investigation shows us the AES Crypto Service Provider is called which suggests our ransomware is using AES and we can simply convert our key from text into binary to determine the key length which results in 192 bits.
Dynamic Analyses - Jigsaw Ransomware
1. Dropped files
Generally speaking malware drops various files during runtime and this can provide as a vehicle to gaining deeper insight into binary behaviours and processes. Monitoring for file writes and changes during dynamic analyses will provide a list of dropped files. In the list below we can see that many files were dropped.
The file that immediately stands out is “The DisableWindowsFirewall.cpp” a c++ binary that imports the windows netfw.h header providing control over the windows firewall application.
// Disable Windows Firewall for the Domain profile
hr = pNetFwPolicy2->put_FirewallEnabled(NET_FW_PROFILE2_DOMAIN, FALSE);
The program appears to copy itself to the following location disguising itself as a legitimate program.
%AppData$\Roaming\Frfx\firefox.exe
AppData\Local\Drpbx\drpbx.exe2. Network
This URL was also found during run time which is probably related to the command and control server which is no longer present. In some cases Jigsaw ransomware also included the Athena malware to allow for remote control of the target device.
http://demourl.co.nf/pwd/write.php?info=PC-admin%20cEpFtlMNwZUsZLNuGPQTiT== Wireshark showed us a query to a bitcoin wallet upon requesting file decryption. The ransomware is continually pinging this address to determine if a bitcoin deposit has been made, in which case your files will be unlocked.
3. Processes
We observed jigsaw spawned drpbox.exe and terminated the parent process shortly after to hide its tracks.
4. Registry changes
The following registry keys were changed in order to establish persistence on startup and reboots.
HKCU\Software\Microsoft\Windows\CurrentVersion\Run firefox.exe=C:\Users\admin.admin-PC\AppData\Roaming\Frfx\firefox.exe SIEM Use Case Alerts / Detection
Two very common .dll’s within windows ransomware are CRYPTBASE.dll and CRYPTSP.dll. Use cases can be created to monitor for the use of these .ddl in a binary.
Monitoring for file names with known ransomware extensions can prove invaluable as well.