Debug build of Jigsaw Ransomware contains SMTP email credentials

The SonicWall Capture Labs Threat Research Team observed reports of a new version of the Jigsaw ransomware. The version analysed here appears to be an early debug build and sports a new interface, a significant departure from interfaces using clown images in previous versions. As this is a test version of the malware, no encryption actually takes place.

Infection Cycle:

The malware executable file contains the following metadata:

[Image: executable file metadata]

Upon execution it displays the following message box:

[Image: message box shown on execution]

It brings up the following dialog:

The “View encrypted files” button brings up the following page:

[Image: "View encrypted files" page]

The following files are added to the system:

  • %APPDATA%\SkinSoft\VisualStyler\2.4.59444.6\x86\ssapihook.dll
  • {run location}\EncryptedFileList.txt
  • {run location}\FileSystemSimulation\NotTxtTest.nottxt
  • {run location}\FileSystemSimulation\TxtTest.txt.die (empty file)
  • {run location}\Newtonsoft.Json.dll
  • {run location}\SkinSoft.VisualStyler.dll

NotTxtTest.nottxt contains the following text:

I am NOT a txt test.

EncryptedFileList.txt contains the following text:

{run location}\FileSystemSimulation\TxtTest.txt

Nothing is actually encrypted on the system. Presumably, this is because it is a debug version.

The malware executable file contains the following string:

  • C:\Users\Moises\Desktop\jigsawransomware2019-master\JigsawRansomware\obj\Debug\JigsawRansomware.pdb
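The dropped-file names and the PDB path above are the kind of host-level indicators a responder can check for. The following is an added triage example, not SonicWall's code: it walks a directory for the dropped files and the `.die` marker, scans a binary for the PDB path string, and ranks the evidence (the PDB string is specific to this build; the file names alone are weaker). The directory layout and the stand-in binary in `demo()` are constructed to mirror the report.

```python
import os
import tempfile

# Indicators from the report above: the PDB path string and the dropped-file names.
PDB_PATH = (rb"C:\Users\Moises\Desktop\jigsawransomware2019-master"
            rb"\JigsawRansomware\obj\Debug\JigsawRansomware.pdb")
DROPPED_NAMES = {"EncryptedFileList.txt", "Newtonsoft.Json.dll", "SkinSoft.VisualStyler.dll"}
MARKER_EXT = ".die"  # extension this build gives its 'encrypted' test file

def find_artifacts(root):
    """Walk root; collect dropped-file names and files carrying the .die marker."""
    hits = {"dropped": [], "marked": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name in DROPPED_NAMES:
                hits["dropped"].append(os.path.join(dirpath, name))
            if name.endswith(MARKER_EXT):
                hits["marked"].append(os.path.join(dirpath, name))
    return hits

def has_pdb_string(path, chunk=1 << 20):
    """Search a binary for the PDB path; reads overlap so a hit spanning chunks is kept."""
    tail = b""
    with open(path, "rb") as f:
        while block := f.read(chunk):
            if PDB_PATH in tail + block:
                return True
            tail = block[-(len(PDB_PATH) - 1):]
    return False

def triage(root, binary):
    """Rank the evidence: the PDB string is specific to this build, file names are weaker."""
    hits, pdb = find_artifacts(root), has_pdb_string(binary)
    files = bool(hits["dropped"]) + bool(hits["marked"])
    verdict = "high" if pdb else ("none", "low", "medium")[files]
    return verdict, hits, pdb

def demo():
    """Constructed run directory mirroring the report's layout; not a real sample."""
    root = tempfile.mkdtemp()
    sim = os.path.join(root, "FileSystemSimulation")
    os.makedirs(sim)
    with open(os.path.join(root, "EncryptedFileList.txt"), "w") as f:
        f.write(os.path.join(sim, "TxtTest.txt") + "\n")
    open(os.path.join(sim, "TxtTest.txt.die"), "w").close()
    sample = os.path.join(root, "sample.bin")
    with open(sample, "wb") as f:  # constructed stand-in binary carrying the PDB string
        f.write(b"MZ" + b"\x00" * 64 + PDB_PATH + b"\x00")
    return triage(root, sample)
```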

The malware makes the following DNS requests:

  • hostas8.cf
  • google-analytics.com
  • ip-api.com
  • osdsoft.com

The following network traffic was observed between the malware and the hosts listed above:

[Image: captured network traffic between the malware and the hosts above]

A further look into the executable file reveals credentials for 1455 SMTP email accounts:

[Image: SMTP account credentials embedded in the executable]

The BTC address (3DCMs9XgBi6HDigyPggqhrpMYuwp3d81rM) has some transaction history. However, it is not certain whether or not the transactions are directly related to ransom payments:

[Image: transaction history for the BTC address]

SonicWall Capture Labs provides protection against this threat via the following signature:

  • GAV: Jigsaw.RSM_26 (Trojan)

This threat is also detected by SonicWALL Capture ATP w/RTDMI and the Capture Client endpoint solutions.

The original article can be found here:

https://securitynews.sonicwall.com/xmlpost/debug-build-of-jigsaw-ransomware-in-the-wild/

About the Author: Shannon Lewis
