Malware Analysis Analysis - MSIL.Ransomware.Jigsaw

JM Safe

Level 39
Thread author
Verified
Top Poster
Apr 12, 2015
2,882
Hello to everyone, today I made an analysis of a sample of MSIL.Ransomware.Jigsaw.

MD5: 0767d39b7ebcd4be025aec94f1795e36
SHA1: 9a8ba27886068b0940745eedab82adfd84ff55e4
SHA256: 2e5d74199ee2ea4344afc3a76d9eeda6229d0a480e879fd764298527141e487d


I used StudPE to make a general analysis of the PE, the file sections, imports, etc.
This is the result:

a.png


The malware has 3 file sections, and the imported function is mscoree.dll (really common in .NET PE)

b.png


The malware analyzed hasn't any exported functions, as you can see in the screenshot above.

c.png


In the screenshot above we can see all the file sections of the malware:

  • .text: instructions executed by the CPU
  • .rsrc: resources used by the malware (images, icons, etc.)
  • .reloc: this section contains a table of relocations (adjustment or fix to an instruction)
Here below there are the resources of the malware:

d.png


Then I reversed the malware using ILSpy, and here is the result:

f.png


The malware gets the executing assembly files and it returns, it gathers the manifest resource stream, by using as input a string (the path of the file).
Then it decompress the manifest resource stream and it creates a new deflate stream, after that it copies the deflate stream into the memory stream with an AssemblyLoader variable.

g.png


Here are some variable names really interesting: the encryption password (used by the ransomware to encrypt personal files), "Activated" and, of course, "RansomUsd".

h.png


We can see now messages of the ransomware, it says that our personal files are encrypted and we cannot access them, and in addition there are informations about ransomware payment (Bitcoin). The malware uses the function "Environment.NewLine" to write the messages.

i.png


Then we have a timer activated and the method called "EncryptFileSystem()":

l.png


It gets all files of our drives and it encrypts them, then it adds an extensions to all files encrypted: .fun

m.png


This method allows to get all encrypted files and it adds each file to an hashset.

n.png


With this method instead it gets all extensions file to encrypt.

o.png


This is a form (window) displays all encrypted files (with .fun extensions).

p.png


This is a method used to delete all encrypted files (it is used the method GetEncryptedFiles()) and it checks the Bitcoin address.

q.png


Here above the ransomware checks if the payment has been done.

r.png


Here is a method used to decrypt files (it checks if the files are not encrypted, by checking the extension .fun). Obviously it uses an aesCryptoServiceProvider and a key (password) to decrypt the files encrypted.

s.png


Here is a method used to decrypt multiple files and it calls again the method DecryptFile().

t.png


These are two other methods used to encrypt single and multiple files on the infected system.

u.png


Thanks for reading! ;)
 

Attachments

  • e.png
    e.png
    39.8 KB · Views: 388

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top