Thursday, Apr 21, 2016

JIGSAW - Some of the Missing Pieces


Forcepoint Security Labs has already blogged recently about the JIGSAW crypto-ransomware outbreaks that have been reported in the media.  We decided to perform a little more investigation into the malware and see what we could find.  What we briefly found offers some insight into the economics of JIGSAW, the 'black' marketplace it is traded from and the level (or absence) of sophistication in the author and his/her customers.

Learn to Spell.  Armed with a number of variants of the malware we have been able to perform some very simple static analysis.  For instance, taking a number of the recently seen variants of JIGSAW and using the excellent exiftool from Steve Harvey (SEE: we can compare things like their sizes, their time stamps (when they were built) and any distinguishing text in each sample.  In this case we spotted the fake Copyright notice:

What stands out here is that there is a spelling mistake in all but one of the samples and a different date range in another.  Even more odd because these anomalies are in the middle of the list of samples when sorted on the time they were built (time stamp). Why modify a date and fix the typo and then refer  again?

What appears to be going on here, and confirmed later, is that the malware is being re-built by different people and that some are likely to be modifying some of the details to avoid detection by standard AV techniques.

Searching for Text.  If we take the full text "Copyright 1999-2012 Firefox and Mozzilla developers. All rights reserved." and search using Google we get 17 hits.  All but one of these hits is relating to reports generated by automated malware analysis tools.  The odd-one-out in this case is a link to a Tor site:

Helpful but hardly humble about their capability, our author's landing page then directs us their shop-front on a Tor market place:

And here we find his page for the JIGSAW malware kit:

How Much?  $139 dollars.  And what does a purchaser get for the equivalent of flipping burgers for 20 hours?  This buys the source code for JIGSAW written in C#.  The seller is kind enough to provide a guide to building and deploying the malware which is of course available online.  Of course, if we use a tool such as DotPEEK we can decompile the C#/.NET Assembly back to source code without any trouble.

Sales Figures.  The malware author appears to have sold 24 times since 04/MAR/2016.  At $139 per customer this $3,336.  On the feedback page for the malware he has 8 separate and glowing reviews:

Unfortunately for the buyers, the return on investment seems to be abysmally low. Forcepoint Security Labs extracted the ransom Bitcoin addresses for 4 samples. It was found that in 2 cases the extortionist received no ransom payment at all, in one case they received $1 worth of Bitcoin (which may have been merely a test) and the most successful one received a total of $89 worth of Bitcoin.

Building the Software. The author has kindly documented how to configure and build the software:

But here in lies a significant problem.  For all the guidance and point-and-click approach to building the software the author does not provide advise on stripping out text from the executable malware produced.  Any entry-level malware analyst knows to check for the build strings in an executable.  Quite often, when built in visual studio, a program will have the full path name to the build project.  Here are some examples:

c:\users\***********\documents\visual studio 2015\Projects\BitcoinBlackmailer\obj\Release\BitcoinBlackmailer.pdb
C:\Users\***********\Music\New folder\BitcoinBlackmailer\obj\Release\BitcoinBlackmailer.pdb

As can be seen from above, some customers are smart enough to know to use a generic account name on the machine they are doing bad things with.  Some however, are not.  Real names appear in some examples and allow investigators to start to bracketing-in on the bad-guys actually running the extortion scams.


A genius malware author this is not, the use of C#/.NET makes it trivial to reverse engineer and analyse.  At the current rate, by selling the source code for the software is not going to generate nearly enough money to pay for much, let alone that sports car.  Finally, the customers who have purchased this kit are non too smart either, even with the documentation available some have left their names in the malware.  With the Internet come the darker edges accessible via Tor.  Within the Tor anyone,  including our malware author, A.K.A 'funWithCode' can set-up shop and peddle their wares to like minded individuals.

This could have been funny if it were not true.  A mediocre and greedy techie writes a 2nd rate piece of malware that is designed to scare people into parting with their money.  He (or she) sells it to a group of customers who are not that techno-savy but are equally greedy and devoid of any morals. Hardly a happy story.  But, if we needed an illustration of bad programmers selling to somewhat inept 'wannabe' criminals via the unregulated 'dark web', this is probably good enough for now.

About the Author