2017-05-11 - JUMPING ON THE JAFF RANSOMWARE BANDWAGON

ASSOCIATED FILES:

NOTES:

 

EMAILS


Shown above:  Screenshot of spreadsheet tracker.

 


Shown above:  Two examples of these emails.

 

DATES/TIMES:

 

EXAMPLES OF SENDING ADDRESSESS (ALL SPOOFED):

 

EXAMPLES OF SUBJECT LINES:

 

FILE NAME FOR ALL ATTACHMENTS:

 

MALWARE


Shown above:  Opening the nm.pdf file provides a malicious Word document with macros.

 


Shown above:  Macros from the embedded Word documents are designed to infect a Windows host with malware.

 

SHA256 HASHES OF PDF FILES ATTACHED TO THESE EMAILS:

 

SHA256 HASHES OF MALICIOUS WORD DOCUMENTS EMBEDDED IN THE ABOVE PDF FILES:

 

JAFF RANSOMWARE SAMPLE DOWNLOADED BY ONE OF THE WORD DOCUMENTS:

 

TRAFFIC

URLS FROM THE WORD MACROS TO DOWNLOAD JAFF RANSOMWARE:

 

JAFF RANSOMWARE POST-INFECTION TRAFFIC:


fkksjobnn43.org didn't resolve in DNS, so I edited the Windows hosts file to get an HTTP request.

 

IMAGES


Shown above:  Desktop of an infected Windows host.

 


Shown above:  Going to the Jaff Decryptor.  Why is "jaff decryptor" in lower-case letters?

 


Shown above:  Wonder what the exchange rate was when they calcuated the bitcoin amount for their ransom.

 

FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.