2017-05-15 - THE JAFF RANSOMWARE TRAIN KEEPS ON ROLLIN'

ASSOCIATED FILES:

  • 2017-05-15-jaff-ransomware-traffic.pcap   (158,549 bytes)
  • 2017-05-15-Jaff-ransomware-ReadMe.bmp   (3,145,782 bytes)
  • 2017-05-15-Jaff-ransomware-ReadMe.html   (1,431 bytes)
  • 2017-05-15-Jaff-ransomware-ReadMe.txt   (482 bytes)
  • 2017-05-15-Jaff-ransomware-drefudre20.exe   (176,128 bytes)
  • 2017-05-15-jaff-decryptor-index.css   (2,661 bytes)
  • 2017-05-15-jaff-decryptor.html   (5,091 bytes)
  • 2017-05-15-malspam-103539-UTC.eml   (72,864 bytes)
  • HHU67.docm   (55,129 bytes)

NOTES:


EMAIL


Shown above:  An example of the emails.


EMAIL HEADERS:


MALWARE


Shown above:  The PDF attachment contains an embedded Word document with malicious macros.
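The delivery chain described above (a PDF carrying an embedded Word document whose macros fetch the ransomware) can be triaged without opening the file. The following Python is an added example and not the post's own tooling: it walks the PDF's stream objects, decodes every /EmbeddedFile stream that uses the common FlateDecode filter, and reports whether the payload is an OOXML zip carrying word/vbaProject.bin. The sample PDF and .docm it builds are constructed for the demo and are not the campaign's files; the function and variable names are the example's own, and only direct /Length values and the FlateDecode filter are handled.

```python
"""Triage a PDF for embedded Office documents that carry VBA macros.

Added example, not code from the original post. The sample PDF and .docm
built below are constructed for the demo; the campaign's real files are
not reproduced here.
"""
import io
import re
import sys
import zipfile
import zlib

# A stream object: "N G obj << dict >> stream\n". The dictionary is not
# allowed to cross an "endobj" keyword, so one object cannot swallow the next.
OBJ_RE = re.compile(
    rb"(\d+)\s+(\d+)\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.DOTALL
)
# Direct /Length only; an indirect reference ("/Length 6 0 R") is skipped.
LENGTH_RE = re.compile(rb"/Length\s+(\d+)(\s+\d+\s+R)?")


def extract_embedded_files(pdf_bytes: bytes) -> list[bytes]:
    """Return the decoded payload of every /EmbeddedFile stream.

    Only the FlateDecode filter is decoded; a stream with any other filter
    is skipped rather than guessed at.
    """
    payloads = []
    for m in OBJ_RE.finditer(pdf_bytes):
        dictionary = m.group(3)
        if not re.search(rb"/Type\s*/EmbeddedFile", dictionary):
            continue
        lm = LENGTH_RE.search(dictionary)
        if lm is None or lm.group(2):
            continue  # no usable direct /Length
        start = m.end()
        data = pdf_bytes[start:start + int(lm.group(1))]
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                continue
        elif b"/Filter" in dictionary:
            continue
        payloads.append(data)
    return payloads


def office_macro_report(payload: bytes) -> dict:
    """Describe a payload: is it an OOXML zip, and does it carry a VBA project?"""
    report = {"is_ooxml": False, "has_vba": False, "names": []}
    if not payload.startswith(b"PK\x03\x04"):
        return report
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return report
    report["names"] = names
    report["is_ooxml"] = "[Content_Types].xml" in names
    # Macro-enabled Word/Excel files store the VBA project as vbaProject.bin.
    report["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
    return report


def triage_pdf(pdf_bytes: bytes) -> list[dict]:
    """One report per embedded file found in the PDF."""
    return [office_macro_report(p) for p in extract_embedded_files(pdf_bytes)]


def build_sample_docm() -> bytes:
    """Constructed minimal macro-enabled OOXML zip (placeholder contents)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0placeholder-ole")
    return buf.getvalue()


def build_sample_pdf(embedded: bytes, compress: bool = True) -> bytes:
    """Constructed minimal PDF wrapping `embedded` as an /EmbeddedFile stream."""
    data = zlib.compress(embedded) if compress else embedded
    filt = b"/Filter /FlateDecode " if compress else b""
    return (
        b"%PDF-1.4\n"
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles 3 0 R >> >>\nendobj\n"
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
        b"3 0 obj\n<< /Names [(HHU67.docm) 4 0 R] >>\nendobj\n"
        b"4 0 obj\n<< /Type /Filespec /F (HHU67.docm) /EF << /F 5 0 R >> >>\nendobj\n"
        b"5 0 obj\n<< /Type /EmbeddedFile " + filt
        + b"/Length " + str(len(data)).encode() + b" >>\nstream\n" + data
        + b"\nendstream\nendobj\n"
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
    )


if __name__ == "__main__":
    # Pass a PDF path to triage it; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            pdf = fh.read()
    else:
        pdf = build_sample_pdf(build_sample_docm())
    for report in triage_pdf(pdf):
        print(report)
```

A hit on `has_vba` is a strong reason to detonate the attachment in a sandbox and, as in this case, to look for the download URLs inside the macro rather than trust the PDF wrapper. Real attachments may use object streams, indirect /Length references or other filters, all of which this example deliberately skips instead of guessing.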


ATTACHMENT:

EMBEDDED WORD DOCUMENT:

JAFF RANSOMWARE:


TRAFFIC

URLS FROM THE WORD MACROS TO DOWNLOAD JAFF RANSOMWARE:


JAFF RANSOMWARE POST-INFECTION TRAFFIC:



Traffic from the infection filtered in Wireshark.



HTTP request for the Jaff ransomware.



Post-infection traffic from the infected Windows host.


IMAGES


Shown above:  Desktop of an infected Windows host.



Shown above:  Going to the Jaff Decryptor.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
