2017-05-16 - MORE EXAMPLES OF JAFF RANSOMWARE

NOTICE:

ASSOCIATED FILES:

  • 2017-05-16-Jaff-ransomware-malspam-traffic.pcap   (97,799 bytes)
  • 2017-05-16-Jaff-ransomware-malspam-tracker.csv   (3,024 bytes)
  • 2017-05-16-133459-UTC-Invoice.pdf   (52,399 bytes)
  • 2017-05-16-141909-UTC-Invoice.pdf   (52,239 bytes)
  • 2017-05-16-142344-UTC-Invoice.pdf   (52,322 bytes)
  • 2017-05-16-142529-UTC-Invoice.pdf   (52,322 bytes)
  • 2017-05-16-142819-UTC-Invoice.pdf   (52,322 bytes)
  • 2017-05-16-143514-UTC-Invoice.pdf   (52,322 bytes)
  • 2017-05-16-144044-UTC-Invoice.pdf   (52,322 bytes)
  • 2017-05-16-145739-UTC-Invoice.pdf   (52,464 bytes)
  • 2017-05-16-150804-UTC-Invoice.pdf   (52,439 bytes)
  • 2017-05-16-155014-UTC-Invoice.pdf   (52,214 bytes)
  • 2017-05-16-173344-UTC-Invoice.pdf   (52,185 bytes)
  • 2017-05-16-182134-UTC-Invoice.pdf   (51,875 bytes)
  • 2017-05-16-Jaff-Decryptor-index.css   (2,661 bytes)
  • 2017-05-16-Jaff-Decryptor.html   (5,090 bytes)
  • 2017-05-16-Jaff-ransomware-ReadMe.bmp   (3,145,782 bytes)
  • 2017-05-16-Jaff-ransomware-ReadMe.html   (1,431 bytes)
  • 2017-05-16-Jaff-ransomware-ReadMe.txt   (482 bytes)
  • 2017-05-16-Jaff-ransomware-galaperidol8.exe   (147,456 bytes)
  • 2017-05-16-jaff-malspam-133459-UTC.eml   (71,787 bytes)
  • GUMHSZUM.docm   (55,176 bytes)
  • HBTEJ.docm   (55,154 bytes)
  • HSOTN2JI.docm   (55,170 bytes)
  • LNJ9DNIJ.docm   (55,187 bytes)
  • U4HKZVPRL.docm   (55,175 bytes)
  • UCER2Q.docm   (55,134 bytes)
  • UTTNNVW6V.docm   (55,166 bytes)
  • VEZLGKVC.docm   (55,155 bytes)


EMAIL


Shown above:  An example of the emails.


12 EMAIL EXAMPLES:

READ: DATE/TIME -- SUBJECT -- ATTACHMENT NAME -- SENDING ADDRESS (SPOOFED)


MALWARE


Shown above:  As usual, the PDF attachment contains an embedded Word document with malicious macros.


SHA256 HASHES FOR THE ATTACHMENTS:

SHA256 HASHES FOR THE EMBEDDED WORD DOCUMENTS:

JAFF RANSOMWARE SAMPLE:
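The triage step behind the MALWARE section (PDF attachment, embedded .docm, SHA256 of the embedded document) as an added example; this is not code from the original post. The PDF and the .docm it carries are constructed in the script itself (no real malware), and the parser is deliberately small: it handles /EmbeddedFile streams with a direct /Length and FlateDecode or no filter, which is the plain layout these lures use, and raises on anything else so a full PDF parser can take over.

```python
"""Triage a Jaff-style PDF: extract the embedded Word document and check it for VBA macros.

Added example, not from the original post. The PDF and the .docm it carries are
constructed in-line (no real malware) so the script runs offline. Only
/EmbeddedFile streams with a direct /Length and FlateDecode (or no filter) are
handled; anything else raises so a full PDF parser can be used instead.
"""
import hashlib
import io
import re
import zipfile
import zlib


def build_fake_docm():
    """Constructed stand-in for a macro-bearing .docm: a ZIP with word/vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder OLE container")
    return buf.getvalue()


def build_fake_pdf(payload, name="HBTEJ.docm"):
    """Constructed PDF carrying `payload` as a FlateDecode /EmbeddedFile (xref omitted)."""
    stream = zlib.compress(payload)
    body = b"".join([
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n",
        b"3 0 obj << /Type /Filespec /F (" + name.encode() + b") /EF << /F 4 0 R >> >> endobj\n",
        b"4 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n" % len(stream),
        stream,
        b"\nendstream\nendobj\n",
    ])
    return b"%PDF-1.5\n" + body + b"%%EOF\n"


# Object whose dictionary is followed by a stream. The tempered dot (?:(?!endobj).)
# stops the dictionary match from running past "endobj" into the next object.
STREAM_OBJ_RE = re.compile(
    rb"(\d+)\s+0\s+obj\s*<<((?:(?!endobj).)*?)>>\s*stream\r?\n", re.DOTALL)
# /Filespec entry: file name in /F (...) and the stream it names in /EF << /F n 0 R >>.
FILESPEC_RE = re.compile(
    rb"/Type\s*/Filespec(?:(?!endobj).)*?/F\s*\((.*?)\)(?:(?!endobj).)*?/EF\s*<<\s*/F\s*(\d+)\s+0\s+R",
    re.DOTALL)


def extract_embedded_files(pdf):
    """Return {file name: raw bytes} for each /EmbeddedFile stream in the PDF."""
    names = {int(num): fname.decode("latin-1") for fname, num in FILESPEC_RE.findall(pdf)}
    found = {}
    for m in STREAM_OBJ_RE.finditer(pdf):
        objnum, dictionary = int(m.group(1)), m.group(2)
        if b"/EmbeddedFile" not in dictionary:
            continue
        length = re.search(rb"/Length\s+(\d+)(\s+0\s+R)?", dictionary)
        if length is None or length.group(2):
            raise ValueError("object %d: indirect /Length not handled by this parser" % objnum)
        data = pdf[m.end():m.end() + int(length.group(1))]
        if b"/FlateDecode" in dictionary:
            data = zlib.decompress(data)
        found[names.get(objnum, "object_%d.bin" % objnum)] = data
    return found


def has_vba_macro(blob):
    """A .docm is a ZIP; the macro project lives in word/vbaProject.bin."""
    if not blob.startswith(b"PK\x03\x04"):
        return False
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())


def triage(pdf):
    """One record per embedded file: name, size, SHA256, and whether it carries VBA."""
    return [{"name": name, "size": len(blob),
             "sha256": hashlib.sha256(blob).hexdigest(),
             "vba_macro": has_vba_macro(blob)}
            for name, blob in extract_embedded_files(pdf).items()]


if __name__ == "__main__":
    for rec in triage(build_fake_pdf(build_fake_docm())):
        print("%(name)s  %(size)d bytes  sha256=%(sha256)s  vba_macro=%(vba_macro)s" % rec)
```

To run it on one of the attachments, read the file as bytes and pass it to triage(); the SHA256 values it prints for the extracted documents are what goes in the "embedded Word documents" hash list, while hashing the PDF itself gives the "attachments" list.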


TRAFFIC

URLS FROM THE WORD MACROS TO DOWNLOAD JAFF RANSOMWARE:


JAFF RANSOMWARE POST-INFECTION TRAFFIC:



Traffic from the infection filtered in Wireshark.



HTTP request for the Jaff ransomware.



Post-infection traffic from the infected Windows host.
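The Wireshark view above, reduced to what the TRAFFIC section is after (the macro's HTTP request for the Jaff binary and the post-infection requests), as an added example that is not part of the original post. It lists HTTP requests from a pcap the way the http.request filter does. The capture it parses is constructed inside the script, with invented addresses, host names and paths, so it runs offline; hand parse_pcap_http() the bytes of the real .pcap for actual results. It reads classic pcap only (not pcapng), Ethernet/IPv4/TCP only, and expects a request to start at the beginning of a TCP segment, which holds for the small GET/POST requests of interest here.

```python
"""List HTTP requests from a pcap, the way the Wireshark filter http.request does.

Added example, not from the original post. The capture is constructed in-line
(addresses, host names and paths are invented) so it runs offline. Classic pcap
only, Ethernet/IPv4/TCP only, request assumed to start a TCP segment.
"""
import socket
import struct

PCAP_MAGIC_LE, PCAP_MAGIC_BE = 0xA1B2C3D4, 0xD4C3B2A1
METHODS = (b"GET ", b"POST ", b"HEAD ")


def iter_pcap_records(data):
    """Yield (ts_sec, frame_bytes) for each record of a classic-format pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap (pcapng is not handled here)")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (link type 1) is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (src, dst, sport, dport, payload) for an IPv4/TCP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != 6:                      # IP protocol 6 = TCP
        return None
    total_len = struct.unpack("!H", ip[2:4])[0]
    tcp = ip[ihl:total_len]             # trims any Ethernet trailer padding
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
            sport, dport, tcp[data_off:])


def parse_pcap_http(data):
    """Return one dict per HTTP request found, in capture order."""
    requests = []
    for ts, frame in iter_pcap_records(data):
        parsed = tcp_payload(frame)
        if parsed is None or not parsed[4].startswith(METHODS):
            continue
        src, dst, _sport, dport, payload = parsed
        head = payload.split(b"\r\n\r\n", 1)[0].split(b"\r\n")
        parts = head[0].split(b" ")     # request line: METHOD URI VERSION
        if len(parts) < 2:
            continue
        host = next((line.split(b":", 1)[1].strip() for line in head[1:]
                     if line.lower().startswith(b"host:")), b"")
        host, uri = host.decode("latin-1"), parts[1].decode("latin-1")
        requests.append({"ts": ts, "src": src, "dst": dst, "dport": dport,
                         "method": parts[0].decode("latin-1"), "host": host,
                         "uri": uri, "url": "http://%s%s" % (host, uri)})
    return requests


def build_frame(src_ip, dst_ip, sport, dport, payload):
    """Constructed Ethernet/IPv4/TCP frame; checksums left zero (the parser does not verify them)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + tcp
    return b"\x00" * 12 + b"\x08\x00" + ip


def build_pcap(frames, first_ts=1494950000):
    """Constructed classic pcap: global header, then one record per frame, one second apart."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", first_ts + i, 0, len(frame), len(frame)) + frame
    return out


# Constructed traffic: a segment with no payload, the macro's download GET for the
# ransomware binary, and a post-infection POST. Hosts and paths are invented.
SAMPLE_PCAP = build_pcap([
    build_frame("10.5.16.101", "203.0.113.10", 49203, 80, b""),
    build_frame("10.5.16.101", "203.0.113.10", 49203, 80,
                b"GET /files/galaperidol8.exe HTTP/1.1\r\nHost: download.example.net\r\n"
                b"User-Agent: Mozilla/4.0\r\n\r\n"),
    build_frame("10.5.16.101", "198.51.100.7", 49210, 80,
                b"POST /callback/ HTTP/1.1\r\nHost: checkin.example.org\r\n"
                b"Content-Length: 4\r\n\r\ndata"),
])

if __name__ == "__main__":
    for r in parse_pcap_http(SAMPLE_PCAP):
        print("%d  %s -> %s:%d  %s %s" % (r["ts"], r["src"], r["dst"], r["dport"], r["method"], r["url"]))
```

The "url" field is the host plus request URI, which is the form the download URL and post-infection URL lists on these pages take; the destination IP and port travel alongside it so a request to a non-standard port still resolves to something blockable.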


IMAGES


Shown above:  Desktop of an infected Windows host.



Shown above:  Going to the Jaff Decryptor.


FINAL NOTES
