2017-05-15 - THE JAFF RANSOMWARE TRAIN KEEPS ON ROLLIN'
ASSOCIATED FILES:
- ZIP archive of the pcap: 2017-05-15-jaff-ransomware-traffic.pcap.zip 150 kB (150,210 bytes)
- 2017-05-15-jaff-ransomware-traffic.pcap (158,549 bytes)
- ZIP archive of the malware: 2017-05-15-Jaff-ransomware-malspam-artifacts.zip 314 kB (314,436 bytes)
- 2017-05-15-Jaff-ransomware-ReadMe.bmp (3,145,782 bytes)
- 2017-05-15-Jaff-ransomware-ReadMe.html (1,431 bytes)
- 2017-05-15-Jaff-ransomware-ReadMe.txt (482 bytes)
- 2017-05-15-Jaff-ransomware-drefudre20.exe (176,128 bytes)
- 2017-05-15-jaff-decryptor-index.css (2,661 bytes)
- 2017-05-15-jaff-decryptor.html (5,091 bytes)
- 2017-05-15-malspam-103539-UTC.eml (72,864 bytes)
- HHU67.docm (55,129 bytes)
NOTES:
- More malspam pushing Jaff ransomware this morning...
- It's the same type of malspam we've seen before with PDF attachments --> embedded Word documents (with malicious macros) --> follow-up malware.
- Below are the blogs I've personally posted about it here at malware-traffic-analysis.net:
- 2017-04-19 - Dridex malspam with PDF attachments containing embedded Word docs
- 2017-04-21 - Dridex-style malspam pushes Locky ransomware instead
- 2017-05-11 - Jumping on the Jaff bandwagon
- 2017-05-15 - The Jaff ransomware train keeps on rollin' (today's blog post)
Shown above: An example of the emails.
EMAIL HEADERS:
- Date/Time: Monday 2017-05-15 at 10:35 UTC
- From: KATHIE FARRIMOND <kathiefarrimond@ebcfactors.co.uk>
- Subject: 05_Invoice_3470
- Attachment name: 001_8378.pdf
MALWARE
Shown above: The PDF attachment contains an embedded Word document with malicious macros.
ATTACHMENT:
- SHA256 hash: 5968b7a89e5d1db8447b5343f20362ab713551a94226fb905fff7a067c770c79
- File size: 53,257 bytes
- File name: 001_8378.pdf
EMBEDDED WORD DOCUMENT:
- SHA256 hash: a5008680100ec970009eb68b5e8bb98af5fb58aef5b8f043e1517390245e0edd
- File size: 55,129 bytes
- File name: HHU67.docm
JAFF RANSOMWARE:
- SHA256 hash: 41bce3e382cee06aa65fbee15fd38f7187fb090d5da78d868f57c84197689287
- File size: 176,128 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\drefudre20.exe
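The PDF in this chain is only a carrier: the Word document is stored inside it as an /EmbeddedFile stream, and that is the object you want out of the PDF before you look at macros. Below is an added example (my code, not anything from malware-traffic-analysis.net) of pulling /EmbeddedFile streams out of a PDF with nothing but regular expressions and zlib, then checking whether the payload is an OOXML zip (the "PK" signature a .docm starts with). It builds its own minimal PDF as constructed test input; the real 001_8378.pdf is not reproduced here, and the object layout of the sample is an assumption for illustration. Only FlateDecode and unfiltered streams are decoded; anything else is skipped.

```python
import hashlib
import re
import zlib

# One "N G obj ... endobj" block at a time, so a stream-less object
# (e.g. the /Filespec) can never be confused with the next object's stream.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.DOTALL)
# \bstream keeps the keyword from matching the tail of "endstream".
STREAM_RE = re.compile(rb"\bstream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def extract_embedded_files(pdf_bytes):
    """Return one record per /EmbeddedFile stream found in pdf_bytes.

    Each record carries the object number, the decoded bytes, their SHA256
    and whether the payload looks like an OOXML (zip) container.
    """
    records = []
    for m in OBJ_RE.finditer(pdf_bytes):
        objnum, body = int(m.group(1)), m.group(3)
        s = STREAM_RE.search(body)
        if s is None:
            continue                      # no stream in this object
        dictionary, raw = body[: s.start()], s.group(1)
        if b"/EmbeddedFile" not in dictionary:
            continue                      # some other stream (page content, image, ...)
        if b"/FlateDecode" in dictionary:
            payload = zlib.decompress(raw)
        elif b"/Filter" not in dictionary:
            payload = raw
        else:
            continue                      # unsupported filter; report nothing rather than guess
        records.append({
            "object": objnum,
            "data": payload,
            "sha256": hashlib.sha256(payload).hexdigest(),
            "is_ooxml": payload.startswith(b"PK\x03\x04"),
        })
    return records


def build_sample_pdf(payload, name=b"HHU67.docm"):
    """Construct a minimal PDF carrying `payload` as an embedded file.

    This is constructed test input for the extractor above, not the PDF
    attachment from the blog post; the object numbering is an assumption.
    """
    compressed = zlib.compress(payload)
    return (
        b"%PDF-1.7\n"
        b"1 0 obj\n<< /Type /Catalog /Names << /EmbeddedFiles << /Names [(" + name + b") 2 0 R] >> >> >>\nendobj\n"
        b"2 0 obj\n<< /Type /Filespec /F (" + name + b") /EF << /F 3 0 R >> >>\nendobj\n"
        b"3 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length "
        + str(len(compressed)).encode() + b" >>\nstream\n" + compressed + b"\nendstream\nendobj\n"
        b"%%EOF\n"
    )


# Constructed stand-in for a .docm: a zip local-file header plus filler bytes.
SAMPLE_PAYLOAD = b"PK\x03\x04" + b"[Content_Types].xml" + b"\x00" * 64

if __name__ == "__main__":
    for rec in extract_embedded_files(build_sample_pdf(SAMPLE_PAYLOAD)):
        print(rec["object"], rec["sha256"], "OOXML" if rec["is_ooxml"] else "unknown")
```

Run it against a real sample with `extract_embedded_files(open(path, "rb").read())`, then compare the SHA256 of each payload with the hash listed above before handing the .docm to olevba or similar. Streams whose declared /Length disagrees with the bytes between `stream` and `endstream` are worth a second look; this extractor deliberately ignores /Length because malformed lengths are common in malicious PDFs.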
TRAFFIC
URLS FROM THE WORD MACROS TO DOWNLOAD JAFF RANSOMWARE:
- 203.170.192.184 port 80 - urachart.com - GET /hHGFjd
- 185.2.31.189 port 80 - fotografikum.com - GET /hHGFjd
- 185.109.146.224 port 80 - 5hdnnd74fffrottd.com - GET /af/hHGFjd
- 185.109.146.224 port 80 - byydei74fg43ff4f.net - GET /af/hHGFjd
- 185.109.146.224 port 80 - sjffonrvcik45bd.info - GET /af/hHGFjd
JAFF RANSOMWARE POST-INFECTION TRAFFIC:
- 47.91.107.213 port 80 - h552terriddows.com - GET /a5/
- rktazuzi7hbln7sy.onion - Tor domain for Jaff Decryptor (same as last week)
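Two things in the traffic above are usable for detection even after the domains rotate: the exact host/URI pairs, and the fact that the macro walks through several unrelated domains asking for the same URI (/hHGFjd, /af/hHGFjd) until one answers. The following is an added example of my own, not code from the blog, that runs both checks over proxy log lines. The log format (timestamp, client IP, host, method, URI, whitespace-separated) and the log lines themselves are constructed for the example, not taken from the pcap; the 120-second window and the two-host threshold are assumptions you would tune to your own environment. The same-path-across-hosts heuristic generalises beyond Jaff to any macro downloader that cycles through a fallback list.

```python
from collections import defaultdict
from datetime import datetime, timezone

# IOCs copied from the traffic section of this post: (host, URI) pairs.
JAFF_DOWNLOAD_IOCS = {
    ("urachart.com", "/hHGFjd"),
    ("fotografikum.com", "/hHGFjd"),
    ("5hdnnd74fffrottd.com", "/af/hHGFjd"),
    ("byydei74fg43ff4f.net", "/af/hHGFjd"),
    ("sjffonrvcik45bd.info", "/af/hHGFjd"),
}
JAFF_C2_IOCS = {("h552terriddows.com", "/a5/")}

# Constructed proxy log lines (not from the pcap): "timestamp client host method uri".
SAMPLE_LOG = """\
2017-05-15T10:40:01Z 10.5.15.101 www.example.com GET /index.html
2017-05-15T10:41:02Z 10.5.15.101 urachart.com GET /hHGFjd
2017-05-15T10:41:07Z 10.5.15.101 fotografikum.com GET /hHGFjd
2017-05-15T10:41:12Z 10.5.15.101 5hdnnd74fffrottd.com GET /af/hHGFjd
2017-05-15T10:43:30Z 10.5.15.101 h552terriddows.com GET /a5/
2017-05-15T11:02:00Z 10.5.15.202 www.example.com GET /hHGFjd
"""


def parse_line(line):
    """Split one constructed log line into a dict with a UTC datetime."""
    ts, client, host, method, uri = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "client": client, "host": host.lower(), "method": method, "uri": uri}


def scan_log(text, window_seconds=120, min_hosts=2):
    """Return alerts for IOC hits and for the same URI fetched from
    several different hosts by one client inside a short window."""
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    alerts = []
    by_client_path = defaultdict(list)

    for ev in events:
        key = (ev["host"], ev["uri"])
        if key in JAFF_DOWNLOAD_IOCS:
            alerts.append({"kind": "jaff-download-ioc", "client": ev["client"],
                           "host": ev["host"], "uri": ev["uri"]})
        elif key in JAFF_C2_IOCS:
            alerts.append({"kind": "jaff-c2-ioc", "client": ev["client"],
                           "host": ev["host"], "uri": ev["uri"]})
        by_client_path[(ev["client"], ev["uri"])].append((ev["ts"], ev["host"]))

    # Heuristic: a downloader trying its fallback list looks like one client
    # requesting an identical path from >= min_hosts distinct hosts within the window.
    for (client, uri), hits in by_client_path.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            hosts = {h for t, h in hits[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(hosts) >= min_hosts:
                alerts.append({"kind": "multi-host-same-path", "client": client,
                               "uri": uri, "hosts": sorted(hosts)})
                break                      # one alert per client/path is enough
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(a)
```

On the sample, the three download IOCs and the /a5/ check-in each produce an alert, and the heuristic fires once for 10.5.15.101 fetching /hHGFjd from urachart.com and fotografikum.com five seconds apart; the lone /hHGFjd request from the second client does not trip it because only one host was involved. Do not retire the host/URI IOCs in favour of the heuristic alone: the GET /hHGFjd lines in this post are also the cleanest pivot for the HTTP request filter shown in the Wireshark screenshot below.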
Traffic from the infection filtered in Wireshark.
HTTP request for the Jaff ransomware.
Post-infection traffic from the infected Windows host.
IMAGES
Shown above: Desktop of an infected Windows host.
Shown above: Going to the Jaff Decryptor.
FINAL NOTES
Once again, here are the associated files:
- ZIP archive of the pcap: 2017-05-15-jaff-ransomware-traffic.pcap.zip 150 kB (150,210 bytes)
- ZIP archive of the malware: 2017-05-15-Jaff-ransomware-malspam-artifacts.zip 314 kB (314,436 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.