2017-05-22 - MALSPAM PUSHING JAFF RANSOMWARE FROM WORD DOCS IN PDF ATTACHMENTS
ASSOCIATED FILES:
- Zip archive of the pcap: 2017-05-22-Jaff-ransomware-malspam-traffic.pcap.zip 147 kB (147,275 bytes)
- Zip archive of the spreadsheet tracker: 2017-05-22-Jaff-ransomware-malspam-tracker.csv.zip 1.4 kB (1,440 bytes)
- Zip archive of the emails, malware, and artifacts: 2017-05-22-Jaff-ransomware-emails-and-artifacts.zip 2.4 MB (2,422,748 bytes)
NOTES:
- More malspam pushing Jaff ransomware today...
- It's the same type of malspam we've seen before with PDF attachments --> embedded Word documents (with malicious macros) --> follow-up malware.
- Below are the blogs I've personally posted about it here at malware-traffic-analysis.net:
- 2017-04-19 - Dridex malspam with PDF attachments containing embedded Word docs
- 2017-04-21 - Dridex-style malspam pushes Locky ransomware instead
- 2017-05-11 - Jumping on the Jaff bandwagon
- 2017-05-15 - The Jaff ransomware train keeps on rollin'
- 2017-05-16 - More examples of malspam pushing Jaff ransomware
- 2017-05-22 - Malspam pushing Jaff ransomware (this blog post)
Shown above: An example of the emails.
12 EMAIL EXAMPLES:
READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT NAME
- 2017-05-22 13:34:31 UTC -- BARBARA HAZLETT <NoReply@hexilon.com> -- Copy of Invoice 50648967 -- 50648967.PDF
- 2017-05-22 13:42:35 UTC -- BARTON HENDON <NoReply@noriet.pl> -- Copy of Invoice 96259119 -- 96259119.PDF
- 2017-05-22 13:49:43 UTC -- JAVIER SALTER <NoReply@jmclutherie.com> -- Copy of Invoice 58159387 -- 58159387.PDF
- 2017-05-22 13:54:02 UTC -- IRMA CLARK <NoReply@emotionalclarity.co.uk> -- Copy of Invoice 14017976 -- 14017976.PDF
- 2017-05-22 14:09:25 UTC -- MONA HOUNDSOME <NoReply@MathFileFolderGames.com> -- Copy of Invoice 05346468 -- 05346468.PDF
- 2017-05-22 14:35:59 UTC -- MAVIS HOWARD <NoReply@tezziessignshop.com> -- Copy of Invoice 64647384 -- 64647384.PDF
- 2017-05-22 14:45:46 UTC -- ALANA MACALISTER <NoReply@elecomptrade.com> -- Copy of Invoice 21397165 -- 21397165.PDF
- 2017-05-22 14:54:29 UTC -- ERIKA OF ROUMANIA <NoReply@inetobchod.cz> -- Copy of Invoice 85354849 -- 85354849.PDF
- 2017-05-22 14:58:43 UTC -- 1DEANA MINTAS <NoReply@racesalinaspeedway.com> -- Copy of Invoice 93059018 -- 93059018.PDF
- 2017-05-22 15:29:14 UTC -- SHELLEY MARKHAM <NoReply@cancianpavimenti.it> -- Copy of Invoice 87325061 -- 87325061.PDF
- 2017-05-22 15:59:26 UTC -- Minnie Gerry <gerry.darwin7234@hzndj.com> -- Document_9483142 -- nm.pdf
- 2017-05-22 15:59:50 UTC -- Minnie <minnie.sye17@greenvalleyelks.org> -- PDF_9807 -- nm.pdf
MALWARE
Shown above: As usual, the PDF attachment contains an embedded Word document with malicious macros.
Shown above: Started noticing marks in the bottom half of the images in these Word documents.
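As an added example (not part of the original post or its artifacts), a quick triage script for the delivery chain described above: it scans raw PDF bytes for /EmbeddedFile streams and /Filespec file names and flags embedded Office documents with macro-capable extensions. The PDF bytes are constructed for the demo; the file name DLYX3.docm is taken from the list on this page.

```python
import re
from typing import NamedTuple

# Constructed test input, not a real sample: a minimal PDF whose name tree points at a
# /Filespec for an embedded Word document. Real attachments often keep these dictionaries
# inside compressed object streams, so a plain-text scan can miss them; inflate object
# streams with a proper PDF parser before trusting a clean result.
SAMPLE_PDF = b"""%PDF-1.5
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles 3 0 R >> >> endobj
3 0 obj << /Names [(DLYX3.docm) 4 0 R (cover.png) 6 0 R] >> endobj
4 0 obj << /Type /Filespec /F (DLYX3.docm) /UF <444C5958332E646F636D> /EF << /F 5 0 R >> >> endobj
5 0 obj << /Type /EmbeddedFile /Length 4 >> stream
PK\x03\x04
endstream endobj
6 0 obj << /Type /Filespec /F (cover.png) /EF << /F 7 0 R >> >> endobj
7 0 obj << /Type /EmbeddedFile /Length 4 >> stream
\x89PNG
endstream endobj
%%EOF
"""

# Office extensions that carry (or can carry) VBA macros and deserve a closer look.
MACRO_EXTS = (".docm", ".dotm", ".xlsm", ".xltm", ".pptm", ".doc", ".xls")

class PdfTriage(NamedTuple):
    embedded_files: int   # number of /EmbeddedFile streams seen
    filenames: list       # names declared in /Filespec entries (/F or /UF)
    macro_docs: list      # subset with a macro-capable Office extension

def _decode_name(literal, hexstr):
    """Decode a PDF literal string ( ... ) or hex string < ... > to text."""
    if literal is not None:
        return literal.decode("latin-1")
    digits = re.sub(rb"\s", b"", hexstr).decode()
    if len(digits) % 2:          # PDF allows an odd digit count; the last nibble is 0
        digits += "0"
    return bytes.fromhex(digits).decode("latin-1")

def triage_pdf(data: bytes) -> PdfTriage:
    """Flag PDFs that carry embedded Office documents, as in this campaign."""
    embedded = len(re.findall(rb"/Type\s*/EmbeddedFile\b", data))
    names = []
    for m in re.finditer(rb"/(?:UF|F)\b\s*(?:\(([^)]*)\)|<([0-9A-Fa-f\s]*)>)", data):
        name = _decode_name(m.group(1), m.group(2))
        if name not in names:
            names.append(name)
    macro_docs = [n for n in names if n.lower().endswith(MACRO_EXTS)]
    return PdfTriage(embedded, names, macro_docs)
```

The literal-string decoder ignores PDF escape sequences such as \( and \\, which is acceptable for triage but not for exact name recovery.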
SHA256 HASHES FOR THE PDF ATTACHMENTS:
SHA256 HASHES FOR THE EMBEDDED WORD DOCUMENTS:
JAFF RANSOMWARE SAMPLE:
- SHA256 hash: 3105bf7916ab2e8bdf32f9a4f798c358b4d18da11bcc16f8f063c4b9c200f8b4
- File size: 184,320 bytes
- File location: C:\Users\[username]\AppData\Local\Temp\buzinat8.exe
TRAFFIC
URLS FROM THE WORD MACROS TO DOWNLOAD JAFF RANSOMWARE:
JAFF RANSOMWARE POST-INFECTION TRAFFIC:
- 217.29.63.199 port 80 trollitrancessions.net - GET /a5/
- rktazuzi7hbln7sy.onion - Tor domain for Jaff Decryptor (same as the last few times)
Traffic from the infection filtered in Wireshark.
HTTP request for the Jaff ransomware.
Post-infection traffic from the infected Windows host.
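Added example, not from the original post: a small hunt over constructed proxy-log lines that flags the macro download path pattern seen in this campaign (/jhg6fgh, with or without the /af/ prefix) and the post-infection check-in to trollitrancessions.net, then correlates both stages per client. The log format and client IPs are assumed for the demo; the path, host and IP come from this page.

```python
import re
from collections import defaultdict

# Indicators taken from the traffic section of this page.
DOWNLOAD_PATH = re.compile(r"^/(?:af/)?jhg6fgh?$")   # macro download path, both variants
CHECKIN_HOSTS = {"trollitrancessions.net", "217.29.63.199"}
CHECKIN_PATH = "/a5/"

# Constructed proxy log (not the pcap): time client method host path status
SAMPLE_LOG = """\
2017-05-22T13:41:07Z 10.0.0.15 GET datadunyasi.com /jhg6fgh 200
2017-05-22T13:41:19Z 10.0.0.15 GET trollitrancessions.net /a5/ 200
2017-05-22T14:03:55Z 10.0.0.23 GET way2lab.com /af/jhg6fgh 404
2017-05-22T14:05:10Z 10.0.0.42 GET www.example.com /index.html 200
"""

def classify_request(host, path):
    """Return 'download', 'checkin' or None for one GET request."""
    if DOWNLOAD_PATH.match(path):
        return "download"
    if host in CHECKIN_HOSTS and path.startswith(CHECKIN_PATH):
        return "checkin"
    return None

def hunt(log_text):
    """Map each client to a verdict; download followed by check-in = likely infected."""
    stages = defaultdict(set)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[2] != "GET":
            continue            # skip malformed or non-GET lines rather than abort the sweep
        ts, client, _method, host, path, status = parts
        stage = classify_request(host, path)
        if stage:
            stages[client].add(stage)
            hits.append((ts, client, stage, host + path, status))
    verdicts = {}
    for client, seen in stages.items():
        if {"download", "checkin"} <= seen:
            verdicts[client] = "download-and-checkin"
        elif "download" in seen:
            verdicts[client] = "download-attempt"   # e.g. blocked, 404, or macro never ran
        else:
            verdicts[client] = "checkin-only"       # download happened outside the log window
    return verdicts, hits
```

A "download-attempt" host still warrants a look at the endpoint, since a 404 from one downloader URL does not rule out a successful fetch from another.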
IMAGES
Shown above: Desktop of an infected Windows host.
Shown above: Going to the Jaff Decryptor.
FINAL NOTES
Once again, here are the associated files:
- Zip archive of the pcap: 2017-05-22-Jaff-ransomware-malspam-traffic.pcap.zip 147 kB (147,275 bytes)
- Zip archive of the spreadsheet tracker: 2017-05-22-Jaff-ransomware-malspam-tracker.csv.zip 1.4 kB (1,440 bytes)
- Zip archive of the emails, malware, and artifacts: 2017-05-22-Jaff-ransomware-emails-and-artifacts.zip 2.4 MB (2,422,748 bytes)
ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.