2017-05-22 - MALSPAM PUSHING JAFF RANSOMWARE FROM WORD DOCS IN PDF ATTACHMENTS

ASSOCIATED FILES:

• Zip archive of the pcap:  2017-05-22-Jaff-ransomware-malspam-traffic.pcap.zip   147 kB (147,275 bytes)
• Zip archive of the spreadsheet tracker:  2017-05-22-Jaff-ransomware-malspam-tracker.csv.zip   1.4kB (1,440 bytes)
• Zip archive of the emails, malware, and artifacts:  2017-05-22-Jaff-ransomware-emails-and-artifacts.zip   2.4 MB (2,422,748 bytes)

NOTES:

• More malspam pushing Jaff ransomware today...
• It's the same type of malspam we've seen before with PDF attachments --> embedded Word documents (with malicious macros) --> follow-up malware.
• Below are the blogs I've personally posted about it here at malware-traffic-analysis.net:

• 2017-04-19 - Dridex malspam with PDF attachments containing embedded Word docs
• 2017-04-21 - Dridex-style malspam pushes Locky ransomware instead
• 2017-05-11 - Jumping on the Jaff bandwagon
• 2017-05-15 - The Jaff ransomware train keeps on rollin'
• 2017-05-16 - More examples of malspam pushing Jaff ransomware
• 2017-05-22 - Malspam pushing Jaff ransomware (this blog post)

 

EMAIL

Shown above:  An example of the emails.

 

12 EMAIL EXAMPLES:

READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT NAME

• 2017-05-22 13:34:31 UTC -- BARBARA HAZLETT <NoReply@hexilon.com> -- Copy of Invoice 50648967 -- 50648967.PDF
• 2017-05-22 13:42:35 UTC -- BARTON HENDON <NoReply@noriet.pl> -- Copy of Invoice 96259119 -- 96259119.PDF
• 2017-05-22 13:49:43 UTC -- JAVIER SALTER <NoReply@jmclutherie.com> -- Copy of Invoice 58159387 -- 58159387.PDF
• 2017-05-22 13:54:02 UTC -- IRMA CLARK <NoReply@emotionalclarity.co.uk> -- Copy of Invoice 14017976 -- 14017976.PDF
• 2017-05-22 14:09:25 UTC -- MONA HOUNDSOME <NoReply@MathFileFolderGames.com> -- Copy of Invoice 05346468 -- 05346468.PDF
• 2017-05-22 14:35:59 UTC -- MAVIS HOWARD <NoReply@tezziessignshop.com> -- Copy of Invoice 64647384 -- 64647384.PDF
• 2017-05-22 14:45:46 UTC -- ALANA MACALISTER <NoReply@elecomptrade.com> -- Copy of Invoice 21397165 -- 21397165.PDF
• 2017-05-22 14:54:29 UTC -- ERIKA OF ROUMANIA <NoReply@inetobchod.cz> -- Copy of Invoice 85354849 -- 85354849.PDF
• 2017-05-22 14:58:43 UTC -- 1DEANA MINTAS <NoReply@racesalinaspeedway.com> -- Copy of Invoice 93059018 -- 93059018.PDF
• 2017-05-22 15:29:14 UTC -- SHELLEY MARKHAM <NoReply@cancianpavimenti.it> -- Copy of Invoice 87325061 -- 87325061.PDF
• 2017-05-22 15:59:26 UTC -- Minnie Gerry <gerry.darwin7234@hzndj.com> -- Document_9483142 -- nm.pdf
• 2017-05-22 15:59:50 UTC -- Minnie <minnie.sye17@greenvalleyelks.org> -- PDF_9807 -- nm.pdf

 

MALWARE

Shown above:  As usual, the PDF attachment contains an embedded Word document with malicious macros.

 

Shown above:  Started noticing marks in the bottom half of the images in these Word documents.

 

SHA256 HASHES FOR THE PDF ATTACHMENTS:

• 10321320369049daf9e10a898d44d489c5c1eba376c4ee9144257e2285634aa8
• 11f02f894bd5773bf5a6b6da6336881d30f525f16bfc938c42d6e305de6b2f46
• 476d6c030f56b9727abd5da5322efb08063a50e6b71562fb40eb779b1d3689ff
• 4967779ed93e178ad3e5d895a434f4866f77ddc3df9e9f3c0c69d9c6419835d6
• 6df458c9e52d9b104f8419a5bdfe320730b07642af007972b0fa72200e4949ad
• 7b007efc9a703bbaeebd9bc443efb9f8c6300c3f1480a040a81a2120dc5c97cb
• 7cd7a975ac42b409d97161c5fb3e100552bc5c2eaeb6e196b45e2a55c5086b17
• 9e31d8584c3d281bb264e6cccd38eb25ec8d1b7a11af85b2e42c335a06c78bfd
• d36aa76aa38e01bdc5d1ce3c83bffb402e0b8e7ff5200e79ca700864ac9abdee
• e08a6331873d1aea6d6ec8178d550a56a98895fb268c430948af9bc1098a9762
• e1aab160d59b83a9b62dc2609c2d55b7f07387f4b84041c18efe068e05f9b9dd

SHA256 HASHES FOR THE EMBEDDED WORD DOCUMENTS:

• 2fe146a9b8857e4c8fb8feb41952ec58c7bfc2c4c8fba2ac3c8bce28ce8bd468 - DLYX3.docm
• 43c96848e38431c5b9d90622808733cfe011e6b1a04b0c8f5e4e50a205ea95f9 - LOASWA.docm
• 5406916f81e8c20f61d0ff8f3242642d6d04ffb0c0c2d351bfd166aa3b62a44b - VWJEPFUGN.docm
• 56db9d583df62c240576b372e0ddfaadd8adb2e40d0af974d8b7cd33bc06443a - VNNCTVG.docm
• 8f04b9cd61543f8211285cd72f3a73d55cc2035da5e9abd44ec82f6a6b820ba6 - XJ3ZKWN.docm
• a358fb67469ea758d100fe42423b6b8c1085b47efa701e441fc20af11dc9d307 - BMUC3LI.docm
• a5563ae47b4aefdc8ce88dc82bd920446abdd7bcdf9c0c0196ee534aeebd2c5b - HMFQD7F.docm
• b657ee84e4358187091ae49dbecade191418624d0ec1958524fc9d2740b0d623 - WBLYJOFBR.docm
• cbd9fc0ee67a1edd2511773cb013d2db55f4f42c15b1fe37b417bf096ca7f029 - HC5TMRFS.docm
• cc18fd9d51b01cd3dc5f6a07403a933baa8ec648e0b65835bf10a8efdc583217 - LXC9UU.docm
• f3a3299f3ff1e51b5d52c99c78df7a6a585c1a2686a8468a3dfacde9a6fe6b4e - SOBFSGAUV.docm

JAFF RANSOMWARE SAMPLE:

• SHA256 hash:  3105bf7916ab2e8bdf32f9a4f798c358b4d18da11bcc16f8f063c4b9c200f8b4
  File size:  184,320 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\buzinat8.exe

 

TRAFFIC

URLS FROM THE WORD MACROS TO DOWNLOAD JAFF RANSOMWARE:

• brotexxshferrogd.net - GET /af/jhg6fgh
• datadunyasi.com - GET /jhg6fgh
• dewatch.de - GET /jhg6fgh
• electua.org - GET /jhg6fgh
• essensworld.cz - GET /jhg6fgh
• everstruct.com.au - GET /jhg6fgh
• f1toh1.com - GET /jhg6fgh
• herrossoidffr6644qa.top - GET /af/jhg6fgh
• joesrv.com - GET /jhg6fgh
• knowyourmarketing.com - GET /jhg6fgh
• pattumalamatha.com - GET /jhg6fgh
• primary-ls.ru - GET /jhg6fgh
• tayangfood.com - GET /jhg6fgh
• tipografia.by - GET /jhg6fgh
• way2lab.com - GET /jhg6fg

 

JAFF RANSOMWARE POST-INFECTION TRAFFIC:

• 217.29.63.199 port 80 trollitrancessions.net - GET /a5/
• rktazuzi7hbln7sy.onion - Tor domain for Jaff Decryptor (same as the last few times)

 

Traffic from the infection filtered in Wireshark.

 

HTTP request for the Jaff ransomware.

 

Post-infection traffic from the infected Windows host.

 

IMAGES

Shown above:  Desktop of an infected Windows host.

 

Shown above:  Going to the Jaff Decryptor.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcap:  2017-05-22-Jaff-ransomware-malspam-traffic.pcap.zip   147 kB (147,275 bytes)
• Zip archive of the spreadsheet tracker:  2017-05-22-Jaff-ransomware-malspam-tracker.csv.zip   1.4kB (1,440 bytes)
• Zip archive of the emails, malware, and artifacts:  2017-05-22-Jaff-ransomware-emails-and-artifacts.zip   2.4 MB (2,422,748 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.