2017-05-25 - MALSPAM PUSHING JAFF RANSOMWARE FROM WORD DOCS IN PDF ATTACHMENTS

ASSOCIATED FILES:

• Zip archive of the pcap:  2017-05-25-Jaff-ransomware-malspam-traffic.pcap.zip   172 kB (172,168 bytes)
• Zip archive of the spreadsheet tracker:  2017-05-25-Jaff-ransomware-malspam-tracker.csv.zip   0.8 kB (807 bytes)
• Zip archive of the emails, malware, and artifacts:  2017-05-25-Jaff-ransomware-emails-and-artifacts.zip   856 kB (855,952 bytes)

NOTES:

• More information on this campaign can be found at: https://isc.sans.edu/forums/diary/Jaff+ransomware+gets+a+makeover/22446/

 

EMAIL

Shown above:  An example of the emails.

 

4 EMAIL EXAMPLES:

READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT NAME

• 2017-05-25 12:28:25 UTC -- donotreply@corepartners.co.uk -- Receipt_74332 -- 74332.pdf
• 2017-05-25 12:35:12 UTC -- donotreply@aero-media.co.uk -- Receipt#4163 -- 4163.pdf
• 2017-05-25 12:56:43 UTC -- donotreply@cukierman.com.br -- Payment 2317 -- 2317.pdf
• 2017-05-25 17:56:09 UTC -- donotreply@acmodels.worldonline.co.uk -- Receipt#4022 -- 4022.pdf

 

MALWARE

Shown above:  As usual, the PDF attachment contains an embedded Word document with malicious macros.

 

Shown above:  No marks today in the bottom half of the images in these Word documents.

 

SHA256 HASHES FOR THE PDF ATTACHMENTS:

• 0237ae2520a441751b224d56aa776ba3758d07073b5164c5174ea2e4990f8462 - 4163.pdf
• 0d33a0f086710c812794dc20c6057d422c74c582b6bb737b3c3ade0fd369c801 - 2317.pdf
• 454d5ec8cac7915ab1b02852007d28a65a5076fbc28e5b6ffbb6bca290596a9e - 4022.pdf
• 4f332611fe30a155fcd73aff87135035436196acbb8ccf219efdc8a3c3b7ae14 - 74332.pdf

SHA256 HASHES FOR THE EMBEDDED WORD DOCUMENTS:

• 549acec1f738a40d4097ba096ff2827bc76481b3f4dd73ef0fab437eb476be29 - U9P2HY9.doc
• 8abb70a36f99ee613f65535aeaaf28a3d0e79df7129110f4f9ef50833f664354 - NCVH2PL.doc
• 9383ade91f05af3f350831ac76ba218e42fc033964753e6db71c0fded5b0b832 - WXEVIR.doc
• c47090ad7c20f9cafee4e162985f6a2d8b60c4e3b3327d532e70a167b8a1a9e8 - W2X2PEW.doc

JAFF RANSOMWARE SAMPLE:

• SHA256 hash:  2cc1d8edc318e0e09aad6afbc48999980f8e39e54734bca4c1a95c7b5db39569
  File size:  217,088 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\bruhadson8.exe

 

TRAFFIC

URLS FROM THE WORD MACROS TO DOWNLOAD JAFF RANSOMWARE:

• better57toiuydof.net - GET /af/TrfHn4
• blackstoneconsultants.com - GET /TrfHn4
• derossigroup.it - GET /TrfHn4
• dianagaertner.com - GET /TrfHn4
• hunter.cz - GET /TrfHn4
• youtoolgrabeertorse.org - GET /af/TrfHn4

 

JAFF RANSOMWARE POST-INFECTION TRAFFIC:

• 34.225.214.20 port 80 dorobratiohdtyszxwk.com - GET /a5/
• rktazuzi7hbln7sy.onion - Tor domain for Jaff Decryptor (same as the last few times)

 

Traffic from the infection filtered in Wireshark.

 

HTTP request for the Jaff ransomware.

 

Post-infection traffic from the infected Windows host.

 

IMAGES

Shown above:  Desktop of an infected Windows host.

 

Shown above:  Going to the Jaff Decryptor.

 

FINAL NOTES

Once again, here are the associated files:

• Zip archive of the pcap:  2017-05-25-Jaff-ransomware-malspam-traffic.pcap.zip   172 kB (172,168 bytes)
• Zip archive of the spreadsheet tracker:  2017-05-25-Jaff-ransomware-malspam-tracker.csv.zip   0.8 kB (807 bytes)
• Zip archive of the emails, malware, and artifacts:  2017-05-25-Jaff-ransomware-emails-and-artifacts.zip   856 kB (855,952 bytes)

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.

Click here to return to the main page.