2017-06-01 - JAFF RANSOMWARE INFECTION

NOTICE:

• The zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the "about" page of this website.

ASSOCIATED FILES:

• 2017-06-01-Jaff-ransomware-infection-traffic.pcap.zip   213.4 kB (213,391 bytes)
• 2017-06-01-Jaff-ransomware-malspam-tracker.csv.zip   0.8 kB (837 bytes)
• 2017-06-01-Jaff-ransomware-emails-and-malware.zip   823.0 kB (823,019 bytes)

NOTES:

• More information on this campaign can be found at: https://isc.sans.edu/forums/diary/Jaff+ransomware+gets+a+makeover/22446/

 

EMAIL

Shown above:  An example of the emails.

 

4 EMAIL EXAMPLES:

READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT

• 2017-06-01 20:33:42 UTC -- "Lorene" <Lorene.1011@[recipient's email domain]> -- 35418461.pdf
• 2017-06-01 20:36:36 UTC -- "Marcos" <Marcos.7077@[recipient's email domain]> -- 77586054.pdf
• 2017-06-01 20:39:17 UTC -- "Ana" <Ana.0770@[recipient's email domain]> -- 79443215.pdf
• 2017-06-01 21:04:17 UTC -- "Jami" <Jami.3269@[recipient's email domain]> -- 41021119.pdf

 

MALWARE

Shown above:  As usual, the PDF attachment contains an embedded Word document with malicious macros.

 

Shown above:  No marks today in the bottom half of the images in these Word documents.

 

SHA256 HASHES FOR THE PDF ATTACHMENTS:

• 2ac01c6385135cc695abdf4e9e34d7618a7e0b81285e1f3123df54a9572982fd - 79443215.pdf
• 753550a1aa18b506693af9e1dd3af81de174cd88e820a7c87e9a8474456d3deb - 77586054.pdf
• 7cf89ac46a7bfcb8657c8b7bfa9f39c5396ec62ef9e86416f4780138c72e9040 - 41021119.pdf
• 81ef38b0fb7c395c05f593847074021743b4b2a4b1b45478e25cf64194a67aef - 35418461.pdf

SHA256 HASHES FOR THE EMBEDDED WORD DOCUMENTS:

• 5db77f4e40f002917e99670f23976d883e67b17cffbba0b5801328b6c49c81f8 - YLRZLH.doc
• 830de9a72c138440482d0b7049f8d1a4de4906574043e721cd7d1487f2de2100 - XKDQK1N.doc
• 990ec28dd5d11e294910e2ed1e7bae6cc57272af402d6bf7bd3db9fd5dc89c3a - FXCHG1Y.doc
• b4304a0346bae39f2e158d2ad404f8b45aba2640fd903b26c5d6ca07ea9611ff - YVQEG23K.doc

JAFF RANSOMWARE SAMPLE:

• SHA256 hash:  824901dd0b1660f00c3406cb888118c8a10f66e3258b5020f7ea289434618b13
  File size:  251,904 bytes
  File location:  C:\Users\[username]\AppData\Local\Temp\bruhadson8.exe

 

TRAFFIC

URLS FROM THE WORD MACROS TO DOWNLOAD JAFF RANSOMWARE:

• dsopro[.]com - GET /7rvmnb
• fabriquekorea[.]com - GET /7rvmnb
• katoconsulting[.]ro - GET /7rvmnb
• newserniggrofg[.]net - GET /af/7rvmnb
• praktikum-marketing[.]de - GET /7rvmnb
• resevesssetornument[.]com - GET /af/7rvmnb
• tasfirin-ustasi[.]net - GET /7rvmnb
• theexcelconsultant[.]com - GET /7rvmnb

 

JAFF RANSOMWARE POST-INFECTION TRAFFIC:

• 5.101.66[.]85 port 80 whoisfoxxrobiouy[.]net - GET /a5/
• rktazuzi7hbln7sy[.]onion - Tor domain for Jaff Decryptor (same as the last few times)

 

Shown above:  Traffic from the infection filtered in Wireshark.

 

Shown above:  HTTP request for the Jaff ransomware.

 

Shown above:  Post-infection traffic from the infected Windows host.

 

IMAGES

Shown above:  Desktop of an infected Windows host.

 

Shown above:  Going to the Jaff Decryptor.

 

Click here to return to the main page.