2017-06-06 - JAFF RANSOMWARE INFECTION
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-06-06-Jaff-ransomware-infection-traffic.pcap.zip 157.8 kB (156,795 bytes)
- 2017-06-06-Jaff-ransomware-malspam-tracker.csv.zip 1.3 kB (1,280 bytes)
- 2017-06-06-Jaff-ransomware-emails-and-malware.zip 1.7 MB (1,686,375 bytes)
SOME TWITTER ACCOUNTS THAT TWEETED ABOUT TODAY'S #JAFF #RANSOMWARE MALSPAM:
- @coldshell
- @_operations6_
- @siri_urz
- @tmmalanalyst
EMAILS
10 EXAMPLES:
READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT NAME
- 2017-06-06 13:30:25 UTC -- "Allyson fairlie" <Allyson@laurastempel[.]com> -- Order -- MX-2310U_20170606_180025.pdf
- 2017-06-06 13:43:59 UTC -- "James milson" <James@sciontario[.]org> -- Order -- MX-2310U_20170606_204359.pdf
- 2017-06-06 13:44:14 UTC -- "Kasey connell" <Kasey@leemontessori[.]org> -- Order -- MX-2310U_20170606_191414.pdf
- 2017-06-06 13:49:11 UTC -- "Wilbur mirfield" <Wilbur@angeltoursrome[.]com> -- Order -- MX-2310U_20170606_154911.pdf
- 2017-06-06 13:53:53 UTC -- "Efren jess" <Efren@computerdans[.]com> -- Order -- MX-2310U_20170606_192353.pdf
- 2017-06-06 13:54:12 UTC -- "Chester charlton" <Chester@tttimes[.]com> -- Order -- MX-2310U_20170606_182412.pdf
- 2017-06-06 13:58:25 UTC -- "Willis franks" <Willis@maleahjacobs[.]com> -- Order -- MX-2310U_20170606_105825.pdf
- 2017-06-06 13:58:53 UTC -- "Harriett fulcher" <Harriett@murnow[.]com> -- Order -- MX-2310U_20170606_105853.pdf
- 2017-06-06 13:59:13 UTC -- "Val greg" <Val@partidopatriota[.]com> -- Order -- MX-2310U_20170606_205913.pdf
- 2017-06-06 13:59:16 UTC -- "Juliana massey" <Juliana@thetextileprintroom[.]org> -- Order -- MX-2310U_20170606_105916.pdf
MALWARE
SHA256 HASHES FOR THE PDF ATTACHMENTS:
- 3d42c848fca91239bbf1e922943c6466aa44be43ebf7ca0ebcab59bb2e27eb38
- 49ac12934894982da7654a10e8d5cc3f5df500f7bde58481cce63f8b1ce5d969
- 4e781c648bb0aa0b1d41b61932d4935b3b5d0c9473d13a1b6a1cf4d8ff85e14a
- 5be7c72e40d26e2df89d3aa0d590bb5af51248e4cab27dde444dec4d1e76364c
- 8db8b32eaca86182497b83614e15c0693ed6a4d42443e0cdb779c5d6035633f4
- b6727793ddc9c4ac6baf600834b38b54de23628b3bec631cfb6705c6fecabf2e
- c8fb245c25e7091489f26c538658637f9bfb82a5434282690aebe99015b42070
- f8a75a98f671644d6ee626a8920b41e4843f018b479ec82a090d01a8986b70d5
SHA256 HASHES FOR THE EMBEDDED WORD DOCUMENTS:
- 1b5882d4a1feaa522ebbf056b5e25885511a979204f570bd54853d8f343ae6e9
- 308c2b5fa10c32adbfc4d878b864a9daefbdca679ad5b2016a311476caea0e9a
- 48c89d083f6a73cf48b6c345e1ff20671a944e9905d95a50f8aa865e74e175c1
- 691f30943872f5a1037d774942f4e41141bdd3f12c5b78d3dc7bdf9f0471a349
- 813d2d846de303fd5231b43a69102c54936d8e4649aa25263d6287faac806fd7
- a57c3a2c291048a7b8968f81fb24aeb91f6c50130665389115ea9abc0506180b
- e77f5822dfaedae8a44ff1f77c5f074c6fb4e6492d8a7debcddb1629bcd02323
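The PDF attachments carry the Word documents as PDF embedded files, which is why both sets of hashes are listed above. The script below is an added triage example and is not code from the original page or from the Jaff authors: it walks a PDF's stream objects, keeps only those whose dictionary declares /Type /EmbeddedFile, inflates FlateDecode'd streams with the standard library, and reports each payload's SHA256, size, container type and whether a "word/vbaProject.bin" entry (the OOXML macro container) is named inside it. The sample PDF, its "Order.docm" attachment name and the fake docm payload are constructed inline so the script runs offline; they are not the attachments hashed above. Run it against a real attachment and the reported SHA256 is the value to compare with the embedded-document hashes listed above.

```python
"""Triage a PDF attachment for an embedded Word document (added example)."""
import hashlib
import re
import zlib

# A PDF stream: the keyword, an EOL, the body, an EOL, then "endstream".
# Regex-based rather than /Length-based on purpose: it survives the slightly
# malformed PDFs that malspam tends to carry.
_STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
_EMBEDDED_RE = re.compile(rb"/Type\s*/EmbeddedFile\b")
_FILESPEC_NAME_RE = re.compile(rb"/Type\s*/Filespec[^>]*?/F\s*\(([^)]*)\)")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def classify(data: bytes) -> str:
    """Cheap magic-byte check on the inflated payload."""
    if data.startswith(b"PK\x03\x04"):
        return "zip/OOXML"          # .docm/.docx are ZIP containers
    if data.startswith(b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"):
        return "OLE2"               # legacy .doc
    if data.startswith(b"%PDF"):
        return "pdf"
    return "unknown"


def embedded_filenames(pdf: bytes) -> list:
    """Names the PDF advertises for its attachments (Filespec /F entries)."""
    return [n.decode("latin-1") for n in _FILESPEC_NAME_RE.findall(pdf)]


def extract_embedded_files(pdf: bytes) -> list:
    """Return one record per /EmbeddedFile stream found in the PDF."""
    results = []
    for m in _STREAM_RE.finditer(pdf):
        head = pdf[: m.start()]
        # The stream's own dictionary sits between the last "obj" keyword and
        # the "stream" keyword; only that text decides the stream's type.
        idx = head.rfind(b" obj")
        dict_text = head[idx:] if idx >= 0 else head
        if not _EMBEDDED_RE.search(dict_text):
            continue
        body = m.group(1)
        if b"/FlateDecode" in dict_text:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                results.append({"kind": "undecodable", "size": len(body),
                                "sha256": sha256_hex(body), "macro_hint": False})
                continue
        results.append({
            "kind": classify(body),
            "size": len(body),
            "sha256": sha256_hex(body),
            # ZIP entry names are stored uncompressed, so the macro container's
            # name is visible even though its contents are deflated.
            "macro_hint": b"word/vbaProject.bin" in body,
        })
    return results


# ---- constructed sample input (not a real attachment) ----------------------
SAMPLE_DOCM = (
    b"PK\x03\x04\x14\x00\x06\x00\x08\x00" + b"\x00" * 16
    + b"[Content_Types].xml" + b"\x00" * 32
    + b"PK\x03\x04\x14\x00\x06\x00\x08\x00" + b"\x00" * 16
    + b"word/vbaProject.bin" + b"\x00" * 32
    + b"PK\x05\x06" + b"\x00" * 18
)


def build_sample_pdf(payload: bytes, corrupt_stream: bool = False) -> bytes:
    """Minimal PDF with one ordinary content stream and one embedded file."""
    data = b"not-deflate-data" if corrupt_stream else zlib.compress(payload)
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R"
        b" /Names << /EmbeddedFiles << /Names [(Order.docm) 4 0 R] >> >> >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n",
        b"3 0 obj\n<< /Length 9 >>\nstream\nBT ET q Q\nendstream\nendobj\n",
        b"4 0 obj\n<< /Type /Filespec /F (Order.docm) /EF << /F 5 0 R >> >>\nendobj\n",
        b"5 0 obj\n<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n"
        % len(data),
        data,
        b"\nendstream\nendobj\n",
        b"trailer\n<< /Root 1 0 R >>\n%%EOF\n",
    ])


if __name__ == "__main__":
    pdf = build_sample_pdf(SAMPLE_DOCM)
    print("advertised names:", embedded_filenames(pdf))
    for rec in extract_embedded_files(pdf):
        print(rec)
```

The "macro_hint" flag is only a hint: it tells you the container names a VBA project, not what the macros do. Hand the inflated payload to a macro extractor (or detonate it) for the download URLs, and treat a stream that fails to inflate as suspicious rather than harmless, since malformed filters are a common way to trip up PDF parsers.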
RANSOMWARE RETRIEVED FROM INFECTED HOST:
- SHA256 hash: 3377cbe4f2618e65f778d029e654a4cf07537c6cfb6b87c668ba2882d9bb4b44
File size: 233,472 bytes
File location: C:\Users\[username]\AppData\Local\Temp\miniramon8.exe
File description: Jaff ransomware
TRAFFIC
URLS FROM THE WORD MACROS TO DOWNLOAD JAFF RANSOMWARE:
- 10minutesto1[.]net - GET /jt7677g6
- cafe-bg[.]com - GET /jt7677g6
- community-gaming[.]de - GET /jt7677g6
- cor-huizer[.]nl - GET /jt7677g6
- essentialnulidtro[.]com - GET /af/jt7677g6
- lcpinternational[.]fr - GET /jt7677g6
- luxurious-ss[.]com - GET /jt7677g6
- makh[.]ch - GET /jt7677g6
- myinti[.]com - GET /jt7677g6
- mymobimarketing[.]com - GET /jt7677g6
- oneby1[.]jp - GET /jt7677g6
- seoulhome[.]net - GET /jt7677g6
- sextoygay[.]be - GET /jt7677g6
- squidincdirect[.]com[.]au - GET /jt7677g6
- studyonazar[.]com - GET /jt7677g6
- supplementsandfitness[.]com - GET /jt7677g6
- zechsal[.]pl - GET /jt7677g6
JAFF RANSOMWARE POST-INFECTION TRAFFIC:
- 198.105.244[.]228 port 80 whoisfoxxrobiouy[.]net - GET /a5/ [same domain as last time on 2017-06-01, but different IP address]
- rktazuzi7hbln7sy[.]onion - Tor domain for Jaff Decryptor [same as the last few times]
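The seventeen download hosts above all serve the same path (/jt7677g6, once behind an /af/ prefix), so the path is the durable indicator and the host list is only today's snapshot of compromised sites; the /a5/ check-in to whoisfoxxrobiouy[.]net then confirms the payload actually ran. The script below is an added example, not code from the original page: it parses web-proxy log lines, tags download and check-in hits using the indicators listed on this page, and gives each client a verdict from the order and timing of those hits. The log format (ISO-8601 time, client IP, method, URL, HTTP status), the client IPs, the unlisted host "not-on-the-list.example" and the 30-minute check-in window are all constructed or assumed; the log is not derived from the pcap on this page.

```python
"""Correlate proxy-log hits against the Jaff indicators (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# The same path token appears on all 17 download hosts on this page, with or
# without an /af/ prefix, so match the path on any host and merely label
# whether the host is one already listed.
DOWNLOAD_PATH_RE = re.compile(r"^/(?:af/)?jt7677g6$")
KNOWN_DOWNLOAD_HOSTS = {
    "10minutesto1.net", "cafe-bg.com", "community-gaming.de", "cor-huizer.nl",
    "essentialnulidtro.com", "lcpinternational.fr", "luxurious-ss.com",
    "makh.ch", "myinti.com", "mymobimarketing.com", "oneby1.jp",
    "seoulhome.net", "sextoygay.be", "squidincdirect.com.au",
    "studyonazar.com", "supplementsandfitness.com", "zechsal.pl",
}
C2_HOSTS = {"whoisfoxxrobiouy.net", "198.105.244.228"}
C2_PATH = "/a5/"
# How long after a successful payload download a check-in still counts as the
# same infection. Assumed value; tune it to your environment.
CHECKIN_WINDOW = timedelta(minutes=30)


@dataclass
class Hit:
    ts: datetime
    client: str
    host: str
    path: str
    status: int
    stage: str        # "download" or "checkin"
    known_host: bool  # host appears on this page's indicator lists


def classify_line(line: str):
    """Parse one log line; return a Hit for Jaff traffic, else None."""
    ts, client, _method, url, status = line.split()
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    if DOWNLOAD_PATH_RE.match(path):
        return Hit(when, client, host, path, int(status), "download",
                   host in KNOWN_DOWNLOAD_HOSTS)
    if host in C2_HOSTS and path == C2_PATH:
        return Hit(when, client, host, path, int(status), "checkin", True)
    return None


def parse_log(text: str) -> list:
    lines = (l for l in text.splitlines() if l.strip())
    return [h for h in (classify_line(l) for l in lines) if h]


def correlate(hits, window=CHECKIN_WINDOW) -> dict:
    """One verdict per client, from the order and timing of its hits."""
    by_client = defaultdict(list)
    for h in hits:
        by_client[h.client].append(h)
    verdicts = {}
    for client, events in by_client.items():
        events.sort(key=lambda h: h.ts)
        downloads = [h for h in events if h.stage == "download"]
        fetched = [h for h in downloads if h.status == 200]
        checkins = [h for h in events if h.stage == "checkin"]
        if any(d.ts <= c.ts <= d.ts + window for d in fetched for c in checkins):
            verdicts[client] = "infected"         # payload fetched, then phoned home
        elif checkins:
            verdicts[client] = "checkin-only"     # download not seen: other egress path?
        elif fetched:
            verdicts[client] = "download-only"    # fetched but no beacon: blocked or sandboxed?
        else:
            verdicts[client] = "download-failed"  # macro ran, but the site did not serve it
    return verdicts


# ---- constructed sample log (not taken from the pcap on this page) ---------
SAMPLE_LOG = """\
2017-06-06T13:35:02Z 10.6.6.101 GET http://makh.ch/jt7677g6 200
2017-06-06T13:35:09Z 10.6.6.101 GET http://whoisfoxxrobiouy.net/a5/ 200
2017-06-06T13:41:50Z 10.6.6.102 GET http://not-on-the-list.example/af/jt7677g6 200
2017-06-06T13:42:17Z 10.6.6.103 GET http://www.example.org/news/index.html 200
2017-06-06T14:05:30Z 10.6.6.104 GET http://whoisfoxxrobiouy.net/a5/ 200
2017-06-06T14:10:00Z 10.6.6.105 GET http://cafe-bg.com/jt7677g6 404
"""

if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    for h in hits:
        print(h.ts.isoformat(), h.client, h.stage, h.host + h.path,
              "(known host)" if h.known_host else "(NEW host)")
    for client, verdict in sorted(correlate(hits).items()):
        print(client, "->", verdict)
```

A "download-only" verdict is the one worth chasing first: the host fetched 233 KB from a compromised site and then went quiet, which is what a blocked or sinkholed check-in looks like from the proxy, and the file should still be sitting in that user's Temp directory. A hit on a host that is not in the known list is not a false positive; it is the next compromised site to add to the list.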