2017-06-13 - JAFF RANSOMWARE INFECTION
NOTICE:
- The zip archives on this page have been updated, and they now use the new password scheme. For the new password, see the "about" page of this website.
ASSOCIATED FILES:
- 2017-06-13-Jaff-ransomware-infection-traffic.pcap.zip 15.6 kB (15,642 bytes)
- 2017-06-13-malspam-tracker-for-Jaff-ransomware.csv.zip 1.3 kB (1,266 bytes)
- 2017-06-13-Jaff-ransomware-emails-and-malware.zip 474.4 kB (474,438 bytes)
SOME TWEETS OR BLOG POSTS ABOUT TODAY'S #JAFF #RANSOMWARE MALSPAM:
- @peterkruse: Several active #Jaff #Ransomware C&C servers now hosted at: AS132203, Singapore Tencent Cloud Computing (beijing) Co. Ltd. (link)
- @tmmalanalyst: Jun-13,2017(JST). MalSpam attached ZIP file -> zip -> wsf. Infected #Jaff #ransomware. (link)
EMAILS
Shown above: An example of the emails.
10 EXAMPLES:
READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT NAME -- ZIP IN THE ZIP -- EXTRACTED .WSF FILE
- 2017-06-13 09:18:29 UTC -- NoReplyMailbox@geometric-design[.]com -- Invoice PIS1314074 -- invoicepis1314074.zip -- JPS8FFO1.zip -- JPS8FFO1.wsf
- 2017-06-13 09:38:17 UTC -- NoReplyMailbox@najmi[.]de -- Invoice PIS6680000 -- invoicepis6680000.zip -- OOJVFMYO2.zip -- OOJVFMYO2.wsf
- 2017-06-13 10:52:21 UTC -- NoReplyMailbox@karimlounes[.]com -- Invoice PIS5416591 -- invoicepis5416591.zip -- AXQ4CXPA.zip -- AXQ4CXPA.wsf
- 2017-06-13 12:32:24 UTC -- NoReplyMailbox@proteralabs[.]com -- Invoice PIS2233669 -- invoicepis2233669.zip -- FTOZTGYDZ.zip -- FTOZTGYDZ.wsf
- 2017-06-13 13:11:16 UTC -- NoReplyMailbox@coljohnt[.]com -- Invoice PIS2511038 -- invoicepis2511038.zip -- N82QC77I.zip -- N82QC77I.wsf
- 2017-06-13 13:16:07 UTC -- NoReplyMailbox@atomacon[.]org -- Invoice PIS1695072 -- invoicepis1695072.zip -- OEOOWNGE.zip -- OEOOWNGE.wsf
- 2017-06-13 13:29:52 UTC -- NoReplyMailbox@spedders.worldonline[.]co[.]uk -- Invoice PIS0413254 -- invoicepis0413254.zip -- JODUBWOOW.zip -- JODUBWOOW.wsf
- 2017-06-13 14:30:29 UTC -- NoReplyMailbox@lidercontab[.]com -- Invoice PIS2436728 -- invoicepis2436728.zip -- MTSUQM4J.zip -- MTSUQM4J.wsf
- 2017-06-13 15:13:59 UTC -- NoReplyMailbox@tornadowristbands[.]com -- Invoice PIS9587975 -- invoicepis9587975.zip -- HF4YIDIIL.zip -- HF4YIDIIL.wsf
- 2017-06-13 15:22:53 UTC -- NoReplyMailbox@benjaminandbanks[.]com -- Invoice PIS8938690 -- invoicepis8938690.zip -- B9UHRNO5.zip -- B9UHRNO5.wsf
MALWARE
Shown above: An example of the malware attached to the malspam.
SHA256 HASHES FOR THE ZIP ATTACHMENTS:
- 6643ae22814b118da4af55b365d62ba5c032b66e9717cde499c4e578d6fe3aa7 - invoicepis0413254.zip
- 8be825e2a658d5c23bf434cf4b52fd6c7d6b8ff7184274622b4fd1178e72d738 - invoicepis1314074.zip
- b8fce962dea3d0f76f020bc89402b69df272ed81569bdd302ace4ff4a054e0ac - invoicepis1695072.zip
- 7f7423a76c055116f55a424fb5fa03069a63db3d06b764bba057bb9678e95a32 - invoicepis2233669.zip
- b808ab2a7be1c153fb3511c5dff97a9cd1c645628933c545edf91001af52bdfe - invoicepis2436728.zip
- 5bc0649ae27083ba74eddd3d9f98cd1d1733cb1c1a5a1790f0fa979c0604db38 - invoicepis2511038.zip
- 62ff866da9576e2b178f6385465c45f4773ce37fcae0c101865d71d1c4500ea3 - invoicepis5416591.zip
- 0daffeae3bba397f66565872c0a97f436f23deac3e5d1ee1eb76d67006e1956e - invoicepis6680000.zip
- 51d30e6b11a2a1b0e963644d50bb43fc4ba58e4f5864c0999a69ad7001256b28 - invoicepis8938690.zip
- ff788450fff963c894cdc4eb909e7b59a2a4896c325d44164ccc9acc93122c00 - invoicepis9587975.zip
SHA256 HASHES FOR THE EXTRACTED .WSF FILES:
- 78559cb2823bcc6652ce6d5b9b4049b8b3a1147373d310f820ce6a943d107f9b - AXQ4CXPA.wsf
- 88fedc4d8bae75ff479f279d32c347b9fc46db34aad8548322e8b343b5f1f36d - B9UHRNO5.wsf
- 00055a1a81ca4522d0c849843dd82482beb0c0a11e077eab92ce29500e699ab5 - FTOZTGYDZ.wsf
- cf8236b8f144ccb425d031d2cf00aaedba438718eccf878ddf52c23c56c8ae2a - HF4YIDIIL.wsf
- e6e83f833b75e15437611c0b3ba0ff074861f47641e9807b9fd80cfcedc535e0 - JODUBWOOW.wsf
- 3bca60bc39b2477fe678c5ae42d3d9b3e6a4c841005e513544f18d82b5808fdd - JPS8FFO1.wsf
- 67cf8484de51cc971cea3b83abc6a1faf4eee5bed13fd1278a6c94382be8027e - MTSUQM4J.wsf
- be22ebcc446ca3c537256f14ae114bf4e2e2a131e8bbc153d6605a0e089493a9 - N82QC77I.wsf
- 07e014544fa7c3f6553dfb8ad82e0c83c7bbab5f60558fa3f64a70ea0d7cc1f1 - OEOOWNGE.wsf
- 4d581ef9c463ab6496d340335cec683833794b2efb1edde70a3c63726bcd008c - OOJVFMYO2.wsf
RANSOMWARE RETRIEVED FROM INFECTED HOST:
- SHA256 hash: 001268d7fad7806705b3710ccc8cfffb2c2cfb830a273d7a0f87a5fa6422b9f5
File size: 174,592 bytes
File description: Windows EXE for Jaff ransomware
TRAFFIC
URLS FROM THE .WSF FILES TO DOWNLOAD JAFF RANSOMWARE:
- 16892[.]net - GET /984hvxd?[short string of characters]
- 78tguyc876wwirglmltm[.]net - GET /af/984hvxd?[short string of characters]
- aarontax[.]com - GET /984hvxd?[short string of characters]
- abyzon[.]com - GET /984hvxd?[short string of characters]
- careermag[.]in - GET /984hvxd?[short string of characters]
- ciiltire[.]com - GET /984hvxd?[short string of characters]
- cinema-strasbourg[.]com - GET /984hvxd?[short string of characters]
- e67tfgc4uybfbnfmd[.]org - GET /af/984hvxd?[short string of characters]
- makkahhaj[.]com - GET /984hvxd?[short string of characters]
- mseconsultant[.]com - GET /984hvxd?[short string of characters]
- oscarbenson[.]com - GET /984hvxd?[short string of characters]
- qiyuner[.]com - GET /984hvxd?[short string of characters]
- scjjh[.]cn - GET /984hvxd?[short string of characters]
- sock[.]lt - GET /984hvxd?[short string of characters]
- speedgrow[.]com - GET /984hvxd?[short string of characters]
- yes2malaysia[.]com - GET /984hvxd?[short string of characters]
- zabandan[.]com - GET /984hvxd?[short string of characters]
- zebtex[.]com - GET /984hvxd?[short string of characters]
JAFF RANSOMWARE POST-INFECTION TRAFFIC:
- 119.28.98.205 port 80 - hv7verjdhfbvdd44f[.]info - GET /a5/
- rktazuzi7hbln7sy[.]onion - Tor domain for Jaff Decryptor [same Decryptor domain since Jaff first appeared on 2017-05-11]
Shown above: Traffic from the infection filtered in Wireshark.
Shown above: HTTP request for the Jaff ransomware.
Shown above: Post-infection traffic from the infected Windows host.
IMAGES
Shown above: Desktop of an infected Windows host.
Shown above: Going to the Jaff Decryptor.
Click here to return to the main page.