2017-05-11 - JUMPING ON THE JAFF RANSOMWARE BANDWAGON

ASSOCIATED FILES:

Zip archive of the pcap(s): 2017-05-11-Jaff-rasomware-from-phinamco.com.pcap.zip 141 kB (140,603 bytes)

Zip archive of the spreadsheet tracker: 2017-05-11-Jaff-ransomware-malspam-tracker.csv.zip 1.9 kB (1,898 bytes)

Zip archive of the emails and malware: 2017-05-11-Jaff-ransomare-emails-and-artifacts.zip 3.9 MB (3,853,752 bytes)

NOTES:

Seems like everyone and their mother has posted information about the new Jaff ransomware that appeared today. I'm just jumping on the bandwagon.

It's the same type of malspam we've seen before with PDF attachments --> embedded Word documents (with malicious macros) --> follow-up malware.

Below are the blogs I've personally posted about it here at malware-traffic-analysis.net:

EMAILS



Shown above: Screenshot of spreadsheet tracker.



Shown above: Two examples of these emails.

DATES/TIMES:

Thursday 2017-05-11 as early as 11:17 UTC through at least 15:07 UTC

EXAMPLES OF SENDING ADDRESSESS (ALL SPOOFED):

From: Alfonzo <alfonzo.dadisman413@amyharrisphotos.com>

From: Andy <andy.markham3475@davidadambyrnes.com>

From: Bertie <bertie.kennan6057@layan.us>

From: Charmaine <charmaine.loud87@gazetadopantanal.com>

From: Essie <essie.potts417@ekoinfo.sk>

From: Frankie <frankie.cottingham84@artnieuws.nl>

From: Hyman <hyman.fenner0449@tahitivacations.co.nz>

From: Lorna <lorna.burnand592@usdairylab.com>

From: Marlin <marlin.lyman26@academyofdefensivedriving.org>

From: Marsha <marsha.waltham70@drama.ca>

From: May <may.dodshon719@catherinetrebble.com>

From: Mildred <mildred.nott23@photoklub-hinterthurgau.ch>

From: Nell <nell.hearne551@icookyoueat.com>

From: Pablo <pablo.depaoli950@filme-fasching.at>

From: Rigoberto <rigoberto.ridgway036@infosmith.ca>

From: Robert <robert.mouritsen155@qhbiocybernetics.com>

From: Robyn <robyn.plowman170@jarrodmac.com>

From: Staci <staci.tymm6395@schillingermusic.com>

From: Toney <toney.kenney4192@lumier.com>

From: Vera <vera.gutteridge200@denisbruyere.be>

EXAMPLES OF SUBJECT LINES:

Subject: Copy_0503747

Subject: Copy_0579

Subject: Copy_49974797

Subject: Copy_942925

Subject: Document_215823

Subject: Document_36405508

Subject: Document_3723485

Subject: Document_4538535

Subject: File_2267958

Subject: File_370319

Subject: File_47626490

Subject: File_8836444

Subject: PDF_57783

Subject: PDF_68239555

Subject: PDF_8231

Subject: PDF_9724363

Subject: Scan_15471085

Subject: Scan_28837148

Subject: Scan_29047111

Subject: Scan_7902

FILE NAME FOR ALL ATTACHMENTS:

nm.pdf [File attributes: PDF document, version 1.4]

MALWARE



Shown above: Opening the nm.pdf file provides a malicious Word document with macros.



Shown above: Macros from the embedded Word documents are designed to infect a Windows host with malware.

SHA256 HASHES OF PDF FILES ATTACHED TO THESE EMAILS:

0a265c366932405a3247508a1a1a65241681e9d698acf31c828f0b6c68a04be0 - nm.pdf

1100f0d5e11ef9177c6b45b58999f86a2f1451668721ae6b2e73135cf3e487c8 - nm.pdf

235b8bf934ba5a562a7f47e8f622092ef6492bab644eb9a0b63f1aa9cb685d84 - nm.pdf

3028117d9773d4f978abd6ac6d14f17593e69297efec757104c4098ea5ad1768 - nm.pdf

358a6decd42df41c0234e5f14f5ad572e4da50ee030b8a9569821f4ffb6c8cd3 - nm.pdf

372adf1cdf70c716da09c5b2aa2ab1f3d48a6e3d1a7a969eb847d6562e0e0a3b - nm.pdf

3b7cd88cf3acb5e617b5bfdaab43413e96147393dc6fae264a8ca361381344c9 - nm.pdf

3e4bd555d5eb34cf3b79d21ab7788c9cf3c6be3eccff48655c265e31dceaf599 - nm.pdf

47e81d1de081e4e435bdbdd0df2857055fffdf749ddf7c1bb1f2e0040241724f - nm.pdf

57bfe19f9615f026765825689cdc26725f4f24f23123bdcc35aeddbdc5274fc4 - nm.pdf

6c4c5a1500a014aba0b5a01193abe9dd22c960028fa77ab9f3f8a678ad42dd03 - nm.pdf

8a3070bf1c86dfa86650e717c2d466f62ff253f28797a42bff819ed17571cbb0 - nm.pdf

ac5c2c47c4cf28ee8336a51ed33eec40ef76b7990691f23eade0b240cd61c40b - nm.pdf

ad454b174bc2d2903fc3063da2c918daf9c2bb9ffa1e13f6db42ad82f549cefe - nm.pdf

b0f475e09e82891cbcd6c2a823000161191ea6d899f9d610f508ab26dee59584 - nm.pdf

c3cf407f5c6269d79aef3f2e8bcf296a325fa067aa1af3f44c6e53189f66e111 - nm.pdf

eb41eb3aa7d96ceebefa633cb519fae84ca66dd434cf3303576e9aff86a02f61 - nm.pdf

f712e08b8020c5a0615a0f128ea9a891d2d45deafe7446c11f9227bd77dd28b3 - nm.pdf

SHA256 HASHES OF MALICIOUS WORD DOCUMENTS EMBEDDED IN THE ABOVE PDF FILES:

1b33cc35011ddee5766342ba26f9964712f6531c6c057138890e36a58404d5b0 - OASOC.docm

20c7800aa15b5d378ff3b39e9c901dc68a12489a4a1800a6ec9b59f16ba1bafc - VRAQJFN.docm

219485c2dd60f9cb70a1c787802551f77e6cb1b421568372d425ffa49772fca8 - UG6F2EG.docm

29c027a3386083974b6dbf51d1e0c2e3f89b78c44bda350a543af4c5a813f456 - R5ZWWKW.docm

2efcffff5c144f8397da3df815f15145a0600a85a612ede9e0ae6846b7bf5388 - KJBXFNG.docm

4792532defb4431aa399f649a3e443a62f062e4a99458c7ee240c2ae5d6716f4 - DAM869G7.docm

517b9cb82b4d4e7e8af5ec96cc832bcd0ec6d1203bc8046c8e3d546e3b283e65 - NFSX8YGD.docm

59959df33f904f32046e4f79830f574862e8fe9edae75f88f91064bebb5f4d8c - UOX22.docm

59be1462a0d8fe2dcb88f6174e9d671bba7d8969a46dc5f566e006acec4df671 - YVFUI6ANI.docm

641b2ad3d345b97a8c92d152bb3f9b4b8a98af41ce3d1a9454fb804cce8f26dc - W7NXLMV.docm

6d31108908dc891f1c784831acfc69c5da65d982d8928da5ccfd0b15351aa3db - KUM1PQ.docm

6e7ff200d849d8594ddb72d4840daefa78d0d025f28d26c6c96f2eaccfba19ba - GCWJ9Z.docm

713e492aa212eb265de9dfc1d615dd57940aa3bde5293aef15165da027e28d3c - OWZGY.docm

7c550b82d112e065890a8e7efe862832b32cfeeb4f6a9ce85151525147a7cb9d - JXMDE8A.docm

9e441538b51c24f8f1e32411a52b58c1aaf6a591e96b5a17eebd3550da185baf - CAFZIVO.docm

aa576e4bd47c41c783a20b41920601bfe092dd10ec262917e50b363eb132f958 - KFIG8EHN.docm

b6c2f3466a76a56d0e0a373130e6f147fa1e11a0faa9f146d3418b4c477fc7ea - BMBU5E.docm

c20562703066886685e5980ebc9f94499f9a152e628777f15592e4092348b9e8 - XQHPYQ.docm

JAFF RANSOMWARE SAMPLE DOWNLOADED BY ONE OF THE WORD DOCUMENTS:

SHA256 hash: 1be07198c324c9732d4e2676945ec021eeacd78775aea2100f49ca0483d3f901

File size: 155,648 bytes

File location: C:\Users\[username]\AppData\Loca\Temp\pitupi20.exe

TRAFFIC

URLS FROM THE WORD MACROS TO DOWNLOAD JAFF RANSOMWARE:

5hdnnd74fffrottd.com - GET /af/f87346b

- GET /af/f87346b babil117.com - GET /f87346b

- GET /f87346b boaevents.com - GET /f87346b

- GET /f87346b byydei74fg43ff4f.net - GET /af/f87346b

- GET /af/f87346b easysupport.us - GET /f87346b

- GET /f87346b edluke.com - GET /f87346b

- GET /f87346b julian-g.ro - GET /f87346b

- GET /f87346b phinamco.com - GET /f87346b

- GET /f87346b takanashi.jp - GET /f87346b

- GET /f87346b techno-kar.ru - GET /f87346b

- GET /f87346b tending.info - GET /f87346b

- GET /f87346b tiskr.com - GET /f87346b

- GET /f87346b trans-atm.com - GET /f87346b

- GET /f87346b trialinsider.com - GET /f87346b

- GET /f87346b vscard.net - GET /f87346b

- GET /f87346b wipersdirect.com - GET /f87346b

JAFF RANSOMWARE POST-INFECTION TRAFFIC:

???? port 80 - fkksjobnn43.org - GET /a5/

- GET /a5/ rktazuzi7hbln7sy.onion - Tor domain for Jaff Decryptor



fkksjobnn43.org didn't resolve in DNS, so I edited the Windows hosts file to get an HTTP request.

IMAGES



Shown above: Desktop of an infected Windows host.



Shown above: Going to the Jaff Decryptor. Why is "jaff decryptor" in lower-case letters?



Shown above: Wonder what the exchange rate was when they calcuated the bitcoin amount for their ransom.

FINAL NOTES

Once again, here are the associated files:

Zip archive of the pcap(s): 2017-05-11-Jaff-rasomware-from-phinamco.com.pcap.zip 141 kB (140,603 bytes)

Zip archive of the spreadsheet tracker: 2017-05-11-Jaff-ransomware-malspam-tracker.csv.zip 1.9 kB (1,898 bytes)

Zip archive of the emails and malware: 2017-05-11-Jaff-ransomare-emails-and-artifacts.zip 3.9 MB (3,853,752 bytes)

ZIP files are password-protected with the standard password. If you don't know it, look at the "about" page of this website.

Click here to return to the main page.