2017-05-25 - MALSPAM PUSHING JAFF RANSOMWARE FROM WORD DOCS IN PDF ATTACHMENTS

ASSOCIATED FILES:

NOTES:


EMAIL


Shown above:  An example of the emails.


4 EMAIL EXAMPLES:

READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT NAME


MALWARE


Shown above:  As usual, the PDF attachment contains an embedded Word document with malicious macros.
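The PDF-wrapping-a-Word-document trick described above is easy to triage without opening anything in Acrobat or Word. The script below is an added example, not code from this page or its author: a standard-library-only Python scanner that walks the raw objects of a PDF, pulls out every /EmbeddedFile stream, inflates it, computes the kind of SHA256 value this page lists for the embedded documents, and flags any payload that is a macro-enabled Office file (an OOXML zip carrying vbaProject.bin). When run without an argument it builds a stand-in PDF in memory; that sample and the file name sample.docm are constructed for the demonstration and are not one of the attachments from this campaign.

```python
import hashlib
import io
import re
import sys
import zipfile
import zlib

# Triage scanner, not a full PDF parser: it walks raw "N G obj ... endobj"
# blocks, which is enough for attachments built like the ones described above.
# Object streams and filters other than FlateDecode are out of scope.
OBJ_RE = re.compile(rb'(\d+)\s+(\d+)\s+obj\b(.*?)endobj', re.S)
EMBEDDED_FILE_RE = re.compile(rb'/Type\s*/EmbeddedFile\b')
FILESPEC_RE = re.compile(rb'/Type\s*/Filespec\b')
EF_RE = re.compile(rb'/EF\s*<<\s*/F\s+(\d+)\s+\d+\s+R')        # Filespec -> stream object
FNAME_RE = re.compile(rb'/(?:UF|F)\s*\((.*?)(?<!\\)\)')        # /F (name) or /UF (name)
LENGTH_RE = re.compile(rb'/Length\s+(\d+)\b(?!\s+\d+\s+R)')    # direct lengths only
FLATE_RE = re.compile(rb'/Filter\s*\[?\s*/FlateDecode\b')
STREAM_RE = re.compile(rb'\bstream\r?\n')                      # \b keeps "endstream" out


def _split_stream(body):
    """Return (dictionary, raw stream bytes) for an object that has a stream, else None."""
    m = STREAM_RE.search(body)
    if not m:
        return None
    head, start = body[:m.start()], m.end()
    lm = LENGTH_RE.search(head)
    if lm:
        return head, body[start:start + int(lm.group(1))]
    end = body.rfind(b'endstream')      # no direct /Length: fall back to the keyword
    return (head, body[start:end].rstrip(b'\r\n')) if end != -1 else None


def _decode(head, raw):
    """Undo FlateDecode; a truncated stream still yields its intact prefix."""
    if not FLATE_RE.search(head):
        return raw
    try:
        return zlib.decompressobj().decompress(raw)   # tolerant of a missing trailer
    except zlib.error:
        return raw


def has_vba_project(blob):
    """True if blob is an OOXML zip (docm, dotm, xlsm, ...) carrying a VBA project."""
    if not blob.startswith(b'PK\x03\x04'):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as z:
            return any(n.lower().endswith('vbaproject.bin') for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def extract_embedded_files(pdf):
    """Find every /EmbeddedFile stream, inflate it and describe it for triage."""
    names, streams = {}, []
    for m in OBJ_RE.finditer(pdf):
        num, body = int(m.group(1)), m.group(3)
        if FILESPEC_RE.search(body):            # remember the file name the PDF advertises
            ef, fn = EF_RE.search(body), FNAME_RE.search(body)
            if ef and fn:
                names[int(ef.group(1))] = fn.group(1).decode('latin-1')
        elif EMBEDDED_FILE_RE.search(body):
            streams.append((num, body))
    found = []
    for num, body in streams:
        parts = _split_stream(body)
        if parts is None:
            continue
        data = _decode(*parts)
        found.append({'object': num, 'name': names.get(num, 'obj%d.bin' % num),
                      'sha256': hashlib.sha256(data).hexdigest(),
                      'macro': has_vba_project(data), 'data': data})
    return found


def build_sample_pdf():
    """Constructed stand-in for an attachment (no real sample is included here):
    a minimal PDF whose single embedded file is a fake macro-enabled .docm."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w', zipfile.ZIP_DEFLATED) as z:
        z.writestr('[Content_Types].xml', '<Types/>')
        z.writestr('word/vbaProject.bin', b'\xd0\xcf\x11\xe0' + b'\0' * 64)   # OLE2 magic
    packed = zlib.compress(buf.getvalue())
    objs = [
        b'<< /Type /Catalog /Names << /EmbeddedFiles << /Names [(sample.docm) 2 0 R] >> >> >>',
        b'<< /Type /Filespec /F (sample.docm) /EF << /F 3 0 R >> >>',
        b'<< /Type /EmbeddedFile /Filter /FlateDecode /Length %d >>\nstream\n' % len(packed)
        + packed + b'\nendstream',
    ]
    out = b'%PDF-1.7\n'
    for i, obj in enumerate(objs, 1):
        out += b'%d 0 obj\n' % i + obj + b'\nendobj\n'
    return out + b'trailer\n<< /Root 1 0 R >>\n%%EOF\n'


if __name__ == '__main__':
    pdf = open(sys.argv[1], 'rb').read() if len(sys.argv) > 1 else build_sample_pdf()
    for item in extract_embedded_files(pdf):
        print(f"obj {item['object']}  {item['name']}  {len(item['data'])} bytes  "
              f"sha256={item['sha256']}" + ('  MACRO-ENABLED' if item['macro'] else ''))
```

Run it as `python pdf_embedded.py attachment.pdf` against a real attachment (file name assumed); the `data` field of each result can be written to disk for further analysis, for example with oletools. Because it only understands direct /Length values and FlateDecode, a PDF that hides its embedded file inside an object stream or behind another filter needs a full parser such as pdf-parser.py or peepdf instead; the point of the script is a fast first pass that hashes and flags the dropper without rendering the PDF.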

 


Shown above:  Today's Word documents have no marks in the bottom half of their images.


SHA256 HASHES FOR THE PDF ATTACHMENTS:

SHA256 HASHES FOR THE EMBEDDED WORD DOCUMENTS:

JAFF RANSOMWARE SAMPLE:


TRAFFIC

URLS FROM THE WORD MACROS TO DOWNLOAD JAFF RANSOMWARE:


JAFF RANSOMWARE POST-INFECTION TRAFFIC:



Shown above:  Traffic from the infection filtered in Wireshark.



Shown above:  HTTP request for the Jaff ransomware.



Shown above:  Post-infection traffic from the infected Windows host.


IMAGES


Shown above:  Desktop of an infected Windows host.



Shown above:  Going to the Jaff Decryptor.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
