2017-06-13 - MALSPAM PUSHING JAFF RANSOMWARE FROM .WSF FILES

ASSOCIATED FILES:


SOME TWEETS OR BLOG POSTS ABOUT TODAY'S #JAFF #RANSOMWARE MALSPAM:


EMAILS


Shown above:  An example of the emails.


10 EXAMPLES:

READ: DATE/TIME -- SENDING ADDRESS (SPOOFED) -- SUBJECT -- ATTACHMENT NAME -- ZIP IN THE ZIP -- EXTRACTED .WSF FILE


MALWARE


Shown above:  An example of the malware attached to the malspam.


SHA256 HASHES FOR THE ZIP ATTACHMENTS:


SHA256 HASHES FOR THE EXTRACTED .WSF FILES:


RANSOMWARE RETRIEVED FROM INFECTED HOST:


TRAFFIC

URLS FROM THE .WSF FILES TO DOWNLOAD JAFF RANSOMWARE:


JAFF RANSOMWARE POST-INFECTION TRAFFIC:



Shown above:  Traffic from the infection filtered in Wireshark.



Shown above:  HTTP request for the Jaff ransomware.



Shown above:  Post-infection traffic from the infected Windows host.


IMAGES


Shown above:  Desktop of an infected Windows host.



Shown above:  Going to the Jaff Decryptor.


FINAL NOTES

Once again, here are the associated files:

ZIP files are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
