{"id":1107,"date":"2024-08-29T02:02:33","date_gmt":"2024-08-29T02:02:33","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=1107"},"modified":"2025-07-28T13:37:56","modified_gmt":"2025-07-28T13:37:56","slug":"jaff-ransomware-one-more-blossom-in-2017s-ransomware-spring","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/jaff-ransomware-one-more-blossom-in-2017s-ransomware-spring\/","title":{"rendered":"JAFF Ransomware \u2013 one more blossom in \u2018Ransomware Spring\u2019"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img fetchpriority=\"high\" decoding=\"async\" width=\"424\" height=\"318\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/jaff-rsware-blossom-spring_featured-image.jpg\" alt=\"\" class=\"wp-image-1115\" style=\"width:560px;height:auto\"\/><\/figure>\n<\/div>\n\n\n<p>Jaff ransomware was first discovered around spring of 2017, but it was largely neglected by the security community as that was the same time that WannaCry was the lead story covered by the press. Since then Jaff ransomware has lurked in the shadows while infecting machines worldwide. In this LMNTRIX Labs analysis, we will look into some of the common ransomware techniques used by this malware, and how it represents the ransomware\u2019s infection routine in general.<\/p>\n\n\n\n<p>Jaff Ransomware is another. It first appeared on May 11, 2017 \u2013 one day before WC. Since then, we have seen its appearance steadily increase, reaching a peak on May 22, 2017. 
This is illustrated in the graphic below.<\/p>\n\n\n\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-1 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/jaff-rsware-blossom-spring-image1.png\" alt=\"\"\/><\/figure>\n<\/figure>\n\n\n\n<p>Our sample is based on the MalSpam campaign targeting our global network of customers.<\/p>\n\n\n\n<p><strong>Delivery:-<\/strong><\/p>\n\n\n\n<p>There are no points for creativity here, so I won\u2019t dwell on the delivery method for too long. This Jaff ransomware campaign is using MalSpam with a malicious attachment.&nbsp;<\/p>\n\n\n\n<p>Our samples show the chosen subject line as \u201cCopy of Invoice\u201d followed by \u201cThe sender email address is spoofed\u201d.&nbsp;<\/p>\n\n\n\n<p>An example of the spoofed emails used to target our clients is shown below:-&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/jaff-rsware-blossom-spring-image2.png\" alt=\"\"\/><\/figure>\n\n\n\n<p><strong>Dropper Analysis:-<\/strong><\/p>\n\n\n\n<p>This analysis is of a PDF attachment:<\/p>\n\n\n\n<p>Filename: 17897740.PDF<\/p>\n\n\n\n<p>MD5: e2b9ffb93c982e05238a30af016a2eed<\/p>\n\n\n\n<p>A list of the malicious embedded objects that were triggered upon execution:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-gallery has-nested-images columns-default is-cropped wp-block-gallery-2 is-layout-flex wp-block-gallery-is-layout-flex\">\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/jaff-rsware-blossom-spring-image3.png\" alt=\"\"\/><\/figure>\n<\/figure>\n\n\n\n<p>In the above sample, the combination of automatic actions and embedded JavaScript is an immediate red flag.&nbsp;<\/p>\n\n\n\n<p>Upon 
execution, the file\u2019s primary drop is a macro file named \u2018QDLCPQkk.docm\u2019. This file has been hardcoded with a number of Command and Control (C&amp;C) domains from which it downloads an encrypted text file.&nbsp;<\/p>\n\n\n\n<p>Below is a list of the C&amp;C URLs found in the macro.<\/p>\n\n\n\n<p><strong>Indicators of Compromise:-<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/jaff-rsware-blossom-spring-image4.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>Once downloaded, the encrypted file is converted into a Windows PE executable. In the recent campaigns, we have identified the following Windows PE file after conversion.<br><br>Filename: buzinat8.exe<br><br>MD5: 132d56f533f3a074b441cebff98e7742<br><br>This is the original ransomware payload; it injects a number of \u201c.dll\u201d files and makes an API call to \u201c\\ThemeApiport\u201d. A DNS request follows, in turn making an HTTP\/GET request to the following domain:-<br><br><strong>trollitrancessions.net &nbsp; &nbsp; &nbsp;IP address: 217.29.63.199<\/strong><br><br>Next it is the Windows directory\u2019s turn:-<br><br>\u201cbuzinat8.exe\u201d touched file \u201c%WINDIR%\\DtcInstall.log.jaff\u201d<br><br>\u201cbuzinat8.exe\u201d touched file \u201c%WINDIR%\\HomePremium.xml.jaff\u201d<br><br>\u201cbuzinat8.exe\u201d touched file \u201c%WINDIR%\\IE10_main.log.jaff\u201d<br><br>\u201cbuzinat8.exe\u201d touched file \u201c%WINDIR%\\IE11_main.log.jaff\u201d<br><br>\u201cbuzinat8.exe\u201d touched file \u201c%WINDIR%\\PFRO.log.jaff\u201d<br><br>\u201cbuzinat8.exe\u201d touched file \u201c%WINDIR%\\setupact.log.jaff\u201d<br><br>\u201cbuzinat8.exe\u201d touched file \u201c%WINDIR%\\setuperr.log.jaff\u201d<br><br>\u201cbuzinat8.exe\u201d touched file \u201c%WINDIR%\\Starter.xml.jaff\u201d<\/p>\n\n\n\n<p>A number of files are encrypted with the \u201c.Jaff\u201d extension, ultimately revealing the below ransom 
message on the listed Onion URLs.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"https:\/\/lmntrix.com\/blog\/wp-content\/uploads\/2024\/08\/jaff-rsware-blossom-spring-image5.png\" alt=\"\"\/><\/figure>\n\n\n\n<p>It seems since March we\u2019ve witnessed a new ransomware iteration almost every month.&nbsp;<\/p>\n\n\n\n<p>These attacks are clearly successful. It is safe to assume these attacks will continue to increase in sophistication and scope, and that the next \u2018NHS\u2019 attack is around the corner.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Jaff ransomware was first discovered around spring of 2017, but it was largely neglected by the security community as that was the same time that WannaCry was the lead story covered by the press. Since then Jaff ransomware has lurked in the shadows while infecting machines worldwide. In this LMNTRIX Labs analysis, we will look into some of the common ransomware techniques used by this malware, and how it represents the ransomware\u2019s infection routine in general. Jaff Ransomware is another. It first appeared on May 11, 2017 \u2013 one day before WC. 
Since then, we have seen its appearance steadily increase, reaching a peak on May 22, 2017.<\/p>\n","protected":false},"author":1,"featured_media":1115,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-1107","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1107","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=1107"}],"version-history":[{"count":4,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1107\/revisions"}],"predecessor-version":[{"id":4086,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/1107\/revisions\/4086"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/1115"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=1107"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=1107"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=1107"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}