Ransom:Win32/Jaffrans
First posted on 16 June 2017.
Source: Microsoft
Aliases:
Ransom:Win32/Jaffrans is also known as Trojan-Ransom.Win32.Rakhni, Trojan-Ransom.Win32.Agent.iih, Trojan-Ransom.Win32.Autoit, Trojan-Ransom.Win32.Aura, Trojan-Ransom.AndroidOS.Pletor, Trojan-Ransom.Win32.Rotor, Trojan-Ransom.Win32.Lamer, Trojan-Ransom.Win32.Cryptokluchen, Trojan-Ransom.Win32.Democry, Trojan-Ransom.Win32.Bitman, Trojan-Ransom.Win32.Jaff.
Explanation:
Arrival
This ransomware is downloaded onto target computers by malicious documents in spammed email messages. The documents have malicious macro codes that download this ransomware from multiple server locations. These documents are embedded in .pdf files attached to email messages sent from the Necurs spam bot.
The email messages use subject lines like 'Invoice' and 'Order'. The following is a sample email that carries the malicious .pdf attachment:
When the .pdf attachment is opened, it triggers a prompt to open the embedded document with malicious macro codes:
If the document is opened, Microsoft Word issues its usual security prompt, warning that the document contains macros that are potentially harmful.
If allowed to run, the macro codes download this ransomware. The malicious document is detected as TrojanDownloader:O97M/Donoff.
Installation
This ransomware persists in the memory throughout the duration of the file encryption routine, but removes itself afterwards.
Interestingly, this ransomware does not infect computers that have the language identifier "LANG_RUSSIAN". It terminates its process and deletes itself by running "cmd.exe /C del /Q /F".
Payload
Encrypts files
This ransomware encrypts files in fixed, removable, remote, and ramdisk drives using AES-256 and RSA key exchange with Windows Crypto APIs.
It searches for and encrypts the following file types, including files accessible in the local network:
.001
.002
.003
.004
.005
.006
.007
.008
.009
.010
.1cd
.3dm
.3ds
.3fr
.3g2
.3pr
.7z
.7ZIP
.aac
.ab4
.accdb
.accde
.accdt
.acd
.ach
.acr
.act
.adb
.adp
.ads
.agdl
.ai
.aif
.aiff
.ait
.al
.aoi
.apj
.arw
.as4
.asf
.asm
.asp
.aspx
.asx
.avi
.awg
.back
.backup
.backupdb
.bak
.bank
.bay
.bdb
.bgt
.bik
.bin
.bkp
.blend
.bmp
.bpw
.c
.cad
.cbr
.cdf
.cdr
.cdr3
.cdr4
.cdr5
.cdr6
.cdrw
.cdx
.ce1
.ce2
.cer
.cfg
.cgm
.cib
.class
.cls
.cmt
.config
.contact
.cpi
.cpp
.cr2
.craw
.crt
.crw
.cs
.csh
.csl
.css
.csv
.dac
.dat
.db
.db_journal
.db3
.dbf
.dbx
.dc2
.dcr
.dcs
.ddd
.ddoc
.ddrw
.dds
.deb
.der
.design
.dgc
.dit
.djvu
.dng
.doc
.docm
.docx
.dot
.dotm
.dotx
.drf
.drw
.dsr
.dtd
.dwg
.dxb
.dxf
.dxg
.edb
.eml
.eps
.erbsql
.erd
.exf
.fdb
.ffd
.fff
.fh
.fhd
.fif
.fla
.flac
.flv
.flvv
.fpx
.fxg
.gif
.gray
.grey
.groups
.gry
.gz
.h
.hbk
.hdd
.hpp
.htm
.html
.ibank
.ibd
.ibz
.ico
.ics
.idf
.idx
.iff
.iif
.iiq
.incpas
.indd
.java
.jnt
.jpe
.jpeg
.jpg
.js
.kc2
.kdbx
.kdc
.key
.kpdx
.kwm
.laccdb
.lit
.log
.lua
.m
.m2ts
.m3u
.m4a
.m4p
.m4v
.mapimail
.max
.mbx
.md
.mdb
.mdc
.mdf
.mdi
.mef
.mfw
.mid
.mix
.mkv
.mlb
.mmw
.mny
.moneywell
.mos
.mov
.mp3
.mp4
.mpd
.MPEG
.mpg
.mrw
.des
.msg
.nd
.ndd
.ndf
.nef
.nk
.nop
.nrw
.ns2
.ns3
.ns4
.nsd
.nsf
.nsg
.nsh
.nvram
.nwb
.nx2
.nxl
.nyf
.oab
.obd
.obj
.obt
.odb
.odc
.odf
.odg
.odm
.odp
.ods
.odt
.ogg
.oil
.ord
.ost
.otg
.oth
.otp
.ots
.ott
.ova
.p12
.p7b
.p7c
.pab
.pages
.par
.pas
.pat
.pcd
.pct
.pdb
.pdd
.pef
.pem
.pfx
.php
.pif
.pl
.plc
.plus_muhd
.png
.pot
.potm
.potx
.ppam
.pps
.ppsm
.ppsx
.ppt
.pptm
.pptx
.prf
.prn
.ps
.psafe3
.psd
.pspimage
.pst
.ptx
.pub
.pwm
.py
.qba
.qbb
.qbm
.qbr
.myd
.qbw
.qbx
.qby
.qcow
.qcow2
.qed
.r3d
.raf
.rar
.rat
.raw
.rdb
.rm
.rpm
.rtf
.rvt
.rw2
.rwl
.rwz
.s3db
.safe
.sas7bdat
.sav
.save
.say
.sd0
.sda
.sdf
.sitx
.sldm
.sldx
.sql
.sqlite
.sqlite3
.sqlitedb
.sr
.srf
.srt
.srw
.st4
.st5
.st6
.st7
.st8
.stc
.std
.sti
.stl
.stm
.stw
.stx
.svg
.swf
.swm
.sxc
.sxd
.sxg
.sxi
.sxm
.sxw
.tar
.tar.gz
.tex
.tga
.thm
.tib
.tlg
.txt
.vbox
.vcf
.vdi
.veg
.vhd
.vhdx
.vib
.vmdk
.vmsd
.vmx
.vmxf
.vob
.vsc
.vsd
.wab
.wad
.wallet
.wav
.waw
.wb2
.wbk
.wda
.wma
.wmv
.wpd
.wps
.x11
.x3f
.xis
.xla
.xlam
.xlk
.xlm
.xls
.xlsb
.xlsm
.xlsx
.xlt
.xltm
.xltx
.xlw
.xml
.xmod
.ycbcra
.zip
.zipx
.zpf
This ransomware has several variants, each of which uses a unique file name extension and ransom note.
After encryption, this ransomware sets a new desktop wallpaper by dropping the following file:
\Rondo\WallpapeR.bmp (for example, c:\Documents and Settings\All Users\Application Data\Rondo\WallpapeR.bmp)
The wallpaper also varies slightly by variant, but one of the URLs it displays points to the payment server, where the victim's ID is entered to download a decryptor tool:
.jaff variant
This variant appends the filename extension .jaff to encrypted files.
It also creates the following files in each folder where it encrypts files:
- ReadMe.bmp
- ReadMe.html
- ReadMe.txt
These files contain instructions to pay ransom in order to decrypt the files.
It sets the following image, which also contains instructions, as desktop wallpaper:
.wlu variant
This variant appends the filename extension .wlu to encrypted files.
It also creates the following files in each folder where it encrypts files:
- README TO SAVE YOUR FILES.BMP
- README TO SAVE YOUR FILES.HTML
- README TO SAVE YOUR FILES.TXT
These files contain instructions to pay ransom in order to decrypt the files.
It sets the following image, which also contains instructions, as desktop wallpaper:
.sVn variant
This variant appends the filename extension .sVn to encrypted files.
It also creates the following files in each folder where it encrypts files:
- !!!SAVE_YOUR_FILES.BMP
- !!!README_FOR_SAVE_FILES.TXT
These files contain instructions to pay ransom in order to decrypt the files.
It sets the following image, which also contains instructions, as desktop wallpaper:
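As an added triage example (not part of the Microsoft write-up), the following Python function scans a list of file paths, such as a file-system listing or an EDR file-create feed, for the artifacts described above: the per-variant appended extensions, the ransom-note file names dropped in each encrypted folder, and the Rondo\WallpapeR.bmp wallpaper drop. The sample path list at the bottom is constructed for illustration.

```python
import ntpath
from collections import defaultdict

# Indicators taken from the write-up: the extension each variant appends, mapped to the
# ransom-note names it drops into every folder it encrypts. Windows file names are
# case-insensitive, so all comparisons are done on lower-cased values.
VARIANT_NOTES = {
    ".jaff": {"readme.bmp", "readme.html", "readme.txt"},
    ".wlu": {"readme to save your files.bmp",
             "readme to save your files.html",
             "readme to save your files.txt"},
    ".svn": {"!!!save_your_files.bmp", "!!!readme_for_save_files.txt"},
}
WALLPAPER_SUFFIX = "\\rondo\\wallpaper.bmp"  # tail of the wallpaper drop path


def triage_paths(paths):
    """Classify file paths against the Jaff indicators. Returns encrypted-file counts
    per variant, the folders where each variant's notes were seen, whether the
    wallpaper drop appeared, and a verdict naming the most likely variant (or None)."""
    encrypted = defaultdict(int)
    note_folders = defaultdict(set)
    wallpaper_seen = False
    for path in paths:
        folder, name = ntpath.split(path)
        folder, name = folder.lower(), name.lower()
        if path.lower().endswith(WALLPAPER_SUFFIX):
            wallpaper_seen = True
            continue
        ext = ntpath.splitext(name)[1]  # last extension, e.g. "budget.xlsx.wlu" -> ".wlu"
        if ext in VARIANT_NOTES:
            encrypted[ext] += 1
        for variant, notes in VARIANT_NOTES.items():
            if name in notes:
                note_folders[variant].add(folder)
    verdict = None
    if encrypted:  # prefer evidence from encrypted files, fall back to notes alone
        verdict = max(encrypted, key=encrypted.get)
    elif note_folders:
        verdict = max(note_folders, key=lambda v: len(note_folders[v]))
    return {"encrypted": dict(encrypted),
            "note_folders": {k: sorted(v) for k, v in note_folders.items()},
            "wallpaper_seen": wallpaper_seen,
            "verdict": verdict}


# Constructed sample feed (not real telemetry): benign files mixed with a .wlu infection.
SAMPLE_PATHS = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\budget.xlsx.wlu",
    r"C:\Users\alice\Documents\README TO SAVE YOUR FILES.TXT",
    r"C:\Users\alice\Pictures\holiday.jpg.wlu",
    r"C:\Users\alice\Pictures\README TO SAVE YOUR FILES.HTML",
    r"c:\Documents and Settings\All Users\Application Data\Rondo\WallpapeR.bmp",
    r"C:\Windows\System32\notepad.exe",
]

if __name__ == "__main__":
    print(triage_paths(SAMPLE_PATHS))
```

Because the .sVn extension is matched case-insensitively, a bare `.svn` directory entry is ignored (it has no extension part), but a real file named `something.svn` would count as a hit and should be checked by hand.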
Analysis by Rodel Finones
Solution:
Kaspersky Lab has released a free decryption tool for Jaff ransomware after exploiting vulnerabilities in the malware’s code.
https://support.kaspersky.com/viruses/disinfection/10556
Last update 16 June 2017