
Ransom:Win32/Jaffrans


First posted on 16 June 2017.
Source: Microsoft

Aliases:

Ransom:Win32/Jaffrans is also known as Trojan-Ransom.Win32.Rakhni, Trojan-Ransom.Win32.Agent.iih, Trojan-Ransom.Win32.Autoit, Trojan-Ransom.Win32.Aura, Trojan-Ransom.AndroidOS.Pletor, Trojan-Ransom.Win32.Rotor, Trojan-Ransom.Win32.Lamer, Trojan-Ransom.Win32.Cryptokluchen, Trojan-Ransom.Win32.Democry, Trojan-Ransom.Win32.Bitman, Trojan-Ransom.Win32.Jaff.

Explanation:

Arrival

This ransomware is downloaded onto target computers by malicious documents delivered in spammed email messages. The documents contain malicious macro code that downloads the ransomware from multiple server locations. The documents are embedded in .pdf files attached to email messages sent by the Necurs spam bot.

The email messages use subject lines like 'Invoice' and 'Order'. The following is a sample email that carries the malicious .pdf attachment:



When the .pdf attachment is opened, it triggers a prompt to open the embedded document that contains the malicious macro code:



If the document is opened, Microsoft Word issues its usual security prompt warning that the document contains macros, which may be harmful.



If the macro is allowed to run, it downloads this ransomware. The malicious document is detected as TrojanDownloader:O97M/Donoff.
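The delivery chain above (a PDF carrying an embedded macro document that is offered for opening) is something a mail gateway can check for at the PDF object level. The following is an added defender-side example, not code from the page or from Microsoft: it scans a raw PDF for a Filespec/EmbeddedFile pair naming an Office document and for an open-time action, and flags the combination. The sample PDF bytes are constructed for the example and are not a real sample.

```python
import re

# Raw-object scan a mail gateway can run on a PDF attachment. It looks for the
# two things the Jaffrans delivery chain relies on: an embedded file (a Filespec
# whose /EF points at an EmbeddedFile stream) and an action that fires on open.
# Objects packed into compressed object streams are invisible to this scan, so a
# clean result is not conclusive; a real gateway would inflate those first.
OBJ = re.compile(rb"(\d+)\s+\d+\s+obj(.*?)endobj", re.S)
FILESPEC_NAME = re.compile(rb"/Type\s*/Filespec.*?/F\s*\(([^)]*)\)", re.S)
OFFICE_EXTS = (".doc", ".docm", ".docx", ".dot", ".dotm", ".xls", ".xlsm", ".rtf")


def inspect_pdf(data):
    """Return embedded file names, which of them look like Office documents,
    and whether the catalog carries an /OpenAction or /AA entry."""
    names, open_action, embedded_stream = [], False, False
    for m in OBJ.finditer(data):
        body = m.group(2)
        spec = FILESPEC_NAME.search(body)
        if spec:
            names.append(spec.group(1).decode("latin-1"))
        if re.search(rb"/Type\s*/EmbeddedFile", body):
            embedded_stream = True
        if re.search(rb"/Type\s*/Catalog", body) and re.search(rb"/OpenAction|/AA\b", body):
            open_action = True
    office = [n for n in names if n.lower().endswith(OFFICE_EXTS)]
    return {"embedded_files": names, "office_documents": office,
            "embedded_stream": embedded_stream, "open_action": open_action,
            # quarantine rule: an Office document embedded in a PDF that also
            # acts on open matches the spam-run pattern described above
            "quarantine": bool(office) and embedded_stream and open_action}


# Constructed sample (not real malware): a minimal PDF skeleton with one
# embedded .docm attachment and an OpenAction; not a renderable PDF.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 5 0 R /OpenAction 4 0 R
  /Names << /EmbeddedFiles << /Names [(invoice.docm) 2 0 R] >> >> >> endobj
2 0 obj << /Type /Filespec /F (invoice.docm) /EF << /F 3 0 R >> >> endobj
3 0 obj << /Type /EmbeddedFile /Length 4 >> stream
xxxx
endstream endobj
4 0 obj << /S /JavaScript /JS (placeholder) >> endobj
%%EOF"""

# Constructed benign control: a catalog and an empty page tree, nothing else.
BENIGN_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Count 0 /Kids [] >> endobj
%%EOF"""
```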

Installation

This ransomware stays resident in memory for the duration of the file encryption routine, then removes itself.

Interestingly, this ransomware does not infect computers whose language identifier is "LANG_RUSSIAN". On such systems it terminates its process and deletes itself by running "cmd.exe /C del /Q /F ".

Payload

Encrypts files

This ransomware encrypts files in fixed, removable, remote, and ramdisk drives using AES-256 and RSA key exchange with Windows Crypto APIs.

It searches for and encrypts the following file types, including files accessible in the local network:

.001, .002, .003, .004, .005, .006, .007, .008, .009, .010, .1cd, .3dm, .3ds, .3fr, .3g2, .3pr, .7z, .7ZIP, .aac, .ab4,
.accdb, .accde, .accdt, .acd, .ach, .acr, .act, .adb, .adp, .ads, .agdl, .ai, .aif, .aiff, .ait, .al, .aoi, .apj, .arw, .as4,
.asf, .asm, .asp, .aspx, .asx, .avi, .awg, .back, .backup, .backupdb, .bak, .bank, .bay, .bdb, .bgt, .bik, .bin, .bkp, .blend, .bmp,
.bpw, .c, .cad, .cbr, .cdf, .cdr, .cdr3, .cdr4, .cdr5, .cdr6, .cdrw, .cdx, .ce1, .ce2, .cer, .cfg, .cgm, .cib, .class, .cls,
.cmt, .config, .contact, .cpi, .cpp, .cr2, .craw, .crt, .crw, .cs, .csh, .csl, .css, .csv, .dac, .dat, .db, .db_journal, .db3, .dbf,
.dbx, .dc2, .dcr, .dcs, .ddd, .ddoc, .ddrw, .dds, .deb, .der, .design, .dgc, .dit, .djvu, .dng, .doc, .docm, .docx, .dot, .dotm,
.dotx, .drf, .drw, .dsr, .dtd, .dwg, .dxb, .dxf, .dxg, .edb, .eml, .eps, .erbsql, .erd, .exf, .fdb, .ffd, .fff, .fh, .fhd,
.fif, .fla, .flac, .flv, .flvv, .fpx, .fxg, .gif, .gray, .grey, .groups, .gry, .gz, .h, .hbk, .hdd, .hpp, .htm, .html, .ibank,
.ibd, .ibz, .ico, .ics, .idf, .idx, .iff, .iif, .iiq, .incpas, .indd, .java, .jnt, .jpe, .jpeg, .jpg, .js, .kc2, .kdbx, .kdc,
.key, .kpdx, .kwm, .laccdb, .lit, .log, .lua, .m, .m2ts, .m3u, .m4a, .m4p, .m4v, .mapimail, .max, .mbx, .md, .mdb, .mdc, .mdf,
.mdi, .mef, .mfw, .mid, .mix, .mkv, .mlb, .mmw, .mny, .moneywell, .mos, .mov, .mp3, .mp4, .mpd, .MPEG, .mpg, .mrw.des, .msg, .nd,
.ndd, .ndf, .nef, .nk, .nop, .nrw, .ns2, .ns3, .ns4, .nsd, .nsf, .nsg, .nsh, .nvram, .nwb, .nx2, .nxl, .nyf, .oab, .obd,
.obj, .obt, .odb, .odc, .odf, .odg, .odm, .odp, .ods, .odt, .ogg, .oil, .ord, .ost, .otg, .oth, .otp, .ots, .ott, .ova,
.p12, .p7b, .p7c, .pab, .pages, .par, .pas, .pat, .pcd, .pct, .pdb, .pdd, .pdf, .pef, .pem, .pfx, .php, .pif, .pl, .plc,
.plus_muhd, .png, .pot, .potm, .potx, .ppam, .pps, .ppsm, .ppsx, .ppt, .pptm, .pptx, .prf, .prn, .ps, .psafe3, .psd, .pspimage, .pst, .ptx,
.pub, .pwm, .py, .qba, .qbb, .qbm, .qbr.myd, .qbw, .qbx, .qby, .qcow, .qcow2, .qed, .r3d, .raf, .rar, .rat, .raw, .rdb, .rm,
.rpm, .rtf, .rvt, .rw2, .rwl, .rwz, .s3db, .safe, .sas7bdat, .sav, .save, .say, .sd0, .sda, .sdf, .sitx, .sldm, .sldx, .sql, .sqlite,
.sqlite3, .sqlitedb, .sr, .srf, .srt, .srw, .st4, .st5, .st6, .st7, .st8, .stc, .std, .sti, .stl, .stm, .stw, .stx, .svg, .swf,
.swm, .sxc, .sxd, .sxg, .sxi, .sxm, .sxw, .tar, .tar.gz, .tex, .tga, .thm, .tib, .tlg, .txt, .vbox, .vcf, .vdi, .veg, .vhd,
.vhdx, .vib, .vmdk, .vmsd, .vmx, .vmxf, .vob, .vsc, .vsd, .wab, .wad, .wallet, .wav, .waw, .wb2, .wbk, .wda, .wma, .wmv, .wpd,
.wps, .x11, .x3f, .xis, .xla, .xlam, .xlk, .xlm, .xls, .xlsb, .xlsm, .xlsx, .xlt, .xltm, .xltx, .xlw, .xml, .xmod, .ycbcra, .zip,
.zipx, .zpf

This ransomware has several variants, each of which uses a unique file name extension and ransom note.

After encryption, this ransomware sets a new desktop wallpaper by dropping the following file:

  • \Rondo\WallpapeR.bmp (for example, c:\Documents and Settings\All Users\Application Data\Rondo\WallpapeR.bmp)


The wallpaper also varies slightly by variant, but one of the URLs it shows points to the payment server, where the victim enters the specified victim ID to download a decryptor tool:

.jaff variant

This variant appends the filename extension .jaff to encrypted files.

It also creates the following files in each folder where it encrypts files:
  • ReadMe.bmp
  • ReadMe.html
  • ReadMe.txt


These files contain instructions to pay ransom in order to decrypt the files.

It sets the following image, which also contains instructions, as desktop wallpaper:

.wlu variant

This variant appends the filename extension .wlu to encrypted files.

It also creates the following files in each folder where it encrypts files:
  • README TO SAVE YOUR FILES.BMP
  • README TO SAVE YOUR FILES.HTML
  • README TO SAVE YOUR FILES.TXT


These files contain instructions to pay ransom in order to decrypt the files.

It sets the following image, which also contains instructions, as desktop wallpaper:

.sVn variant

This variant appends the filename extension .sVn to encrypted files.

It also creates the following files in each folder where it encrypts files:
  • !!!SAVE_YOUR_FILES.BMP
  • !!!README_FOR_SAVE_FILES.TXT


These files contain instructions to pay ransom in order to decrypt the files.

It sets the following image, which also contains instructions, as desktop wallpaper:
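The three variants above differ only in the extension they append and the ransom notes they drop, so an incident responder can tell them apart from the file system alone. The following is an added example, not code from the page or from Microsoft: a Python triage script that walks a directory tree, counts encrypted files per variant extension, records which folders hold ransom notes, and checks for the Rondo\WallpapeR.bmp drop. The sample directory tree it builds is constructed for the example.

```python
import os
import tempfile
from collections import Counter

# Indicators from the Jaffrans description: the extension each variant appends
# to encrypted files and the ransom notes dropped into every encrypted folder.
# Names are compared case-insensitively (.sVn and the .wlu notes are mixed case).
VARIANTS = {
    ".jaff": {"readme.bmp", "readme.html", "readme.txt"},
    ".wlu": {"readme to save your files." + x for x in ("bmp", "html", "txt")},
    ".svn": {"!!!save_your_files.bmp", "!!!readme_for_save_files.txt"},
}


def triage(root):
    """Walk root; report likely variant, encrypted-file counts, note folders,
    and whether the Rondo\\WallpapeR.bmp wallpaper was dropped."""
    encrypted = Counter({ext: 0 for ext in VARIANTS})
    note_dirs, wallpaper = {}, False
    for dirpath, _, files in os.walk(root):
        names = {f.lower() for f in files}
        for ext, notes in VARIANTS.items():
            encrypted[ext] += sum(1 for n in names if n.endswith(ext))
            if names & notes:
                note_dirs.setdefault(ext, []).append(dirpath)
        if os.path.basename(dirpath).lower() == "rondo" and "wallpaper.bmp" in names:
            wallpaper = True
    variant = max(encrypted, key=encrypted.get) if sum(encrypted.values()) else None
    return {"variant": variant, "encrypted": dict(encrypted),
            "note_dirs": note_dirs, "wallpaper": wallpaper}


def build_sample(root):
    """Constructed sample tree (not real data): a .wlu infection in two folders."""
    layout = {
        "Users/alice/Documents": ["budget.xlsx.wlu", "photo.jpg.wlu", "notes.txt",
                                  "README TO SAVE YOUR FILES.TXT",
                                  "README TO SAVE YOUR FILES.HTML"],
        "Users/alice/Pictures": ["holiday.png.wlu", "README TO SAVE YOUR FILES.BMP"],
        "ProgramData/Rondo": ["WallpapeR.bmp"],
        "Windows/System32": ["kernel32.dll"],
    }
    for rel, names in layout.items():
        d = os.path.join(root, *rel.split("/"))
        os.makedirs(d)
        for n in names:
            open(os.path.join(d, n), "w").close()


def demo():
    root = tempfile.mkdtemp()  # build the constructed tree and triage it
    build_sample(root)
    return triage(root)
```

Run `demo()` to see the report for the constructed tree; point `triage()` at a mounted image or share to use it on a real case.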





Analysis by Rodel Finones

Solution:

Kaspersky Lab has released a free decryption tool for Jaff ransomware, built by exploiting weaknesses in the malware's code:

https://support.kaspersky.com/viruses/disinfection/10556

Last update 16 June 2017
