One Article Review

Source: SANS Institute
Identifier: 367939
Publication date: 2017-05-24 00:05:29 (seen: 2017-05-24 00:05:29)
Title: Jaff ransomware gets a makeover, (Wed, May 24th)
Text:

Introduction

Since 2017-05-11, a new ransomware named Jaff has been distributed through malicious spam (malspam) from the Necurs botnet. This malspam uses PDF attachments with embedded Word documents containing malicious macros.

Shown above: Flow chart for this infection chain.

Prior to Jaff, we've seen waves of malspam using the same PDF attachment/embedded Word doc scheme to push Locky ransomware. Prior to that, this type of malspam was pushing Dridex. With all the recent news about WannaCry ransomware, people might forget Jaff is an ongoing threat. Worse yet, some people might not know about it at all, since it debuted only about 2 weeks ago. Jaff has already gotten a makeover, so an infected host looks noticeably different now. With that in mind, today's diary reviews a wave of malspam pushing Jaff ransomware from Tuesday 2017-05-23.

The emails

This specific wave of malspam used a fake invoice theme. It started on Tuesday 2017-05-23 as early as 13:22 UTC and lasted until sometime after 20:00 UTC. I collected 20 emails for today

Shown above: Screenshot from one of the emails.

As stated earlier, these emails all have PDF attachments, and each one contains an embedded Word document.

Shown above: The embedded Word document with malicious macros.

The traffic

Follow the entire infection chain, and you'll see minimal network traffic compared to other types of malware. The Word macros generate an initial URL to download an encoded Jaff binary; then we see one other URL for a post-infection callback from the infected host. The initial HTTP request for Jaff returns an encoded binary that has been XORed with the ASCII string I6cqcYo7wQ. Post-infection traffic merely returns the string "Created".

Shown above: Alerts on the traffic using Security Onion with Suricata and the EmergingThreats Open ruleset.

The infected Windows host

The encoded binary from this wave of malspam was stored in the user's AppData\Local\Temp directory as lodockap8. It was then decoded and stored as levinsky8.exe in the same directory.

Shown above: The user's AppData\Local\Temp directory from an infected host on 2017-05-23.

On Tuesday 2017-05-23, Jaff ransomware had a makeover.

Shown above: Desktop of a Windows host infected with a Jaff ransomware sample from 2017-05-23.

Encrypted files had previously been appended with the .jaff file extension. On Tuesday 2017-05
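The decoding step the diary describes (an encoded download that becomes levinsky8.exe once the XOR is removed), as an added example that is not code from the ISC diary. It assumes the encoding is a plain repeating-key XOR with the ASCII key I6cqcYo7wQ starting at offset 0 (the diary names the key but not the exact scheme), uses a constructed stand-in for the downloaded blob rather than a real sample, and goes one step beyond the text: recover_xor_key shows how to recover a changed key of the same length from a later wave using known-zero bytes of the DOS header, so the decoder does not depend on the key staying constant.

```python
"""Decode a Jaff-style XOR-encoded download and sanity-check the result.

Added example, not the diary's code. Assumptions: repeating-key XOR from
offset 0 with the key named in the diary; the sample blob below is
constructed, not a real Jaff binary.
"""
import itertools

JAFF_XOR_KEY = b"I6cqcYo7wQ"  # ASCII key named in the ISC diary


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is symmetric, so the same call
    both encodes and decodes (assumption: key repeats from offset 0)."""
    if not key:
        raise ValueError("key must not be empty")
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def looks_like_pe(blob: bytes) -> bool:
    """Minimal PE check: 'MZ' at offset 0 and the e_lfanew pointer at 0x3C
    leading to a PE signature inside the buffer."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def build_fake_pe_stub() -> bytes:
    """Constructed stand-in for the dropped binary: a 64-byte DOS header whose
    e_lfanew points at a PE signature. Not a runnable executable."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)  # 0x40 bytes, reserved fields zero
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def decode_download(encoded: bytes, key: bytes = JAFF_XOR_KEY) -> bytes:
    """Decode a downloaded blob (the lodockap8 stage) and refuse output that
    does not look like a PE, so a wrong key or a decoy response is caught
    instead of being written out as the .exe stage."""
    decoded = xor_repeating(encoded, key)
    if not looks_like_pe(decoded):
        raise ValueError("decoded data is not a PE image: wrong key or not the payload")
    return decoded


def recover_xor_key(encoded: bytes, key_len: int) -> bytes:
    """Known-plaintext key recovery for a later wave with a different key of
    the same length. The DOS header fields at 0x1C-0x3B (e_res, e_oemid,
    e_oeminfo, e_res2) are zero in PEs from the usual linkers, so the encoded
    bytes there are the key bytes themselves. 32 zero bytes cover every key
    position for key_len <= 32 (assumption: the payload was not packed in a
    way that fills those fields)."""
    if not 0 < key_len <= 32:
        raise ValueError("key_len must be between 1 and 32")
    if len(encoded) < 0x3C:
        raise ValueError("encoded data too short to contain a DOS header")
    key = bytearray(key_len)
    for offset in range(0x1C, 0x3C):
        key[offset % key_len] = encoded[offset]
    candidate = bytes(key)
    # Validate against the one header field we do know: 'MZ' at offset 0.
    if xor_repeating(encoded[:2], candidate) != b"MZ":
        raise ValueError("recovered key does not decode an MZ header")
    return candidate


if __name__ == "__main__":
    # Round trip on the constructed stand-in: encode, decode, recover the key.
    encoded_blob = xor_repeating(build_fake_pe_stub(), JAFF_XOR_KEY)
    print("encoded header:", encoded_blob[:4].hex())
    print("decoded header:", decode_download(encoded_blob)[:4])
    print("recovered key :", recover_xor_key(encoded_blob, len(JAFF_XOR_KEY)))
```

On a real case you would read the lodockap8 file from AppData\Local\Temp, call decode_download, and hash the result; the PE check is what separates the payload from an HTML error page or a sinkhole response that the same URL may return later.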
Indicators: SHA-256 hashes appearing in the article (listed here without the article's per-file labels)

0218178eec35acad7909a413d94d84ae3d465a6ea37e932093ec4c7a9b6a7394
084ee31e69053e66fafe6e1c2a69ffec015f95801ce6020f7765c56d6f3c23ff
0855061389b62ec6a9b95552357ff7571ae5c034b304978a533c6cba06c3f9e8
0a326eb9a416f039be104bb5f199b7f3442515f88bd5c7ad1492b1721c174b8e
1f2598dc7a7b8f84307d8c2fa41f5550c320f8192cd41e50b47570d3836e6fcc
21da9eeded9581f6f032dea0f21b45aa096b0330ddacbb8a7a3942a2026cc8ca
2dbf9e1c412aa1ffd32a91043642eb9cc80772c87dbbce3dd098c57d917277fb
3f95a7eeb1965193a4e92862c10897e04708b37b793b8e45f890d019358214c0
4458f43127bb514b19c45e086d48aba34bf31baf1793e3d0611897c2ff591843
557306dc8005f9f6891939b5ceceb35a82efbe11bd1dede755d513fe6b5ac835
56cd249ff82e9bb96a73262090bc6a299ead64d6c75161520e745c2066f22430
66320f4e85e3d6bd46cf00da43ca421e4d50c2218cb57238abb2fb93bef37311
795d8312749c122fa10a93c9f3aa1c0f4ffc081714c0ddb66c141334f8ef0633
7dd248652f2b42f3e1ad828e686c8ba458b6bb5b06cea46606ceccdd6b6e823c
8906d10a48487d8240bddd0c0cb5c076e88104c86bdf871b0143d74b6df3cc98
8a474cdd4c03dd4a6ba6ad8945bf22f74f2f41830203f846d5437f02292bb037
91aa966e837c4144a1294aa912a2162397f3a6df98cf336891d234e267cd919f
933fcc1bf90716abf7c4eaf29b520d2276df895fb4dd5a76be2a55028a4da94e
956e43ece563fd46e6995fae75a0015559f0a63af5059290a40c64b906be5b9b
9beb67a68396375f14099055b712e22673c9a1d307a76125186127e289ab41a2
a98782bd10004bef221e58abcecc0de81747e97910b8bbaabfa0b6b30a93b66b
ae244ca170b6ddc285da0598d9e108713b738034119bae09eaa69b0c5d7635f8
b2b9c02080ae6fbe1845c779e31b5f6014ec20db74d21bd9dd02c444a0d0dd9b
bc0b2fbe4225e544c6c9935171a7d6162bc611a82d0c6a5f3d62a3f5df71cf8c
c126e731c1c43d52b52a44567de45796147aca1b331567ed706bf21b6be936b4
c702deaa2fe03f188a670d46401e7db71628e74b0e5e2718a19e2944282e05cd
cde2ff070e86bc1d72642cb3a48299080395f1df554e948fd6e8522579dfe861
daf01a1f7e34e0d47ecdfcef5d27b2f7a8b096b4e6bc67fb805d4da59b932411
e477300e8f8954ee95451425035c7994b984d8bc1f77b4ccf2a982bb980806fe
Stories: Wannacry
The article does not appear to have been picked up after its publication.

The article does not appear to have been picked up from a previous one.