Jaff ransomware is a file encrypting malware that arrives via download by special crafted macro documents from spam emails. It encrypts users data with a “.jaff” file extension and then requests the victim pay a ransom.
The following files are usually seen on the system:
- Encrypted files with extension “.jaff”
The desktop wallpaper is changed on the victim’s system to give instructions for decrypting the files.
This malware is download using a specially crafted document with malicious macros.
1.) Upon execution, it tries to communicate with its C2:
The C2 responds with the word “Created”. No other information is transmitted between the C2 and the victim’s machine.
(Note: even if the C2 is inactive, it will still perform its file encryption routine)
2.) File Encryption
It encrypts files with AES and targets the filenames with the following extensions:
Once the file is encrypted, it adds the “.jaff” extension to the filename.
3.) It drops the following files in every directory where a file was encrypted. These are Ransom Notes.
4.) Once all files are encrypted on the system, it will replace the desktop wallpaper like the snapshot below:
It does this by modifying the following registry entry:
[Wallpaper] = [%Path of Ransomware Wallpaper%]
5.) The malware deletes itself after performing its deed.