Names | Jaff Rakhni | |
Category | Malware | |
Type | Ransomware | |
Description | (Fortinet) Like many ransomware variants, Jaff ransomware commonly arrives as a pdf attachment. Once you open the attachment, it displays a one-line document along with a pop-up message asking whether you want to open an embedded. After downloading the binary file, Jaff ransomware starts decrypting part of the malware code. It uses a simple code redirection routine as an anti-analysis trick to stretch the time it requires to analyze the actual malicious code. In between code execution, it uses garbage code that is not relevant to the malware execution. | |
Information | <https://www.fortinet.com/blog/threat-research/looking-into-jaff-ransomware.html> <http://malware-traffic-analysis.net/2017/05/16/index.html> <https://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart> <http://blog.talosintelligence.com/2017/05/jaff-ransomware.html> | |
Malpedia | <https://malpedia.caad.fkie.fraunhofer.de/details/win.jaff> | |
AlienVault OTX | <https://otx.alienvault.com/browse/pulses?q=tag:jaff> | |
Playbook | <https://www.nomoreransom.org/uploads/RakhniDecryptor_how-to_guide.pdf> |
Last change to this tool card: 25 April 2021
Download this tool card in JSON format
Changed | Name | Country | Observed | ||
APT groups | |||||
TA505, Graceful Spider, Gold Evergreen | 2006-Nov 2022 |
1 group listed (1 APT, 0 other, 0 unknown)
Digital Service Security Center Follow us on |
Report incidents |
|
+66 (0)2-123-1227 | ||
[email protected] |