{
	"id": "b9756835-7789-4f67-b9ed-ddc05a9d9451",
	"created_at": "2026-04-06T00:11:24.939399Z",
	"updated_at": "2026-04-10T13:12:45.34305Z",
	"deleted_at": null,
	"sha1_hash": "a257dba0497022c840aeef7b39c29ee26ee77b82",
	"title": "Malware-Traffic-Analysis.net - 2017-05-16 - More examples of Jaff ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1942028,
	"plain_text": "Malware-Traffic-Analysis.net - 2017-05-16 - More examples of Jaff ransomware\r\nArchived: 2026-04-05 14:19:56 UTC\r\nNOTICE:\r\nThe zip archives on this page have been updated, and they now use the new password scheme.  For the new password, see the \"about\" page of this website.\r\nASSOCIATED FILES:\r\n2017-05-16-Jaff-ransomware-traffic.pcap.zip   92.3 kB (92,253 bytes)\r\n2017-05-16-Jaff-ransomware-malspam-traffic.pcap   (97,799 bytes)\r\n2017-05-16-Jaff-ransomware-malspam-tracker.csv.zip   1.1 kB (1090 bytes)\r\n2017-05-16-Jaff-ransomware-malspam-tracker.csv   (3,024 bytes)\r\n2017-05-16-Jaff-ransomware-emails-and-malware.zip   1.2 MB (1,195,959 bytes)\r\n2017-05-16-133459-UTC-Invoice.pdf   (52,399 bytes)\r\n2017-05-16-141909-UTC-Invoice.pdf   (52,239 bytes)\r\n2017-05-16-142344-UTC-Invoice.pdf   (52,322 bytes)\r\n2017-05-16-142529-UTC-Invoice.pdf   (52,322 bytes)\r\n2017-05-16-142819-UTC-Invoice.pdf   (52,322 bytes)\r\n2017-05-16-143514-UTC-Invoice.pdf   (52,322 bytes)\r\n2017-05-16-144044-UTC-Invoice.pdf   (52,322 bytes)\r\n2017-05-16-145739-UTC-Invoice.pdf   (52,464 bytes)\r\n2017-05-16-150804-UTC-Invoice.pdf   (52,439 bytes)\r\n2017-05-16-155014-UTC-Invoice.pdf   (52,214 bytes)\r\n2017-05-16-173344-UTC-Invoice.pdf   (52,185 bytes)\r\n2017-05-16-182134-UTC-Invoice.pdf   (51,875 bytes)\r\n2017-05-16-Jaff-Decryptor-index.css   (2,661 bytes)\r\n2017-05-16-Jaff-Decryptor.html   (5,090 bytes)\r\n2017-05-16-Jaff-ransomware-ReadMe.bmp   (3,145,782 bytes)\r\n2017-05-16-Jaff-ransomware-ReadMe.html   (1,431 bytes)\r\n2017-05-16-Jaff-ransomware-ReadMe.txt   (482 bytes)\r\n2017-05-16-Jaff-ransomware-galaperidol8.exe   (147456 bytes)\r\n2017-05-16-jaff-malspam-133459-UTC.eml   (71,787 bytes)\r\nGUMHSZUM.docm   (55,176 bytes)\r\nHBTEJ.docm   (55,154 bytes)\r\nhttp://malware-traffic-analysis.net/2017/05/16/index.html\r\nPage 1 of 7\r\nHSOTN2JI.docm   (55,170 bytes)\r\nLNJ9DNIJ.docm   (55,187 bytes)\r\nU4HKZVPRL.docm   (55,175 bytes)\r\nUCER2Q.docm   (55,134 bytes)\r\nUTTNNVW6V.docm   (55,166 bytes)\r\nVEZLGKVC.docm   (55,155 bytes)\r\nEMAIL\r\nShown above:  An example of the emails.\r\n12 EMAIL EXAMPLES:\r\nREAD: DATE/TIME -- SUBJECT -- ATTACHMENT NAME -- SENDING ADDRESS (SPOOFED)\r\n2017-05-16 13:34:59 UTC -- Your Invoice # 921212 -- Invoice.pdf -- \"Courtney\" \u003cCourtney.messeena@styledoors[.]info\u003e\r\n2017-05-16 14:19:09 UTC -- Your Invoice # 878923 -- Invoice.pdf -- \"Jeremiah\" \u003cJeremiah.cogguns@ledomassage[.]nl\u003e\r\n2017-05-16 14:23:44 UTC -- Your Invoice # 654270 -- Invoice.pdf -- \"Shelly\" \u003cShelly.hullson@ariakarasanat[.]com\u003e\r\n2017-05-16 14:25:29 UTC -- Your Invoice # 87871 -- Invoice.pdf -- \"Jodie\" \u003cJodie.work@pisoria[.]com\u003e\r\n2017-05-16 14:28:19 UTC -- Your Invoice # 850914 -- Invoice.pdf -- \"Blake\" \u003cBlake.sykes@vivacerveja[.]com[.]br\u003e\r\n2017-05-16 14:35:14 UTC -- Your Invoice # 62287 -- Invoice.pdf -- \"Adrienne\" \u003cAdrienne.haddock@k2news[.]net\u003e\r\n2017-05-16 14:40:44 UTC -- Your Invoice # 24559 -- Invoice.pdf -- \"Virgie\" \u003cVirgie.burke@spi[.]com[.]ar\u003e\r\n2017-05-16 14:57:39 UTC -- Your Invoice # 852594 -- Invoice.pdf -- \"Krystal\" \u003cKrystal.doole@papa-ganda[.]net\u003e\r\n2017-05-16 15:08:04 UTC -- Your Invoice # 99499 -- Invoice.pdf -- \"Laurie\" \u003cLaurie.devell@coveredwagon[.]ca\u003e\r\n2017-05-16 15:50:14 UTC -- Your Invoice # 08175 -- Invoice.pdf -- \"Kristy\" \u003cKristy.oglethorp@maloufimo[.]com\u003e\r\n2017-05-16 17:33:44 UTC -- Your Invoice # 927414 -- Invoice.pdf -- \"Marlene\" \u003cMarlene.balmer@seniorsmarketplacenews[.]com\u003e\r\n2017-05-16 18:21:34 UTC -- Your Invoice # 376427 -- Invoice.pdf -- \"Earlene\" \u003cEarlene.wyatville@gradinitamagica[.]ro\u003e\r\nMALWARE\r\nShown above:  As usual, the PDF attachment contains an embedded Word document with malicious macros.\r\nSHA256 HASHES FOR THE ATTACHMENTS:\r\nSHA256 HASHES FOR THE EMBEDDED WORD DOCUMENTS:\r\nJAFF RANSOMWARE SAMPLE:\r\nSHA256 hash:  387812ee2820cbf49812b1b229b7d8721ee37296f7b6018332a56e30a99e1092\r\nFile size:  147,456 bytes\r\nFile location:  C:\\Users\\[username]\\AppData\\Local\\Temp\\galaperidol8.exe\r\nTRAFFIC\r\nURLS FROM THE WORD MACROS TO DOWNLOAD JAFF RANSOMWARE:\r\nJAFF RANSOMWARE POST-INFECTION TRAFFIC:\r\n47.91.107[.]213 port 80 eesiiuroffde445[.]com - GET /a5/\r\nrktazuzi7hbln7sy[.]onion - Tor domain for Jaff Decryptor (same as the last few times)\r\nTraffic from the infection filtered in Wireshark.\r\nHTTP request for the Jaff ransomware.\r\nPost-infection traffic from the infected Windows host.\r\nIMAGES\r\nShown above:  Desktop of an infected Windows host.\r\nShown above:  Going to the Jaff Decryptor.\r\nFINAL NOTES\r\nSource: http://malware-traffic-analysis.net/2017/05/16/index.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://malware-traffic-analysis.net/2017/05/16/index.html"
	],
	"report_names": [
		"index.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434284,
	"ts_updated_at": 1775826765,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a257dba0497022c840aeef7b39c29ee26ee77b82.pdf",
		"text": "https://archive.orkl.eu/a257dba0497022c840aeef7b39c29ee26ee77b82.txt",
		"img": "https://archive.orkl.eu/a257dba0497022c840aeef7b39c29ee26ee77b82.jpg"
	}
}