{
	"id": "791d057b-44e9-4124-b7a8-1d8c4475d7f3",
	"created_at": "2026-04-06T00:13:06.596863Z",
	"updated_at": "2026-04-10T03:23:51.180472Z",
	"deleted_at": null,
	"sha1_hash": "f9cdcdb2ef240578de139e2e2304d490ad5bb09c",
	"title": "Looking Into Jaff Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2513915,
	"plain_text": "Looking Into Jaff Ransomware\r\nBy Raul Alvarez\r\nPublished: 2019-01-31 · Archived: 2026-04-05 23:34:35 UTC\r\nFortiGuard Labs Threat Analysis Blog\r\nJaff ransomware was originally released in the spring of 2017, but it was largely neglected because that was the\r\nsame time that WannaCry was the lead story for news agencies around the world. Since that time, Jaff ransomware\r\nhas lurked in the shadows while infecting machines worldwide. In this FortiGuard Labs analysis, we will look into\r\nsome of the common ransomware techniques used by this malware, and how it represents the ransomware’s\r\ninfection routine in general.\r\nEntry Point\r\nLike many ransomware variants, Jaff ransomware commonly arrives as a PDF attachment. Once you open the\r\nattachment, it displays a one-line document along with a pop-up message asking whether you want to open an\r\nembedded file (See Figure 1).\r\nFigure 1\r\nhttps://www.fortinet.com/blog/threat-research/looking-into-jaff-ransomware.html\r\nPage 1 of 12\n\nIf you choose to open the file, that’s where the fun begins. It then launches an embedded document that contains\r\ninstructions on how to remove macro protection from your document (See Figure 2). The yellow strip at the top of\r\nthe document includes the button “Enable Content,” which enables any macro within the document to execute.\r\nAnd of course, we all already know that this document contains macros.\r\nFigure 2\r\nMacros Everywhere\r\nIn fact, this document contains lots of macros (See Figure 3), only one of which downloads the Jaff binary file. 
The\r\nfollowing is a list of macros found in this variant:\r\n·      autoopen()\r\n·      Document_Open()\r\n·      setAsMainTarget()\r\n·      Challenge(sender As String, e As Integer)\r\n·      Subfunc(MethodParam2() As Byte, MethodParam As String)\r\n·      Lipochanko(a, b)\r\n·      Synomati(Comps)\r\n·      Vgux(strComputer As Integer)\r\n·      enumMembers(objDomain)\r\n·      Assimptota4(FullPath As String, NumHoja As Integer)\r\n·      Assimptota6(FullPath As String, NumHoja As Integer)\r\n·      WidthA(Dbbb As String, bbbJ As String, Optional system_ofADown_Sexote As String)\r\n·      Function system_ofADown_ProjectSpeed()\r\n·      privateProbe()\r\n·      SaveDataCSVToolStripMenuItem_Click(e As Integer)\r\n·      RepackOK(sheetToMove As String, sheetAnchor As String, Assimptota6OrAfter As String)\r\n·      CheckRectsAd()\r\nFigure 3\r\nprivateProbe()\r\nThe privateProbe() macro contains the code that downloads the Jaff binary file (See Figure 4).\r\nFigure 4\r\nWe can do a simple substitution to manually generate the download link.\r\nFrom the encoded links, we replace the letters “RRDD” with “om” and split the links at every\r\noccurrence of the word “Nbiyure3” (See Figure 5).\r\nFigure 5\r\nDecryption, Redirection, and Garbage Code\r\nAfter downloading the binary file, Jaff ransomware starts decrypting part of the malware code. It uses a simple\r\ncode redirection routine as an anti-analysis trick to stretch the time required to analyze the actual malicious code.\r\nIn between code execution, it uses garbage code that is not relevant to the malware execution.\r\nFigure 6 shows different blocks of code executed in a random fashion. 
Each pass through this group of blocks\r\ndecrypts a DWORD value, and then continues until it decrypts the rest of the malware. It also shows the numbered\r\ndirections of code execution for the decryption routine.\r\nFigure 6\r\nOnce we remove the garbage code and irrelevant blocks, we can see that only three blocks are used for the actual\r\ndecryption. Figure 7 shows the same group of blocks highlighting the actual relevant code used for the decryption\r\nroutine. It turns out that the actual decryption routine is just a simple XOR.\r\nFigure 7\r\nResolving the APIs\r\nAfter decrypting the malware code, most of the API names the malware uses are still hidden.\r\nHiding API names is a malware feature designed to conceal them from an antivirus scanner. It helps to avoid\r\nbeing detected based on a combination of known APIs used by malware. There are different ways of hiding the\r\nAPIs: some malware uses encryption, and some uses hashing. The latter is used by Jaff. Following are the steps\r\nnecessary to resolve the APIs.\r\nInitially, it looks for the “kernel32.dll” string by parsing the PEB (Process Environment Block) structure. It\r\ncomputes the hash of every module name found in the PEB and compares it to the hash for “kernel32.dll”. Once it\r\nfinds a match, it then grabs the location of kernel32.dll and starts resolving the rest of the needed APIs in a\r\nsimilar fashion.\r\nProcess Hollowing\r\nAfter resolving all the needed APIs, Jaff performs process hollowing. This is a malware feature that, instead of\r\ndropping another executable file and executing it, overwrites part of the original malware code in memory with its\r\nnew executable code.\r\nIn order for Jaff to do process hollowing, it clears the memory blocks of the current process using the\r\nUnmapViewOfFile API. 
It then re-allocates the same memory blocks using the VirtualAlloc API, and changes their\r\nprotection to PAGE_EXECUTE_READWRITE by calling the VirtualProtect API. A series of REPE MOVSB\r\ninstructions are used to copy the contents of the malicious code to the newly allocated memory blocks.\r\nWrapper Code\r\nAs we have seen so far, the decryption, code redirection, API resolution, and process hollowing are just part of the\r\nwrapper code designed to hide the actual malicious binaries. After executing all of that code, the malware is now\r\nready to show its true nature.\r\nInterestingly enough, using the wrapping technique allows you to basically upgrade the wrapper code without the\r\nneed to upgrade the malicious executable. In this way, you can quickly deploy a new version of the malware that\r\navoids previously used detection parameters.\r\nLet’s now look at where the different parts and features of the embedded executable code are located.\r\nResource Section\r\nThe resource section of the malware contains the key block. It also contains the encrypted list of extension names,\r\na download URL link, and the ransom note (See Figure 8).\r\nFigure 8\r\nKey Block\r\nThe key block is a 260-byte key found in one of the resources. It is used to decrypt the contents of different\r\nresources within the section.\r\nFigure 9 shows a snapshot of the code that fetches a resource, the resource that contains the key block, and the\r\n260-byte key.\r\nFigure 9\r\nExtension Names\r\nOne of the resources contains the encrypted list of extension names. Figure 10 shows the encrypted and decrypted\r\nlist of extension names of the files that the malware will try to search for and encrypt (See also Figure 11).
\r\nFigure 10\r\nFigure 11\r\nRansom Notes\r\nJaff’s ransom note is stored in three different formats: HTML, regular text, and image (BMP). The text and HTML\r\nversions are found in the resource section, while the BMP version is generated using the same text. Figure 12\r\nshows the HTML version of the ransom note in encrypted and decrypted form, and the location in the resource\r\nsection where it can be found.\r\nFigure 12\r\nTo generate the ransom note in image form, Jaff uses the following combination of APIs:\r\nCreateStreamOnHGlobal\r\nCreateDCW(DISPLAY)\r\nGetDeviceCaps\r\nSetRect\r\nCreateSolidBrush\r\nFillRect\r\nOleDraw\r\nFigure 13\r\nFigure 13 shows a sample of the ransom note in image form. The decrypt ID is dynamically generated and added\r\nto the image. In this particular variant of Jaff ransomware, this image is set as the desktop’s wallpaper after the\r\ninfection.\r\nFile Encryption Routine\r\nAfter all the complex code wrapping and initialization, the main malicious payload that encrypts files is the\r\nsimplest routine.\r\nTo encrypt files, Jaff searches for files in a given directory, then checks whether the extension name of each\r\nfile is found in the list (see Figure 11). Next, it renames the file with a .jaff extension and opens it for encryption.\r\nIt then encrypts the file using a call to the CryptEncrypt API (see Figure 14).\r\nAfter all possible files are encrypted, the malware drops the ReadMe.bmp, ReadMe.html, and ReadMe.txt\r\nversions of the ransom note in the given directory.\r\nFigure 14\r\nWrap Up\r\nOne of the factors that affects the popularity of a ransomware is the timing of its release. 
Jaff was released\r\nat almost the same time as WannaCry, thus killing its dream of stardom in an instant. Or maybe it was released\r\nintentionally at that moment to add stealth to its infection.\r\nEither way, we should always be ready for any malware or ransomware by keeping our defenses regularly\r\nupdated.\r\nSha256: 387812ee2820cbf49812b1b229b7d8721ee37296f7b6018332a56e30a99e1092\r\nDetection: W32/Jaff.ED11!tr.ransom\r\nSource: https://www.fortinet.com/blog/threat-research/looking-into-jaff-ransomware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/looking-into-jaff-ransomware.html"
	],
	"report_names": [
		"looking-into-jaff-ransomware.html"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434386,
	"ts_updated_at": 1775791431,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f9cdcdb2ef240578de139e2e2304d490ad5bb09c.pdf",
		"text": "https://archive.orkl.eu/f9cdcdb2ef240578de139e2e2304d490ad5bb09c.txt",
		"img": "https://archive.orkl.eu/f9cdcdb2ef240578de139e2e2304d490ad5bb09c.jpg"
	}
}