Jaff Ransomware

Posted on June 21, 2017

Name on Threat: Jaff Ransomware

Threat Vector: Email

IOC Hash: SHA1: 6ED179D6131F2407D19B37E31D4AA9C9709D4D99


Jaff ransomware is a file encrypting malware that arrives via download by special crafted macro documents from spam emails. It encrypts users data with a “.jaff” file extension and then requests the victim pay a ransom.


The following files are usually seen on the system:

  • ReadMe.bmp
  • ReadMe.html
  • ReadMe.txt
  • Encrypted files with extension “.jaff”

The desktop wallpaper is changed on the victim’s system to give instructions for decrypting the files.

Technical Overview

This malware is download using a specially crafted document with malicious macros.

1.) Upon execution, it tries to communicate with its C2:


The C2 responds with the word “Created”. No other information is transmitted between the C2 and the victim’s machine.

(Note: even if the C2 is inactive, it will still perform its file encryption routine)

2.) File Encryption

It encrypts files with AES and targets the filenames with the following extensions:


Once the file is encrypted, it adds the “.jaff” extension to the filename.

3.) It drops the following files in every directory where a file was encrypted. These are Ransom Notes.


4.) Once all files are encrypted on the system, it will replace the desktop wallpaper like the snapshot below:

It does this by modifying the following registry entry:

HKEY_CURRENT_USERControl PanelDesktop
[Wallpaper] = [%Path of Ransomware Wallpaper%]

5.) The malware deletes itself after performing its deed.