thez3r0

Jaff - New Ransomware From the Actors Behind the Distribution of Dridex, Locky, and Bart

Jaff ransomware makes entries in the Windows Registry to achieve a form of persistence, and even launch and repress processes inside the Windows Operating System. Some of these entries are designed in a way that will start the virus automatically with every launch of Windows. One registry entry reported to be implemented by this ransomware is the following:

→HKCU\Control Panel\Desktop\Wallpaper “C:\ProgramData\Rondo\WallpapeR.bmp”

The ransom note will be displayed after the encryption process is complete. It will be put in three identical files which are ReadMe.bmp, ReadMe.html and ReadMe.txt. Inside them there will be instructions.

Jaff Ransomware Indicators of Compromise (IOCs) IOC IOC Type Description

thez3r0

@Echo off 
mode 50,9
title WannaCry SinkHoler  
color 02
cls
ECHO.
echo ****************************
echo *     WannaCry SinkHoler  
echo *      Author: .anir0y	
echo * Follow: fb.com/anir0y	

thez3r0

/*
 PoC WhatsApp enumeration of phonenumbers, profile pics, about texts and online statuses
 Floated div edition
 01-05-2017
 (c) 2017 - Loran Kloeze - loran@ralon.nl
 
 This script creates a UI on top of the WhatsApp Web interface. It enumerates certain kinds
 of information from a range of phonenumbers. It doesn't matter if these numbers are part
 of your contact list. At the end a table is displayed containing phonenumbers, profile pics, 
 about texts and online statuses. The online statuses are being updated every

thez3r0

Keybase proof

I hereby claim:

• I am thez3r0 on github.
• I am anir0y (https://keybase.io/anir0y) on keybase.
• I have a public key whose fingerprint is C2DD 925A E4EA 4B4B 64F3 0522 EA60 6F14 2CBC AFD7

To claim this, I am signing this object: