Nemucod is a Javascript downloader used to perform all kind of nasty stuff, recently a “ransomware” routine has been found in some samples, even if a simple one: a XOR with a predefined 255 bytes key. In other instances we have observed the download of a malicious executable responsible for the encryption process. What we will analyze this time is a variant that downloads the infamous Kovter together with the official 7zip CLI application.
As usual this threat is spread mostly by email, this is a screenshot of the email received from one of our customers:
There’s no harm in reading the email, unless the attachment is unpacked and opened.
Attachment
A Javascript file can be extracted from the zip archive.
The detection rate from the various AV families is shown below and is not as high as expected (just 23% of the AVs detect it as malicious), a possible sign that the obfuscation techniques adopted are not worthless after all and can still fool several engines:
The javascript (MD5: 50EB3B5F187072AD585D9009A05B2F7E) is of course obfuscated:
After proceeding with the deobfuscation we can get an idea of how the script works.
Nemucod deobfuscated javascript
The analysis of the javascript is straightforward and can be split in two parts.
In the first 40 lines shown above there are only the variables definitions and a for loop responsible for the download of 3 executables that are stored into the %TEMP% folder.
The ky variable, that is the key, is randomly generated with a fixed length of 36 alphanumerical characters. The key generated is then passed as a parameter to the URL used to download the executables. The generated key is thus sent to the controlling server and the download stage performed at the same time. The key generated is sent over plain HTTP, so if your corporate firewall logs GET requests, it’s trivial to recover the key. Below the 3 GET requests intercepted:
The mime-type is set to PNG image, but the script saves them as executables (.exe).
This is a list of all the domains reached:
Domain | IP | Country code | Date |
ujjwaljeweller[.]com | 143.95.252.34 | US | 2016-01-08 |
topikriau[.]com | 202.150.213.153 | SG | 2016-02-01 |
yc4tuna[.]com | 185.26.122.250 | RU | 2013-11-19 |
yingyigood[.]com | 121.42.94.198 | CN | 2015-04-20 |
xn--oi2bq3ygphw3bbzh[.]com | 112.175.184.91 | KR | 2015-05-21 |
If the first domain is down the script tries with the second one and so on.
The second part of the javascript code can be seen below:
The first 30 lines are used to write a txt file (DECRYPT.txt) containing the ransom information:
Then 3 registry keys are added to assign the .crypted extension to notepad and a copy of the DECRYPT.txt is created on the desktop. Then the ransomware routine begins, overall 79 file extensions are targeted:
.3ds .7z .accdb .als .asm .aup .avi .bas .blend .cad .cdr .cpp .cpr .cpt .cs .csv .doc .docx .dsk .dwg .eps .gpg .gz .indd .jpg .kdb .kdbx .lwo .lws .m4v .max .mb .mdb .mdf .mp4 .mpe .mpeg .mpg .mpp .npr .odb .odm .odt .pas .pdf .pgp .php .ppt .pptx .psd .pub .rar .raw .rtf .scad .skp .sldasm .slddrw .sldprt .ssh .sxi .tar .tif .tiff .tsv .u3d .vb .vbproj .vcproj .vdi .veg .vhd .vmdk .wdb .wmf .wmv .xls .xlsx .zip
The code that performs the encryption is:
call " + fn + "0.exe a -sdel -mx0 -mhe -p" + ky + " " + cq + "%i.crypted" + cq + " " + cq + "%i" + cq + "
which after variables expansion it is:
call C:\Users\PC\AppData\Local\Temp\a0.exe a -sdel -mx0 -mhe -p[ky] "%i.crypted" "%i"
where:
- %i is the targeted file;
- %i.crypted is the encrypted file (the archive name);
- a is the “add” verb;
- -sdel is used to delete the %i file after the process;
- -mx0 is used to store the file without perform compression process;
- -mhe is used to encrypt the file header.
From these commands we recognize the 7zip command line options.
The MD5 hash of the a0.exe file matches the one found on the official 7zip official website (7za.exe). Curiously this instance of 7-Zip is identified as a CryptoLocker and as generic Trojan from two different AntiVirus.
Before payment, if we visit the URL found inside the txt the following message is shown:
IOCs
Registry keys
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Crypted “C:\User\PC\AppData\Local\Temp\a.txt”
HKCR\.crypted “Crypted”
HKCR\Crypted\shell\open\command “notepad.exe C:\User\PC\AppData\Local\Temp\a.txt”
File system
%AppData%\Desktop\DECRYPT.txt
%UserProfile%\Desktop\DECRYPT.txt
Droppers
Nemucod is often used as a spreading vector for other malware families and this one is used to infect the machine with Kovter analyzed previously by our team and as usual with an incredibly low detection rate.
Hashes
2ED816D780891E15F01C1B92C23D91C8 2/57
87B1060CB26EC1323BB5B5BF15F98633 3/57
43FD4AB3DEB986681AEE082AE9A8465F 2/57
91A5AFC09610FB8D195579A46CB56CE3 7/57
C7BD77A6FAB65BD86161B9AB1A005126 3/56
647C3FE0B309FD94DE5D5260205E78DD 1/56
C&Cs
IP | Country code |
178.33.69.66/upload.php | FR |
187.138.71.226 | MX |
189.132.53.167 | MX |
Protection
The usual common sense applies: don’t click on unknown executables, nothing good will ever come out, also keep your AV up to date. Corporate users might benefit from our ReaQta-Core solution that protects sensitive data from tampering and exfiltration, keeping your infrastructure safe from malware infections and ransomware.
Join our newsletter to get the world’s latest security events and our technical analyses delivered directly to your inbox!
ReaQta