Nemucod is a Javascript downloader used to perform all kind of nasty stuff, recently a “ransomware” routine has been found in some samples, even if a simple one: a XOR with a predefined 255 bytes key. In other instances we have observed the download of a malicious executable responsible for the encryption process. What we will analyze this time is a variant that downloads the infamous Kovter together with the official 7zip CLI application.

Email

As usual this threat is spread mostly by email, this is a screenshot of the email received from one of our customers:

Nemucod infected email
Nemucod infected email

There’s no harm in reading the email, unless the attachment is unpacked and opened.

Attachment

A Javascript file can be extracted from the zip archive.
new_nemucod_uses_7zip_attachment
The detection rate from the various AV families is shown below and is not as high as expected (just 23% of the AVs detect it as malicious), a possible sign that the obfuscation techniques adopted are not worthless after all and can still fool several engines:
new_nemucod_uses_7zip_vt
The javascript (MD550EB3B5F187072AD585D9009A05B2F7E) is of course obfuscated:
new_nemucod_uses_7zip_obfuscated_excerpt
After proceeding with the deobfuscation we can get an idea of how the script works.

Nemucod deobfuscated javascript

The analysis of the javascript is straightforward and can be split in two parts.
new_nemucod_uses_7zip_deobfuscated1
In the first 40 lines shown above there are only the variables definitions and a for loop responsible for the download of 3 executables that are stored into the %TEMP% folder.
The ky variable, that is the key, is randomly generated with a fixed length of 36 alphanumerical characters. The key generated is then passed as a parameter to the URL used to download the executables. The generated key is thus sent to the controlling server and the download stage performed at the same time. The key generated is sent over plain HTTP, so if your corporate firewall logs GET requests, it’s trivial to recover the key. Below the 3 GET requests intercepted:
new_nemucod_uses_7zip_get_requests
The mime-type is set to PNG image, but the script saves them as executables (.exe).
This is a list of all the domains reached:

Domain IP Country code Date
ujjwaljeweller[.]com   143.95.252.34 US 2016-01-08
topikriau[.]com 202.150.213.153 SG 2016-02-01
yc4tuna[.]com 185.26.122.250 RU 2013-11-19
yingyigood[.]com 121.42.94.198 CN 2015-04-20
xn--oi2bq3ygphw3bbzh[.]com 112.175.184.91 KR 2015-05-21

If the first domain is down the script tries with the second one and so on.
The second part of the javascript code can be seen below:
new_nemucod_uses_7zip_deobfuscated2
The first 30 lines are used to write a txt file (DECRYPT.txt) containing the ransom information:
new_nemucod_uses_7zip_refund_informations
Then 3 registry keys are added to assign the .crypted extension to notepad and a copy of the DECRYPT.txt is created on the desktop. Then the ransomware routine begins, overall 79 file extensions are targeted:

.3ds .7z .accdb .als .asm .aup .avi .bas .blend .cad .cdr .cpp .cpr .cpt .cs .csv .doc .docx .dsk .dwg .eps .gpg .gz .indd .jpg .kdb .kdbx .lwo .lws .m4v .max .mb .mdb .mdf .mp4 .mpe .mpeg .mpg .mpp .npr .odb .odm .odt .pas .pdf .pgp .php .ppt .pptx .psd .pub .rar .raw .rtf .scad .skp .sldasm .slddrw .sldprt .ssh .sxi .tar .tif .tiff .tsv .u3d .vb .vbproj .vcproj .vdi .veg .vhd .vmdk .wdb .wmf .wmv .xls .xlsx .zip

The code that performs the encryption is:

call " + fn + "0.exe a -sdel -mx0 -mhe -p" + ky + " " + cq + "%i.crypted" + cq + " " + cq + "%i" + cq + "

which after variables expansion it is:

call C:\Users\PC\AppData\Local\Temp\a0.exe a -sdel -mx0 -mhe -p[ky] "%i.crypted" "%i"

where:

  • %i is the targeted file;
  • %i.crypted is the encrypted file (the archive name);
  • a is the “add” verb;
  • -sdel is used to delete the %i file after the process;
  • -mx0 is used to store the file without perform compression process;
  • -mhe is used to encrypt the file header.

From these commands we recognize the 7zip command line options.
new_nemucod_uses_7zip_7zip
The MD5 hash of the a0.exe file matches the one found on the official 7zip official website (7za.exe). Curiously this instance of 7-Zip is identified as a CryptoLocker and as generic Trojan from two different AntiVirus.

7-Zip detection on VT
7-Zip detection on VT

Before payment, if we visit the URL found inside the txt the following message is shown:
Site

IOCs

Registry keys

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Crypted    “C:\User\PC\AppData\Local\Temp\a.txt”
HKCR\.crypted    “Crypted”
HKCR\Crypted\shell\open\command        “notepad.exe C:\User\PC\AppData\Local\Temp\a.txt”

File system

%AppData%\Desktop\DECRYPT.txt
%UserProfile%\Desktop\DECRYPT.txt

 

Droppers

Nemucod is often used as a spreading vector for other malware families and this one is used to infect the machine with Kovter analyzed previously by our team and as usual with an incredibly low detection rate.

Hashes

2ED816D780891E15F01C1B92C23D91C8    2/57
87B1060CB26EC1323BB5B5BF15F98633    3/57
43FD4AB3DEB986681AEE082AE9A8465F    2/57
91A5AFC09610FB8D195579A46CB56CE3    7/57
C7BD77A6FAB65BD86161B9AB1A005126    3/56
647C3FE0B309FD94DE5D5260205E78DD    1/56

C&Cs

IP Country code
178.33.69.66/upload.php FR
187.138.71.226 MX
189.132.53.167 MX

Protection

The usual common sense applies: don’t click on unknown executables, nothing good will ever come out, also keep your AV up to date. Corporate users might benefit from our ReaQta-Core solution that protects sensitive data from tampering and exfiltration, keeping your infrastructure safe from malware infections and ransomware.
Join our newsletter to get the world’s latest security events and our technical analyses delivered directly to your inbox!

ReaQta