Malware Analysis Only reports : New Nemucod wave began ?

DardiM

I've got a free mail account to receive malware (as a potential target).

It seems to be a new wave from Nemucod:

=> 2 malware samples in e-mail attachments in two days :p (June 22 and 23)

Each sample is different

(1) Yesterday:

unpaid-244.js:
21/55
Antivirus scan for 6c1168a040311164204e027246af1fdea909320cbe52dcaa944a8da96717db0a at 2016-06-23 13:19:24 UTC - VirusTotal

"Thank you for your email regarding your order of 21 June, and sorry for the delay in replying. I am
writing to confirm receipt of your order, and to inform you that the item you requested will be delivered
by 25 June at the latest. If you require more information regarding this order, please do not hesitate to
contact me.

Also, our records show that we have not yet received payment for the previous order of 11 June,
so I would be grateful if you could send payment as soon as possible. Please find attached the
corresponding invoice.

If there is anything else you require, our company would be pleased to help. Looking forward to
hearing from you soon.

Yours sincerely
Mabel Leon
Vice President Finance"


(2) Today:

Not yet detected by my KTS, ZAM, MBAM when I received it

unpaid-0422.js:
6/55

Antivirus scan for 261cb31b69cf02a2d43aee64a15251d987df70b3f7b147c9da1504a187d599b6 at 2016-06-23 14:02:59 UTC - VirusTotal

"Velma Glenn asked me to send you the attached Word document, which contains the final version of the report.
Please let me know if you have any trouble with the file, and please let Velma know if you have any questions about the contents of the report.


Kind regards

Anita Henry
Public Affairs/Public Relations Manager"

=> "attached Word document" =>
zip file with .js inside (easy to get suspicious at this moment :rolleyes:)


First .js file:
var abPEad4UlK = [';'..............
................................................
..................'e','s','o','l','c','"',' ','=',' ','6','i','Y','M',' ','r','a','v'];
=> NOT TOO DIFFICULT TO READ FROM THE END (reversed)
eval(abPEad4UlK["reverse"]().join(''));

Second .js file:
var aqtHDOCm = [['v','a','r',' ','M','Y','i','6',' ','=',' ','"','c','l','o','s','e',' ......... => VERY EASY TO READ FROM THE BEGINNING
..............................................
.............................................

eval(aqtHDOCm.join(''));
WScript.Quit(0);

eval(stuff);

So take care, and apply what you learn on this forum :)

JM Safe

.js samples nowadays are growing a lot, thanks for this thread BTW.

DardiM

My second sample was only 6/55 on VirusTotal (Avira / Fortinet / GData / Ikarus / Qihoo-360 / Tencent) when I made my post (fresh sample, as I was one of the targets); none of my (paid) security tools detected it at that moment (KTS, ZAM, MBAM). In fact, only Crystal Security warned me when I ran it, after I had analysed the sample 'manually'. I thought it was interesting to inform people here that a new wave could have begun :)

jamescv7

JavaScript is another problem for AV because it provides easier obfuscation techniques that hide instantly from the standard detection procedure.

So AVs still must improve on their claimed techniques, since analysis tends to take days rather than hours (besides HIPS and BB, which will ask for user intervention).

DardiM

New version of Nemucod / Locky received by e-mail attachment (June 28)

swift b14.js
8/56 => But ZAM and KTS detect it, even if not listed
https://www.virustotal.com/en/file/...d4761f1be3f4f421e160fa55af515337ac8/analysis/

This time, a very short message :rolleyes:

"Hi DardiM,

I am sending you the invoice you requested.

Regards
Harley Branch

Head of Maintenance"

"var afG4Jk61I2S = [';', '', '}', '', ' ', '', ';', '', ')', '', '(', '', ']',
.................................................................
.................................................................
';', '', '"', '', 'e', '', '"', '', ' ', '', '=', '', ' ', '', '6', '', 'x', '', 'H', '', 'B', '', ' ', '', 'r', '', 'a', '', 'v'];
=> NOT TOO DIFFICULT TO READ FROM THE END (reversed)
w = afG4Jk61I2S;
y = w.reverse();
y = y.join('');
@*/
if (w.length > 0) eval(y);
eval(a);
WScript["Q"+"u"+"it"](0);

Test:
...Appdata/local/temp
=> 9C8Ap20aK0
=> 9C8Ap20aK0.exe
=> clout.exe in running process
.zepto extension

See @Modal Soul's post:
Virus Alert - New Locky version adds the .Zepto Extension to Encrypted Files

DardiM

Latest version received by e-mail attachment: July 14, 2016

https://www.virustotal.com/en/file/...83cc067b95e7b23f5cd9a32f895c4acc1f2/analysis/

-SWIFT-dbc-.js
Detection ratio: 25 / 55


"hi DardiM,

Here's that excel file (latest invoices) that you wanted.

Best regards,
Elnora Lowery
Chief Executive Officer"


Threat Verdict: malicious
Threat Score: 100/100
AV Detection Ratio: 36%
AV Family Name: JS:Trojan.JS.Downloader , Trojan-Downloader.JS.Agent.lph, JS/TrojanDownloader.Nemucod.AJP
Time of analysis: 2016-07-14 01:53:48
File Size (bytes): 82904
File Type: ASCII text, with CRLF, LF line terminators
Contacted Domains: zachphoto.7u.cz, error.banan.cz, nicesound.biz, acepipesdeli.com.br
Contacted Hosts: 77.93.211.244, 186.202.153.125


Will post a small analysis