JS/Nemucod
First posted on 30 March 2016.
Source: Microsoft
Aliases:
There are no other names known for JS/Nemucod.
Explanation:
Installation
Threats belonging to the Nemucod family are malicious obfuscated JavaScript (JS) files which are zipped and attached to spam emails. We have seen the following attachments detected as Nemucod variants:
- Invoice_ref-<digits>.zip (for example Invoice_ref-06977496.zip) - detected as TrojanDownloader:JS/Nemucod
- foto.zip - detected as TrojanDownloader:JS/Nemucod.AT
- Gilberto_Bond.zip - detected as TrojanDownloader:JS/Nemucod.AR
- 8221261_notice_to_appear_000986189.zip - detected as TrojanDownloader:JS/Nemucod.P
The text of the email will instruct you to open the attachment which it claims is an invoice, passport, or some other official document.
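As an added example that is not part of the original write-up, the following Python check is what a mail gateway might run on the attachments described above: it blocks any zip that carries a .js member and flags archives whose names match the ones listed. The sample archives are constructed in the script with placeholder contents, the patterns with digits are generalised from the listed examples, and the verdict labels are my own.

```python
import io
import re
import zipfile

# Archive names the page lists for Nemucod spam. The two with digits are
# generalised from the examples given (Invoice_ref-06977496.zip, ...).
NEMUCOD_ARCHIVE_PATTERNS = [
    re.compile(r"^Invoice_ref-\d+\.zip$", re.IGNORECASE),
    re.compile(r"^foto\.zip$", re.IGNORECASE),
    re.compile(r"^Gilberto_Bond\.zip$", re.IGNORECASE),
    re.compile(r"^\d+_notice_to_appear_\d+\.zip$", re.IGNORECASE),
]

def inspect_attachment(filename: str, data: bytes) -> dict:
    """'block' if the archive carries a .js member, 'review' if only the
    archive name matches a known Nemucod pattern, 'clean' otherwise."""
    js_members, is_zip = [], False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            is_zip = True
            for info in zf.infolist():
                # case-insensitive: "INVOICE.JS" is still a script
                if not info.is_dir() and info.filename.lower().endswith(".js"):
                    js_members.append(info.filename)
    except zipfile.BadZipFile:
        pass  # not an archive, so nothing to unpack
    name_hit = any(p.match(filename) for p in NEMUCOD_ARCHIVE_PATTERNS)
    verdict = "block" if js_members else ("review" if name_hit else "clean")
    return {"verdict": verdict, "is_zip": is_zip,
            "js_members": js_members, "name_matches_nemucod": name_hit}

def build_sample_zip(members: dict) -> bytes:
    """Build an in-memory zip; only used to construct the samples below."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed samples with placeholder contents (no real malware).
SAMPLE_ATTACHMENTS = {
    "Invoice_ref-06977496.zip": build_sample_zip({"Invoice_ref-06977496.js": "// placeholder"}),
    "foto.zip": build_sample_zip({"foto.jpg": "placeholder, no script inside"}),
    "report.zip": build_sample_zip({"report.pdf": "%PDF-1.4 placeholder"}),
    "notes.txt": b"plain text, not an archive",
}

def scan_all(attachments: dict) -> dict:
    return {n: inspect_attachment(n, d)["verdict"] for n, d in attachments.items()}
```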
Payload
Connects to a remote host
We have seen this threat connect to a remote host, including:
- sahasafe.com using port 80
- ohelloweuqq.com
- thisisitsqq.com
- hpalsowantsff.com
Malware can connect to a remote host to do any of the following:
- Check for an Internet connection
- Download and run files (including updates or other malware)
- Report a new infection to its author
- Receive configuration or other data
- Receive instructions from a malicious hacker
Downloads files, including other malware
We have seen different variants download files, including:
- office.exe (detected as TrojanSpy:Win32/Ursnif.HP)
- 69.exe (detected as Ransom:Win32/Tescrypt)
- 87.exe (detected as Ransom:Win32/Tescrypt)
The URLs it connects to include the following:
- hpalsowantsff.com
- ohelloweuqq.com
- thisisitsqq.com
- zahasafe.com/systs
Ransom:Win32/Tescrypt is ransomware: it can encrypt files on your PC and demand payment. See the family description Win32/Tescrypt for more information.
We have seen other variants of Nemucod download a variety of malware, including Fareit, which attempts to steal your passwords and personal information, Ursnif, which records information about you and your PC, and other ransomware families including Crowti.
Analysis by Mihai Calota
Last update 30 March 2016