Advissa Ludvinka sends me Nemucod

-> Will update as the debugging progresses. The JavaScript is heavily obfuscated, so it is not easy to read.

Out of curiosity I decided to have a better look at an attachment that came with a spam message this week. The message has no written content and the subject “Receipt 7068-586205”.

Apparently the mail was sent from a mailserver in Saudi Arabia. A total spam score of 130 seems not to have been enough to let the message through to my inbox.

From - Sat Oct 08 16:11:10 2016
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:
Return-Path: <alissa.ludvinka@gmail.com>
Delivered-To: bart@bartdecker.nl
Received: from xxxxxx.nl
by xxxxxx.nl (Dovecot) with LMTP id WD6tC6pA9le+cQAAEaLD6Q
for <bart@bartdecker.nl>; Thu, 06 Oct 2016 14:23:59 +0200
Return-path: <alissa.ludvinka@gmail.com>
Envelope-to: bart@bartdecker.nl
Delivery-date: Thu, 06 Oct 2016 14:23:59 +0200
Received: from [172.80.212.249] (port=18241)
by xxxxxxxxx with esmtp (Exim 4.87)
(envelope-from <alissa.ludvinka@gmail.com>)
id 1bs7iQ-0003wp-JI
for bart@bartdecker.nl; Thu, 06 Oct 2016 14:23:59 +0200
Message-ID: <2987b8b6.3ab41d91.19cce.d9ef@mx.google.com>
Date: Thu, 06 Oct 2016 15:53:51 +0430
X-Google-Original-Date: Thu, 06 Oct 2016 15:53:51 +0430
MIME-Version: 1.0
From: alissa.ludvinka@gmail.com
To: bart@bartdecker.nl
Subject: Receipt 7068-586205
Content-Type: multipart/mixed;
boundary=--boundary_117_28089751-6289-1a9f-c770-0c20fb9c6442
X-Original-To: bart@bartdecker.nl
SPFCheck: Soft Fail, 30 Spam score
ReverseDNS: No reverse DNS for mailserver at 172.80.212.249, +100 Spam score
SpamTally: Final spam score: 130
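The header block above, read the way a mail-filter analyst reads it, as an added example (this is not part of the original post): each relay prepends its own Received header, so the last Received header in the list is the hop that handed the message to the receiving MX, and that is where the originating IP comes from. The sample below is the header text copied from the message above, with the folded continuation lines re-indented and the mailbox "From -" line dropped; SPFCheck, ReverseDNS and SpamTally are the filter's own nonstandard headers exactly as they appear above. The code assumes nothing about the filter beyond the text of those three lines.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Header block copied from the spam message above. Continuation lines are
# indented again so the parser sees them as folded headers.
HEADERS = """\
Return-Path: <alissa.ludvinka@gmail.com>
Delivered-To: bart@bartdecker.nl
Received: from xxxxxx.nl
    by xxxxxx.nl (Dovecot) with LMTP id WD6tC6pA9le+cQAAEaLD6Q
    for <bart@bartdecker.nl>; Thu, 06 Oct 2016 14:23:59 +0200
Received: from [172.80.212.249] (port=18241)
    by xxxxxxxxx with esmtp (Exim 4.87)
    (envelope-from <alissa.ludvinka@gmail.com>)
    id 1bs7iQ-0003wp-JI
    for bart@bartdecker.nl; Thu, 06 Oct 2016 14:23:59 +0200
Message-ID: <2987b8b6.3ab41d91.19cce.d9ef@mx.google.com>
Date: Thu, 06 Oct 2016 15:53:51 +0430
From: alissa.ludvinka@gmail.com
To: bart@bartdecker.nl
Subject: Receipt 7068-586205
SPFCheck: Soft Fail, 30 Spam score
ReverseDNS: No reverse DNS for mailserver at 172.80.212.249, +100 Spam score
SpamTally: Final spam score: 130

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
SCORE_RE = re.compile(r"\+?(\d+) Spam score")


def parse_headers(text=HEADERS):
    return message_from_string(text)


def originating_ip(msg):
    """Received headers are prepended hop by hop, so the LAST one is the
    earliest hop we can see: the host that connected to our MX. Only hops
    written by your own servers are trustworthy; anything the sender
    supplied before that can be forged."""
    for hop in reversed(msg.get_all("Received") or []):
        m = IP_RE.search(hop)
        if m:
            return m.group(1)
    return None


def date_utc_offset_hours(msg):
    """Offset of the sender-supplied Date header (client clock, forgeable)."""
    return parsedate_to_datetime(msg["Date"]).utcoffset().total_seconds() / 3600


def spam_score_components(msg):
    """The filter's per-check scores, pulled from its own headers."""
    comps = {}
    for name in ("SPFCheck", "ReverseDNS"):
        m = SCORE_RE.search(msg.get(name, ""))
        if m:
            comps[name] = int(m.group(1))
    return comps


def tally_matches(msg):
    """Does the sum of the per-check scores equal the filter's final tally?"""
    claimed = int(re.search(r"(\d+)\s*$", msg["SpamTally"]).group(1))
    return sum(spam_score_components(msg).values()) == claimed


def spoofing_indicators(msg):
    """Facts from the headers that contradict a genuine gmail.com sender."""
    flags = []
    if not msg.get("SPFCheck", "").lower().startswith("pass"):
        flags.append("spf-not-pass")
    if "No reverse DNS" in msg.get("ReverseDNS", ""):
        flags.append("no-rdns")
    return flags


if __name__ == "__main__":
    m = parse_headers()
    print(originating_ip(m), date_utc_offset_hours(m),
          spam_score_components(m), tally_matches(m), spoofing_indicators(m))
```

Two checks fall out of this: the 30 + 100 component scores do add up to the 130 the filter reports, and a sender claiming gmail.com whose connecting host is a bare IP with no reverse DNS and a soft-failing SPF record is not Gmail's infrastructure, whatever the From header says.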

Now the attachment. Uploading it to VirusTotal gives me 31/54 detections, with names ranging from JS:Trojan.JS.Nemucod.DA to HEUR/Suspar.gen. Most detections refer to a trojan called Nemucod. Probably no coincidence that there is a blog post on welivesecurity titled “Nemucod is back and serving an ad-clicking backdoor instead of ransomware”.

From reading I learn that Nemucod is the downloader for the actual trojan, called Win32/Kovter. In the comments at welivesecurity I read that, aside from downloading Win32/Kovter, it still encrypts files.

So let’s have a closer look in a lab environment. The “Receipt” attachment is a ZIP file which contains a Windows Script File (.wsf) named 6562871224.wsf.

You can inspect binary files such as this archive with a tool called binwalk.

[screenshot: binwalk output]

So let’s extract the zip file and move the extracted file over to an isolated Windows 7 machine.
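Before anything is extracted or copied to the lab machine, the archive can be enumerated entirely in memory. The following is an added example, not code from the original post: it builds a constructed stand-in for the “Receipt” ZIP (one .wsf member holding an inert placeholder body, not the real 6562871224.wsf) and reports, per member, the hash, whether the extension is one Windows Script Host or Explorer executes on double-click, whether the name uses a double extension, and whether the member name would escape the extraction directory. The extension list and the placeholder body are this example's assumptions.

```python
import hashlib
import io
import zipfile

# Extensions that Windows Script Host or Explorer execute directly when
# double-clicked; a ZIP with a single such member is the classic dropper.
SCRIPT_EXTS = {".wsf", ".js", ".jse", ".vbs", ".vbe", ".hta", ".ps1",
               ".cmd", ".bat", ".lnk", ".scr", ".exe"}

# Constructed, inert placeholder standing in for the real script body.
SAMPLE_WSF_BODY = '<job><script language="JScript">/* placeholder */</script></job>'


def build_sample_zip():
    """Constructed stand-in for the 'Receipt' attachment: one .wsf member
    with the placeholder body above (not the real 6562871224.wsf)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("6562871224.wsf", SAMPLE_WSF_BODY)
    return buf.getvalue()


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def triage_zip(data):
    """Describe every member of a ZIP held in memory. Nothing is written
    to disk, so a hostile member name or body cannot land anywhere."""
    report = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = name.split("/")
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            content = zf.read(info)  # decompressed into memory only
            report.append({
                "name": name,
                "size": info.file_size,
                "sha256": sha256_hex(content),
                "script": ext in SCRIPT_EXTS,
                "double_ext": name.count(".") > 1,
                # names like ../../x or /etc/x escape the target directory
                # with a naive extractor (zip slip)
                "path_traversal": name.startswith("/") or ".." in parts,
                # very high ratios are the zip-bomb warning sign
                "ratio": info.file_size / max(info.compress_size, 1),
                "magic": content[:4],
            })
    return report


if __name__ == "__main__":
    for member in triage_zip(build_sample_zip()):
        print(member)
```

The SHA-256 is what goes to VirusTotal or a sandbox; the script-extension and traversal flags decide whether the file is opened at all, and only on the isolated machine.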

Will add to this when analysis progresses ->

A base64 string found in the script:

TW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNi4wOyBXaW5kb3dzIE5UIDUuMCk=

which decodes to the User-Agent string

Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)

Hosts that appear to serve the files to download (with the IPs they resolved to, where noted) ->

keygamepc.com 103.7.41.178
kv6j.net 69.161.143.154
naturesagro.com 184.154.142.202
drsearscoach.com 23.235.217.84
stenokeid.org
oofyming.com
veddanagor.net
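Both the base64 User-Agent above and the host list fall out of a first string pass over the script, which is what the following added example does (it is not code from the original post or from the malware). The script text it runs on is a constructed fragment that embeds the base64 string and the seven host names listed above; it is not the real 6562871224.wsf, and its variable names are invented. Candidates are accepted as base64 only if they validate and decode to printable ASCII, which drops long identifiers that merely look like base64, and domains are matched against a small TLD allowlist (an assumption here, extend as needed) so that property accesses such as hosts.length are not mistaken for hosts.

```python
import base64
import binascii
import re

# Constructed stand-in for fragments of the obfuscated script (not the real
# 6562871224.wsf); invented variable names, real strings from the post.
SAMPLE_SCRIPT = r'''
var hosts = ["keygamepc.com", "kv6j.net", "naturesagro.com", "drsearscoach.com",
             "stenokeid.org", "oofyming.com", "veddanagor.net"];
var ua_b64 = "TW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgNi4wOyBXaW5kb3dzIE5UIDUuMCk=";
var sh = new ActiveXObject("WScript.Shell");
for (var counter = hosts.length; counter > 0; counter--) { /* ... */ }
'''

# Runs of base64 alphabet long enough not to be noise, with optional padding.
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# TLD allowlist (assumption): keeps "hosts.length" from matching as a domain.
TLDS = ("com", "net", "org", "info", "biz", "ru")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+(?:%s)\b" % "|".join(TLDS))


def decode_base64_strings(text, min_len=8):
    """Return {encoded: decoded} for every base64-looking run that decodes
    to printable ASCII. Identifiers that merely look like base64 fail
    strict validation (bad length or padding) or decode to binary junk,
    and are dropped."""
    found = {}
    for cand in B64_RE.findall(text):
        try:
            raw = base64.b64decode(cand, validate=True)
        except binascii.Error:
            continue
        if len(raw) >= min_len and all(32 <= b < 127 for b in raw):
            found[cand] = raw.decode("ascii")
    return found


def extract_domains(text):
    """Sorted, de-duplicated host names present as literals in the text."""
    return sorted(set(DOMAIN_RE.findall(text)))


if __name__ == "__main__":
    print(decode_base64_strings(SAMPLE_SCRIPT))
    print(extract_domains(SAMPLE_SCRIPT))
```

On the real script this only catches literals; hosts assembled at runtime from concatenated fragments or decoded by the script's own unpack routine will not show up until the script is stepped through in the debugger, which is the part still in progress above.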

 

[attachment: dump]

Some functions (as listed by the script outline):

global: Maze, abbida, efioppocsonny5achievment, efioppocsonny5lololosh, efioppocsonnyEmptyVara, efioppocsonnyREPONAFT, unpack

«dirs»()

«shuffle»(array) - parameter: array; variable: counter

«random»(array) - parameter: array; variables: element, i

«Zhido»(a1a, b2b) - parameters: a1a, b2b

unpack(xs) - parameter: xs

efioppocsonny5achievment(efioppocsonny5bidttt) - parameter: efioppocsonny5bidttt
