Yesterday I posted a blog about Cuckoo & Nemucod. It looked like the Nemucod sample downloaded 2 files successfully, but after reading the Kahu Security write-up of the same sample, stating that there were no successful downloads, I immediately had a look this morning at what was in the files. Both dropped files just state an error message. One is a 403 error and the other one something to do with db not allowed.
I assumed (bad bad bad) that something was in both files since I saw this sample download some files with interesting content last week. After a closer look the download sites seem to be either down or have removed the downloadable content from their sites. Luckily malwr.com holds the submitted sample with the dropped files.
Be aware that this Nemucod downloader has a certain job id. The same file is in the wild with different JobIDs and different payloads to be downloaded. The JobID for this sample is: uDvjhoi. ThreatMiner gives 191 results related to this sample. Probably there is not much difference between the samples other than the JobID.
So what do we have?
XhrqpFwuqG2: 334 bytes, HTML document, ASCII text -> no matches virustotal/yara
This file contains an error message:
You don’t have permission to access /g7fb6v
g7fb6v.htm: 511 bytes, ASCII text -> no matches virustotal/yara
This file contains an error:
require(/home/lkadz/public_html/naturesagro.com/wp-includes/functions.php): failed to open stream: No such file or directory in <b>/home/lkadz/public_html/naturesagro.com/wp-settings.php</b> on line <b>65</b><br
XhrqpFwuqG4: HTML document, ASCII text, with very long lines, with CRLF, LF line terminators -> no matches virustotal/yara
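The following is an added example, not code from the original post, from Cuckoo or from malwr.com: a small Python triage script that classifies sandbox-dropped files as HTTP error pages, PHP error output or candidate payloads, so that a 403 body or a broken-WordPress warning is not mistaken for a successful download. The file names, contents and helper names (classify, triage, candidate_payloads) are constructed for the example and modelled on the three files above; no real malware bytes are included.

```python
"""Triage files that a sandbox recorded as 'dropped' by a downloader.

Added example, not from the original post or any named project. Sandboxes
store every HTTP response body, so an error page from a dead or cleaned-up
site looks like a successful download until someone opens it. This script
flags server-side error bodies and reports what is left as candidate payloads.
"""
import math
import re

# Constructed sample inputs, modelled on the three dropped files in the post.
# Paths and names are placeholders, not the real ones.
SAMPLES = {
    "XhrqpFwuqG2": (
        b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n'
        b"<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n"
        b"<p>You don't have permission to access /g7fb6v\non this server.</p>\n"
        b"</body></html>\n"
    ),
    "g7fb6v.htm": (
        b"<br />\n<b>Warning</b>:  require(/home/user/public_html/example/"
        b"wp-includes/functions.php): failed to open stream: No such file or "
        b"directory in <b>/home/user/public_html/example/wp-settings.php</b> "
        b"on line <b>65</b><br />\n"
    ),
    # Constructed stand-in for a real payload: a PE header followed by
    # high-entropy filler, roughly what a packed executable looks like.
    "XhrqpFwuqG1": b"MZ\x90\x00\x03\x00\x00\x00" + bytes(range(256)) * 8,
}

# Typical markers of a web-server error body (Apache-style 403/404/5xx pages).
HTTP_ERROR = re.compile(
    rb"<title>\s*(?P<code>[45]\d\d)\b|don.{1,3}t have permission to access", re.I
)
# Typical markers of PHP warnings/fatals echoed into the response body.
PHP_ERROR = re.compile(
    rb"<b>(Warning|Fatal error|Parse error|Notice)</b>:|failed to open stream|"
    rb" on line <b>\d+</b>",
    re.I,
)
# The path the client asked for, as echoed by the 403 page; it links the error
# body to the file name the downloader would have saved it under.
REQUESTED_PATH = re.compile(rb"permission to access (?P<path>\S+)")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed/encrypted payloads sit near 8, text well below."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(data: bytes) -> str:
    """Label one response body: empty, pe-executable, php-error,
    http-error-page, html-or-text, or binary."""
    if not data:
        return "empty"
    if data[:2] == b"MZ":          # DOS/PE header: worth a closer look
        return "pe-executable"
    if PHP_ERROR.search(data):     # server misconfiguration, not a payload
        return "php-error"
    if HTTP_ERROR.search(data):    # 4xx/5xx page, not a payload
        return "http-error-page"
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return "html-or-text" if printable / len(data) > 0.95 else "binary"


def triage(files: dict) -> dict:
    """Return {name: {kind, size, entropy, requested_path}} for each file."""
    report = {}
    for name, data in files.items():
        m = REQUESTED_PATH.search(data)
        report[name] = {
            "kind": classify(data),
            "size": len(data),
            "entropy": round(shannon_entropy(data), 2),
            "requested_path": m.group("path").decode(errors="replace") if m else None,
        }
    return report


def candidate_payloads(files: dict) -> list:
    """Names of files that are not obviously error output and deserve analysis."""
    return sorted(n for n, r in triage(files).items()
                  if r["kind"] in ("pe-executable", "binary"))


if __name__ == "__main__":
    for name, r in triage(SAMPLES).items():
        print(f"{name:12} {r['kind']:16} {r['size']:6d} bytes  "
              f"entropy={r['entropy']:.2f}  requested={r['requested_path']}")
    print("candidate payloads:", candidate_payloads(SAMPLES))
```

Run it over the dropped-files directory of a sandbox report instead of SAMPLES (read each file as bytes into the dict) and only the entries listed under candidate payloads need a second look; the 403 page also yields the requested path, which here ties XhrqpFwuqG2 to g7fb6v.htm.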
So no payloads 🙁 I searched the web but it seems that this sample was not very successful. Probably because the sample was already end of life and well detected by most AV products.