Nemucod, the dropped files

Yesterday I posted a blog about Cuckoo & Nemucod. It looked like the Nemucod sample downloaded 2 files successfully, but after reading the Kahu Security write-up of the same sample, which states that there were no successful downloads, I immediately had a look this morning at what was in the files. Both dropped files just contain an error message: one is a 403 error and the other one something to do with db not allowed.

I assumed (bad bad bad) that something was in both files, since I saw this sample download some files with interesting content last week. After a closer look the download sites seem to be either down or to have removed the downloadable content from their sites. Luckily malwr.com holds the submitted sample together with the dropped files.

Be aware that this Nemucod downloader carries a certain job id. The same file is in the wild with different JobIDs and different payloads to be downloaded. The JobID for this sample is uDvjhoi. ThreatMiner gives 191 results related to this sample; probably there is not much difference between the samples other than the JobID.

So what do we have?

XhrqpFwuqG2, 334 bytes, HTML document, ASCII text -> no matches on VirusTotal/YARA

b25e30c420aee02c187f2cc3ff1f17b3a911a0bdfc2368ebeb0a7a5a82f8b319

This file contains an error message:

You don’t have permission to access /g7fb6v

g7fb6v[1].htm, 511 bytes, ASCII text -> no matches on VirusTotal/YARA

9497256e044110c051052b2fc31b3d16ed14e8233fa2f60e8ce83127b95b9ed2

This file contains an error:

require(/home/lkadz/public_html/naturesagro.com/wp-includes/functions.php): failed to open stream: No such file or directory in <b>/home/lkadz/public_html/naturesagro.com/wp-settings.php</b> on line <b>65</b><br

XhrqpFwuqG4, HTML document, ASCII text, with very long lines, with CRLF, LF line terminators -> no matches on VirusTotal/YARA

73831709d228ae752c6d41016fff10a7caa984da7bb8edab38cfff2df5c1f4fc

Having a closer look (binwalk, atom), this is nothing more than an HTML document with some JavaScript in it. Nothing special though.
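The check above (hash, size, type, then actually read the content) is worth scripting, because a sandbox "successfully downloaded" a file whenever the HTTP request returned a body, not only when a payload came back. The following triage script is an added example and not the blog's own tooling; the file names are taken from the post, but every file body is constructed to resemble what the post describes (an Apache-style 403 page, a PHP warning with placeholder paths, a plain HTML page with inline script, and a few bytes with a PE magic to show what would be escalated instead). It classifies each dropped file as a server-side error page, HTML, a PE executable, or unknown binary/text, so the analyst sees at a glance which "downloads" are really payload candidates.

```python
"""Triage dropped files from a downloader run: hash, size, and a content verdict.

Added example, not the blog's own tooling. SAMPLES below are constructed to
resemble the dropped files described in the post; the HTTP and PHP texts are
modelled on it and the paths are placeholders.
"""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Verdict:
    name: str
    sha256: str
    size: int
    kind: str     # "http-error", "php-error", "html", "pe-executable", "binary", "text"
    detail: str   # the matched evidence, for the analyst's notes


# Ordered rules over decoded text: first match wins. Server-side error pages
# are checked first because they are the most common non-payload "download".
TEXT_RULES = [
    ("http-error", re.compile(r"(?i)\b(403 Forbidden|404 Not Found|Not Found|Forbidden)\b"
                              r"|you don.t have permission to access")),
    ("php-error",  re.compile(r"(?i)(failed to open stream"
                              r"|No such file or directory in <b>.*?</b> on line <b>\d+</b>"
                              r"|Fatal error:|Warning:)")),
    ("html",       re.compile(r"(?i)<\s*(html|script|body)\b")),
]


def _printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII or whitespace (1.0 for empty input)."""
    if not data:
        return 1.0
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data)


def triage(name: str, data: bytes) -> Verdict:
    """Hash the file and decide whether its content is an error page or a real candidate."""
    sha256 = hashlib.sha256(data).hexdigest()
    if data[:2] == b"MZ":
        return Verdict(name, sha256, len(data), "pe-executable", "MZ header at offset 0")
    if _printable_ratio(data) < 0.9:
        return Verdict(name, sha256, len(data), "binary", "non-text content, inspect with a hex viewer")
    text = data.decode("utf-8", errors="replace")
    for kind, rx in TEXT_RULES:
        m = rx.search(text)
        if m:
            return Verdict(name, sha256, len(data), kind, m.group(0))
    return Verdict(name, sha256, len(data), "text", "no rule matched")


def triage_all(samples: dict) -> list:
    return [triage(n, d) for n, d in samples.items()]


def payload_candidates(verdicts) -> list:
    """Names worth escalating: anything that is not a server error page."""
    return [v.name for v in verdicts if v.kind not in ("http-error", "php-error")]


# Constructed sample bodies (not the real dropped files).
SAMPLES = {
    # Apache-style 403 body, text modelled on the post's first dropped file
    "XhrqpFwuqG2": (b"<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n"
                    b"<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n"
                    b"<p>You don't have permission to access /g7fb6v\non this server.</p>\n"
                    b"</body></html>\n"),
    # PHP warning of the kind shown in the post's second dropped file; paths are placeholders
    "g7fb6v[1].htm": (b"<br />\n<b>Warning</b>:  require(/home/EXAMPLE/wp-includes/functions.php): "
                      b"failed to open stream: No such file or directory in "
                      b"<b>/home/EXAMPLE/wp-settings.php</b> on line <b>65</b><br />\n"),
    # plain page with inline script, like the third dropped file
    "XhrqpFwuqG4": b"<html><head><script>document.write('hello');</script></head><body></body></html>\r\n",
    # what would be escalated: PE magic only, not a real executable
    "payload.exe": b"MZ\x90\x00" + b"\x00" * 60,
}


if __name__ == "__main__":
    verdicts = triage_all(SAMPLES)
    for v in verdicts:
        print(f"{v.name:16} {v.size:5d} B  {v.sha256[:16]}...  {v.kind:14} {v.detail!r}")
    print("escalate:", payload_candidates(verdicts))
```

Run it on the dropped-files directory by replacing SAMPLES with the files read from disk; the rules are deliberately narrow, so an unmatched text file stays "text" and still gets eyeballed rather than being silently dismissed.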

So no payloads 🙁 I searched the web, but it seems this sample was not very successful, probably because it was already end of life and well detected by most AV products.
