Nemucod, the dropped files

Yesterday I posted a blog about Cuckoo & Nemucod. It looked like the Nemucod sample downloaded 2 files successfully, but after reading the Kahu Security write-up of the same sample, stating that there were no successful downloads, I immediately had a look this morning at what was in the files. Both dropped files just contain an error message. One is a 403 error and the other one has something to do with a db not being allowed.

I assumed (bad, bad, bad) that something was in both files, since I saw this sample download files with interesting content last week. After a closer look, the download sites seem to be either down or to have removed the downloadable content from their sites. Luckily the submitted sample, together with the dropped files, is still held.

Be aware that this Nemucod downloader carries a specific JobID. The same file is in the wild with different JobIDs and different payloads to be downloaded. The JobID for this sample is: uDvjhoi. ThreatMiner gives 191 results related to this sample; probably there is not much difference between the samples other than the JobID.

So what do we have?

XhrqpFwuqG2 334 bytes   HTML document, ASCII text  -> no matches virustotal/yara


This file contains an error message:

You don’t have permission to access /g7fb6v

g7fb6v[1].htm 511 bytes  ASCII text  -> no matches virustotal/yara


This file contains a PHP warning:

require(/home/lkadz/public_html/ failed to open stream: No such file or directory in <b>/home/lkadz/public_html/</b> on line <b>65</b><br

XhrqpFwuqG4 HTML document, ASCII text, with very long lines, with CRLF, LF line terminators  -> no matches virustotal/yara


A closer look (binwalk, Atom) shows this is nothing more than an HTML document with some JavaScript in it. Nothing special, though.
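The three files above illustrate a trap in sandbox reports: a "successful" download is often just the server's error text, not a payload. Below is an added triage script (written for this post, not code from the original article or from any Nemucod sample) that classifies dropped files the way the manual check above did: known binary magic first, then HTTP error pages, PHP warnings leaked into the body, plain HTML with or without script, and only then "unrecognised binary", which is what a real payload would land on. The sample bytes are constructed stand-ins that reproduce only the error text quoted in the post; the file sizes and the PHP paths in them are hypothetical.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed stand-ins for the dropped files discussed above (added example data,
# not the bytes of the real dropped files; the post only quotes fragments of them).
SAMPLES = {
    # Apache-style 403 page, like the first dropped file.
    "XhrqpFwuqG2": (
        b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n'
        b"<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n"
        b"<p>You don't have permission to access /g7fb6v\non this server.</p>\n"
        b"</body></html>\n"
    ),
    # PHP warning dumped into the response body, like the second dropped file
    # (hypothetical paths; the real path is not fully reproduced in the post).
    "g7fb6v[1].htm": (
        b"<br />\n<b>Warning</b>:  require(/var/www/html/inc/conf.php): "
        b"failed to open stream: No such file or directory in "
        b"<b>/var/www/html/index.php</b> on line <b>65</b><br />\n"
    ),
    # Plain HTML with a bit of JavaScript, like the third dropped file.
    "XhrqpFwuqG4": b"<html><head><script>var x = 1;</script></head><body>hi</body></html>\r\n",
    # Constructed stub with a PE header, to show what a real payload would trigger.
    "payload.bin": b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00",
}

# Magic prefixes that mark a file as a payload candidate regardless of its extension.
MAGIC = [
    (b"MZ", "PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"%PDF", "PDF document"),
]
HTTP_ERROR_RE = re.compile(rb"<title>\s*([45]\d\d)\b[^<]*</title>", re.I)
# Apache's 403 text; the apostrophe may be plain, HTML-escaped or a UTF-8 curly quote.
APACHE_403_RE = re.compile(rb"You don(?:'|&#39;|\xe2\x80\x99)t have permission to access", re.I)
PHP_ERROR_RE = re.compile(rb"failed to open stream:.*?on line\s*(?:<b>)?\d+", re.I | re.S)
HTML_RE = re.compile(rb"<!doctype\s+html|<html\b|<body\b|<br\b", re.I)
SCRIPT_RE = re.compile(rb"<script\b", re.I)


@dataclass
class Verdict:
    name: str
    size: int
    sha256: str
    kind: str   # candidate-payload, http-error, server-error, html-with-script, html, text, empty
    note: str


def classify(name: str, data: bytes) -> Verdict:
    """Decide whether a dropped file deserves a second look or is just a server's error text."""
    digest = hashlib.sha256(data).hexdigest()  # handy for a VirusTotal / ThreatMiner lookup
    if not data:
        return Verdict(name, 0, digest, "empty", "zero-length download")
    for magic, label in MAGIC:
        if data.startswith(magic):
            return Verdict(name, len(data), digest, "candidate-payload", label)
    m = HTTP_ERROR_RE.search(data)
    if m:
        return Verdict(name, len(data), digest, "http-error",
                       "HTTP %s page, nothing was served" % m.group(1).decode())
    if APACHE_403_RE.search(data):
        return Verdict(name, len(data), digest, "http-error", "Apache 403 text without a title")
    if PHP_ERROR_RE.search(data):
        return Verdict(name, len(data), digest, "server-error",
                       "PHP warning leaked into the body; the server-side script is broken")
    if HTML_RE.search(data):
        if SCRIPT_RE.search(data):
            return Verdict(name, len(data), digest, "html-with-script", "HTML only; read the script by hand")
        return Verdict(name, len(data), digest, "html", "plain HTML, no script")
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    if printable / len(data) > 0.95:
        return Verdict(name, len(data), digest, "text", "ASCII text with no recognised marker")
    return Verdict(name, len(data), digest, "candidate-payload", "unrecognised binary; check entropy and try decoding")


def triage(samples: dict) -> dict:
    """Classify every dropped file; keys are file names, values are Verdicts."""
    return {name: classify(name, data) for name, data in samples.items()}


def payload_candidates(verdicts: dict) -> list:
    """Only the files worth sending on for further analysis."""
    return sorted(n for n, v in verdicts.items() if v.kind == "candidate-payload")


if __name__ == "__main__":
    for v in triage(SAMPLES).values():
        print(f"{v.name:14} {v.size:5d} {v.kind:18} {v.note}  sha256={v.sha256[:16]}...")
```

Run against a sandbox's dropped-files directory this turns "2 files downloaded" into "2 error pages, 0 payloads" in one pass, and the SHA-256 it prints is what you would paste into VirusTotal or ThreatMiner. The magic check is deliberately evaluated before the HTML checks so that an executable served with a misleading `.htm` name is still flagged.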

So no payloads 🙁 I searched the web but it seems that this sample was not very successful, probably because the sample was already end of life and well detected by most AV products.
