{"id":19517,"date":"2016-08-16T12:36:39","date_gmt":"2016-08-16T18:36:39","guid":{"rendered":"https://www.webroot.com/blog/?p=19517"},"modified":"2018-01-30T12:31:01","modified_gmt":"2018-01-30T19:31:01","slug":"nemucod-ransomware-analysis","status":"publish","type":"post","link":"https://www.webroot.com/blog/2016\/08\/16\/nemucod-ransomware-analysis\/","title":{"rendered":"Nemucod Ransomware Analysis"},"content":{"rendered":"<p>Today, we&#8217;ll look at yet another variant in the massive crop of malware that takes users&#8217; files hostage: Nemucod ransomware.<\/p>\n<p>Nemucod is ransomware that renames files to *.crypted. While it&#8217;s not a brand new variant, a lot has changed in the last few months and different methods have been used, but one constant has remained the same &#8211; it is deployed via bogus shipping invoice spam email. The Javascript received in the spam email downloads the malware and encryption components, which are stored on compromised websites. Because this ransomware is written in a scripting language, it&#8217;s easy to modify and re-deploy, and for the most part it has bypassed antivirus and spam email protection. However, a flaw was found in the encryption routine, which allows victims to recover their files.<\/p>\n<ul>\n<li>January 2016: Nemucod changes file names to &#8220;.crypted&#8221; but does not actually encrypt them<\/li>\n<li>March 2016: Adds XOR encryption using a 255 byte key contained in a downloaded executable. 
This downloaded executable encrypts the first <strong>2048<\/strong> bytes of a file<\/li>\n<li>April 2016: 7-Zip is used instead, creating a password-protected archive of the files<\/li>\n<li>April 2016: Instead of a hardcoded key, the Javascript generates a key and passes it as an argument to the downloaded executable, which performs the encryption of the first <strong>1024<\/strong> bytes of each targeted file<\/li>\n<li>May 2016: A small change is added to the previous build, which now encrypts <strong>2048<\/strong> bytes instead of <strong>1024<\/strong> bytes<\/li>\n<li>June &#8211; August 2016: A <strong>PHP<\/strong> script is used along with a PHP interpreter to encrypt the first <strong>1024<\/strong> bytes of a file<\/li>\n<\/ul>\n<p><strong>Email Example:<\/strong><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignleft\" src=\"\/\/i.imgur.com\/0l2sNqH.png\" width=\"474\" height=\"284\" \/><\/p>\n<p>After opening the spam email attachment, you can see that the file inside is a Javascript file cleverly disguised as a &#8220;.doc&#8221;. 
The file appears to be a .doc to users who have the folder option &#8220;hide extensions for known file types&#8221; enabled.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone\" src=\"\/\/i.imgur.com\/UOAAF9e.png\" width=\"598\" height=\"88\" \/><\/p>\n<p><strong>Javascript Analysis:<\/strong><\/p>\n<p>When the sample is first opened, it is heavily obfuscated; this is by design, to thwart AV analysis and static detection.<\/p>\n<p><a href=\"\/blog\/wp-content\/uploads\/2016\/08\/Nemucod-Java.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-19585 size-full\" src=\"\/blog\/wp-content\/uploads\/2016\/08\/Nemucod-Java.png\" alt=\"Nemucod Java\" width=\"1780\" height=\"232\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2016\/08\/Nemucod-Java.png 1780w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2016\/08\/Nemucod-Java-768x100.png 768w\" sizes=\"(max-width: 1780px) 100vw, 1780px\" \/><\/a><\/p>\n<p>After de-obfuscating the script, I found that several compromised domains are used to host multiple files that are used later in the execution routine. Of the downloaded files, two (a1.exe and a2.exe) are backdoors for the system. a1.exe is usually W32.Kovter and a2.exe is usually W32.Boaxxe. 
Since PHP is not installed natively on Windows, the 3rd and 4th files downloaded (a.exe and php4ts.dll) are part of a portable PHP interpreter, which allows the ransomware (a.php, the 5th file downloaded) to run.<\/p>\n<p><a href=\"\/blog\/wp-content\/uploads\/2016\/08\/Nemucod-Java-2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-19587 size-full\" src=\"\/blog\/wp-content\/uploads\/2016\/08\/Nemucod-Java-2.png\" alt=\"Nemucod Java 2\" width=\"1750\" height=\"918\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2016\/08\/Nemucod-Java-2.png 1750w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2016\/08\/Nemucod-Java-2-768x402.png 768w\" sizes=\"(max-width: 1750px) 100vw, 1750px\" \/><\/a><\/p>\n<p><a href=\"\/blog\/wp-content\/uploads\/2016\/08\/Nemucod-Java-3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-19589 size-full\" src=\"\/blog\/wp-content\/uploads\/2016\/08\/Nemucod-Java-3.png\" alt=\"Nemucod Java 3\" width=\"1389\" height=\"818\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2016\/08\/Nemucod-Java-3.png 1389w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2016\/08\/Nemucod-Java-3-768x452.png 768w\" sizes=\"(max-width: 1389px) 100vw, 1389px\" \/><\/a><\/p>\n<p><strong>Analysis of a.php:<\/strong><\/p>\n<p>We at first saw several samples of a.php written in plain text without obfuscation, but the developers changed this quickly to thwart static detection techniques. 
The obfuscation techniques below use chr() to encode each character as its ASCII code, and array() to store the PHP script as a list of array values.<\/p>\n<p><strong>Examples of Obfuscated ransomware variants:<\/strong><\/p>\n<p><em>chr()<\/em><\/p>\n<p><a href=\"\/blog\/wp-content\/uploads\/2016\/08\/Nemucod-chr.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-19591 size-full\" src=\"\/blog\/wp-content\/uploads\/2016\/08\/Nemucod-chr.png\" alt=\"Nemucod chr\" width=\"1829\" height=\"175\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2016\/08\/Nemucod-chr.png 1829w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2016\/08\/Nemucod-chr-768x73.png 768w\" sizes=\"(max-width: 1829px) 100vw, 1829px\" \/><\/a><\/p>\n<p>To de-obfuscate, I converted all of the chr() values to ASCII characters and then base64-decoded the result to get the original script.<\/p>\n<p><em>Array()<\/em><\/p>\n<p><a href=\"\/blog\/wp-content\/uploads\/2016\/08\/Nemucod-Array.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-19593 size-full\" src=\"\/blog\/wp-content\/uploads\/2016\/08\/Nemucod-Array.png\" alt=\"Nemucod Array\" width=\"1454\" height=\"243\" srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2016\/08\/Nemucod-Array.png 1454w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2016\/08\/Nemucod-Array-768x128.png 768w\" sizes=\"(max-width: 1454px) 100vw, 1454px\" \/><\/a><\/p>\n<p>To de-obfuscate, I echoed the output of implode for all of the arrays (and removed eval) by appending the following at the end of the script:<\/p>\n<p><strong>;echo implode($f,''); ?&gt;<\/strong><\/p>\n<p><strong>De-obfuscated:<\/strong><\/p>\n<p><a href=\"\/blog\/wp-content\/uploads\/2016\/08\/Nemucod-php.png\"><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-19595 size-full\" src=\"\/blog\/wp-content\/uploads\/2016\/08\/Nemucod-php.png\" alt=\"Nemucod php\" width=\"816\" height=\"571\" 
srcset=\"https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2016\/08\/Nemucod-php.png 816w, https:\/\/blog-en.webroot.com\/wp-content\/uploads\/2016\/08\/Nemucod-php-768x537.png 768w\" sizes=\"(max-width: 816px) 100vw, 816px\" \/><\/a><\/p>\n<p>The PHP script first calls &#8220;set_time_limit(0);&#8221; to remove the script execution time limit and keep the interpreter running.<\/p>\n<p>A recursive <strong>Tree<\/strong> function is used with <strong>preg_match<\/strong> to match folders:<\/p>\n<p><em>winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming|msoffice|temporary|cache<\/em><\/p>\n<p>If a match is found, the script opens the directory and checks for more directories using <em><strong>is_dir<\/strong><\/em>; if a directory is found, it runs <strong>Tree<\/strong> again, which continues the loop, checking whether each object is a folder or a file.<\/p>\n<p>Once a file is found, it uses preg_match again to match its file extension:<\/p>\n<p><em>zip|rar|r00|r01|r02|r03|7z|tar|gz|gzip|arc|arj|bz|bz2|bza|bzip|bzip2|ice|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|pptx|pps|sxi|odm|odt|mpp|ssh|pub|gpg|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php|pas|class|py|pl|h|vb|vcproj|vbproj|java|bak|backup|mdb|accdb|mdf|odb|wdb|csv|tsv|sql|psd|eps|cdr|cpt|indd|dwg|ai|svg|max|skp|scad|cad|3ds|blend|lwo|lws|mb|slddrw|sldasm|sldprt|u3d|jpg|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf|wmv|veg|mov|3gp|flv|mkv|vob|rm|mp3|wav|asf|wma|m3u|midi|ogg|mid|vdi|vmdk|vhd|dsk|img|iso<\/em><\/p>\n<p>Once a file matching one of the extensions above is found, the script stores its name and path in the variable &#8220;$fp&#8221;, and a new variable &#8220;$x&#8221; is created using the function <strong>fread<\/strong>.<\/p>\n<p><span class=\"function\"><strong>fread()<\/strong><\/span> reads up to <code class=\"parameter\">length<\/code> bytes from the file pointer referenced by <code class=\"parameter\">handle<\/code>.<\/p>\n<p>After reading the first 1024 bytes of a file, a for loop is used 
with <strong>strlen<\/strong> and the variable $k (a base 64 string) to encrypt the files.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>If you have found yourself a victim of this ransomware, please <a href=\"https:\/\/detail.webrootanywhere.com\/servicewelcome.asp\">submit a support ticket<\/a>.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Today, we&#8217;ll look at yet another variant in the massive crop of malware that takes users&#8217; files hostage: Nemucod ransomware. Nemucod is a ransomware which changes file names to *.crypted. While it&#8217;s not a brand new variant, a lot has changed in the last few months, and different methods have been used, but\u00a0one constant has [&hellip;]<\/p>\n","protected":false},"author":65,"featured_media":18469,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[3005],"tags":[],"yst_prominent_words":[5477,5467,19967,19969,19975,5469,19963,5473,12677,3619,19965,3483,19977,5471,4469,19971,15933,3937,5475,19973],"acf":[],"_links":{"self":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/19517"}],"collection":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/users\/65"}],"replies":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/comments?post=19517"}],"version-history":[{"count":20,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/19517\/revisions"}],"predecessor-version":[{"id":19601,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/posts\/19517\/revisions\/19601"}],"wp:featuredmedia":[{"embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media\/18469"}],"wp:attachment":[{"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/media?parent=19517"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:
//www.webroot.com/blog/wp-json\/wp\/v2\/categories?post=19517"},{"taxonomy":"post_tag","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/tags?post=19517"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https://www.webroot.com/blog/wp-json\/wp\/v2\/yst_prominent_words?post=19517"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}