2017-07-10 - KOVTER AND NEMUCOD RANSOMWARE INFECTION

NOTICE:

ASSOCIATED FILES:

  • 2017-07-10-Nemucod-ransomware-and-Kovter-infection-traffic.pcap   (8,338,159 bytes)
  • 15FEWz6pAjz1k2pNFtGLHddjxHq2G8LmjK.bmp   (333,118 bytes)
  • 15FEWz6pAjz1k2pNFtGLHddjxHq2G8LmjK.doc   (10,260 bytes)
  • 15FEWz6pAjz1k2pNFtGLHddjxHq2G8LmjK.exe   (68,096 bytes)
  • 15FEWz6pAjz1k2pNFtGLHddjxHq2G8LmjK.php   (78,151 bytes)
  • 15FEWz6pAjz1k2pNFtGLHddjxHq2G8LmjK2.exe   (484,527 bytes)
  • 2017-07-09-Kovter-Nemucod-malspam-1439-UTC.eml   (3,998 bytes)
  • 2017-07-10-Kovter-Nemucod-malspam-1020-UTC.eml   (3,784 bytes)
  • 2017-07-10-www.shisashop_com-domiains-shaishopcom-counter.txt   (178,675 bytes)
  • DECRYPT.hta   (1,551 bytes)
  • UPS-Delivery-01049711.doc.js   (1,738 bytes)
  • UPS-Delivery-01049711.zip   (1,491 bytes)
  • UPS-Parcel-ID-003634085.doc.js   (1,715 bytes)
  • UPS-Parcel-ID-003634085.zip   (1,478 bytes)
  • c2556.bat   (67 bytes)
  • e2c39.733a25   (15,593 bytes)

RELATED BLOG POSTS:

NOTES:


EMAILS


Shown above:  Screenshot of one of the emails (1 of 2).



Shown above:  Screenshot of one of the emails (2 of 2).


EMAIL HEADERS:



Shown above:  Extracted .js file from the attached zip archive on 2017-07-10.


TRAFFIC


Shown above:  Traffic from an infection on 2017-07-10 filtered in Wireshark.


PARTIAL URLS RECOVERED FROM THE .JS FILES AND DECRYPTION INSTRUCTIONS:

KOVTER POST-INFECTION TRAFFIC:


Shown above:  Post-infection traffic is similar to what we've seen before with Kovter.


FILE HASHES

SHA256 HASHES FOR THE ASSOCIATED MALWARE:


IMAGES


Shown above:  An example of post-infection artifacts noted on the infected hosts.



Shown above:  Other artifacts consistent with a Kovter infection.



Shown above:  As with other Kovter infections, the associated Windows registry key cannot be viewed.



Shown above:  For systems that didn't have MSVCR110.DLL, the Nemucod ransomware didn't work.



Shown above:  After I ensured the MSVCR110.DLL file was on the system, the infected Windows host also had a full Nemucod ransomware infection.



Shown above:  Ransomware decryption instructions from the infected Windows host.