2017-07-18 - NEMUCODAES RANSOMWARE

NOTICE:

ASSOCIATED FILES:

  • 2017-07-18-1st-run-NemucodAES-ransomware-traffic.pcap   (6,878,218 bytes)
  • 2017-07-18-2nd-run-NemucodAES-ransomware-traffic.pcap   (3,513,944 bytes)
  • 2017-07-17-UPS-themed-malspam-1840-UTC.eml   (3,723 bytes)
  • 2017-07-18-UPS-themed-malspam-1212-UTC.eml   (3,781 bytes)
  • 2017-07-18-1st-run-NemucodAES-PHP-script-retrieved-from-infected-host.txt   (64,453 bytes)
  • 2017-07-18-1st-run-NemucodAES-decryption-instructions.hta   (1,705 bytes)
  • 2017-07-18-1st-run-NemucodAES-javascript-returned-from-laurel.net.au.txt   (148,574 bytes)
  • 2017-07-18-2nd-run-NemucodAES-PHP-script-retrieved-from-infected-host.txt   (64,419 bytes)
  • 2017-07-18-2nd-run-NemucodAES-decryption-instructions.hta   (1,705 bytes)
  • 2017-07-18-2nd-run-NemucodAES-javascript-returned-from-xn--80aaumty_xn--p1ai.txt   (148,565 bytes)
  • UPS-Parcel-ID-4563806.doc.js   (1,820 bytes)
  • UPS-Parcel-ID-4563806.zip   (1,516 bytes)
  • UPS-Receipt-05395337.doc.js   (1,802 bytes)
  • UPS-Receipt-05395337.zip   (1,504 bytes)

RELATED BLOG POSTS:

TODAY'S NOTES:

 

EMAILS


Shown above:  Screenshot from an email (1 of 2).

 


Shown above:  Screenshot from an email (2 of 2).

 

EMAIL HEADERS:

 


Shown above:  Traffic from the 1st pcap filtered in Wireshark.

 

TRAFFIC


Shown above:  Traffic from the 2nd pcap filtered in Wireshark.

 

PARTIAL URLS RECOVERED FROM THE .JS FILES:

ONION DOMAINS FROM THE DECRYPTION INSTRUCTIONS:

 

FILE HASHES

ZIP ATTACHMENTS:

EXTRACTED .JS FILES:

 

IMAGES


Shown above:  Example of artifacts from an infected host.

 


Shown above:  File name extensions for the encrypted files do not change.

 


Shown above:  Decryption instructions from the 1st infection.

 


Shown above:  Decryption instructions from the 2nd infection.

 


Shown above:  You don't get anything more unless you pay the ransom.

 

Click here to return to the main page.