2025-02-24 Update From: SLTechnology News&Howtos, Network Security
Shulou (Shulou.com) 05/31 Report
This article presents an analysis report on a new JS/NEMUCOD virus sample. The content is detailed, and readers who are interested may find it useful.
0x00 Event overview
Recently, AsiaInfo Security intercepted a new script virus, JS/NEMUCOD, which evades antivirus detection through obfuscation and encryption and spreads through network shares and removable disks. The JS/NEMUCOD script virus also carries out malicious behaviours such as collecting information about the infected computer and deleting files on the system. AsiaInfo Security has named it TrojanSpy.JS.NEMUCOD.BONING.
0x01 Event analysis
The sample is an obfuscated JS script. The original dropped sample file (shell.jse) contains the following:
The sample after decryption and deobfuscation is as follows:
The main malicious behaviours of the sample are as follows:
It connects to the following URL (listed in the IOCs section below) to send and receive data.
It collects the following data from the system:
Current system process list
Computer user name
Computer domain name
Computer system version
The virus can spread on its own: if it fails to download a file from its C&C server, it searches network shares and removable drives for files with the following extensions, deletes each such file, and replaces it with a copy of itself:
.doc .xls .pdf .rtf .pub .odt .ods .odp .odc .odb .txt .odm
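As an added defensive example (not code from the report or from AsiaInfo Security): a Python triage scan that walks a share and flags files carrying one of the targeted document extensions whose content is script text rather than the expected document header. It assumes the dropped copy keeps the victim file's name and extension, which the report does not state, and the sample tree it builds is constructed.

```python
import os
import re
import tempfile

# Extensions the report says the virus deletes and replaces on shares and removable drives.
TARGET_EXTS = {".doc", ".xls", ".pdf", ".rtf", ".pub", ".odt", ".ods",
               ".odp", ".odc", ".odb", ".txt", ".odm"}
OLE, ZIP = b"\xd0\xcf\x11\xe0", b"PK\x03\x04"  # OLE compound file / zip (OpenDocument) headers
MAGIC = {".doc": OLE, ".xls": OLE, ".pub": OLE, ".pdf": b"%PDF", ".rtf": b"{\\rtf",
         ".odt": ZIP, ".ods": ZIP, ".odp": ZIP, ".odc": ZIP, ".odb": ZIP, ".odm": ZIP}
# Crude markers of JScript/WSH code; .txt has no magic, so only this check applies to it.
SCRIPT_RE = re.compile(rb"\b(WScript|ActiveXObject|eval|function)\b")

def classify(path, head):
    """None if not a targeted extension; else 'ok', 'script-in-document' or 'unexpected-header'."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in TARGET_EXTS:
        return None
    magic = MAGIC.get(ext)
    if magic is not None and head.startswith(magic):
        return "ok"
    if SCRIPT_RE.search(head):
        return "script-in-document"
    return "ok" if magic is None else "unexpected-header"

def scan_tree(root):
    """Walk root and return (path, verdict) for every suspicious document file."""
    findings = []
    for d, _, files in os.walk(root):
        for name in files:
            path = os.path.join(d, name)
            with open(path, "rb") as fh:
                head = fh.read(4096)  # headers and script markers sit near the start
            verdict = classify(path, head)
            if verdict not in (None, "ok"):
                findings.append((path, verdict))
    return findings

def demo():
    """Constructed sample tree (not the incident's files): a clean PDF and a '.doc' holding script."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "clean.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4\n% constructed placeholder\n")
    with open(os.path.join(root, "invoice.doc"), "wb") as fh:
        fh.write(b"var sh = new ActiveXObject('WScript.Shell'); // constructed")
    return scan_tree(root)

if __name__ == "__main__":
    for path, verdict in demo():
        print(verdict, path)
```

The header check is a heuristic: legacy .doc files saved as RTF or XML, or plain-text files, will show as "unexpected-header" and need a manual look rather than automatic deletion.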
It also has anti-analysis capability: if it finds antivirus software, debugging tools, or specific strings on the system, it terminates its own execution.
The following processes are present in memory:
Anti-virus.EXE lordPE.exe B.exe iexplore.exe Proxifier.exe ctfmon.exe AgentSimulator.exe VzService.exe VBoxTray.exe gemu-ga.exe BennyDB.exe windanr.exe
The following debugging tools are present on the system:
Procmon Wireshark ProcessHacker vmtoolsd VBoxService ImmunityDebugger BehaviorDumper PROCMON procexp tcpdump FrzState2k DFLocker64 vmware LOGService.exe
The following strings are present in the system environment:
VmRemoteGuest SystemIT | admin WIN7-TRAPS Emily milozs Johnson HAPUBWS Peter Wilson Hong Lee
It deletes itself after execution.
0x02 Solution
1. Do not open emails or attachments from unknown sources.
2. Do not click links contained in emails from unknown sources.
3. Use strong passwords, avoid weak passwords, and change passwords regularly.
4. Turn on automatic system updates and install the updates they detect.
5. Turn off unnecessary file sharing where possible.
6. Back up important documents. The best practice for backup is the 3-2-1 rule: keep at least three copies, save them in two different formats, and store one copy offsite.
0x03 Correlation analysis (fileless mining virus)
The JS/NEMUCOD virus first appeared in 2016, when the Nemucod Trojan was malware disguised as a safe file. Such files could be downloaded from insecure web pages or spread through spam attachments containing JavaScript code that downloads and runs the Nemucod executables. In an era when ransomware was rampant, Nemucod naturally had ties to ransomware; for example, the well-known Locky ransomware used JS/Nemucod to download and spread.
Recently, AsiaInfo Security found that information related to this sample (or a similar sample) appears on Pastebin. Pastebin is a web application in which users store plain text. In recent years attackers have often used it to host backdoor scripts, because content is very convenient to fetch: it can be downloaded and read through a fixed URL.
The previously widespread virus that uses PowerShell for fileless mining exploits this feature: the script only needs to be placed on the site, and a PowerShell command then downloads it from the fixed URL straight into memory to carry out its malicious behaviour. Such commands usually spread within the intranet by using weak passwords or vulnerabilities such as MS17-010, so strengthening the security management of computers is particularly important. Likewise, we do not rule out the possibility that this virus will be spread further through PowerShell in the future.
IOCs
MD5
Sample name: Shell.jse
MD5: e6adc360a1c095f8ed1e53e5c90d467461d24578
AsiaInfo Security detection name: TrojanSpy.JS.NEMUCOD.BONING
URL
https://185[.]159[.]82[.]15/hollyhole/c644[.]php
https://185[.]159[.]82[.]20/t-34/x644[.]php