Malicious JS containing Nemucod downloads Miuref/Boaxxe and fake Ransomware

NOTES:
Notice_to_Appear_00000617342.doc.js is a malicious JavaScript file disguised as a Word document. The file was downloaded from Malwr.com and analyzed. Below are the post-infection traffic and the payload associated with this file. The post-infection traffic and payload directory structure appear to fit the pattern of the Nemucod JavaScript downloader infecting the computer with the Miuref and Boaxxe click-fraud malware.

More information about Miuref click fraud can be found at stopmalvertising.com


ASSOCIATED DOMAINS:

  • 130.185.72.24 – hanyson.com – GET /counter/? – Miuref/Boaxxe DOWNLOAD
  • 109.68.191.31 – GET / – POST INFECTION TRAFFIC – Miuref/Boaxxe CHECK-IN
  • 62.210.131.107 – POST INFECTION TRAFFIC – Miuref/Boaxxe CHECK-IN
  • 136.243.147.14 – HTTPS – POST INFECTION TRAFFIC
  • 43.231.58.233 – POST / – POST INFECTION TRAFFIC
  • 108.168.157.141 – 4155017659.pub.ezanga.com – POST /rva.php – POST INFECTION TRAFFIC
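
To turn the indicator list above into something a defender can run, here is an added example (not part of the original post) that scans proxy log lines for the listed hosts, IPs, methods and paths, and then flags only the clients that show the full chain (payload download followed by a check-in), since a single IP hit on its own is weak evidence. The log format and the client addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Indicators copied from the ASSOCIATED DOMAINS list in this post.
# Key: (host or IP, HTTP method, path) -> what the post labels it.
# A None method/path means "any request to this address" (the post lists no URI).
INDICATORS = {
    ("hanyson.com", "GET", "/counter/"): "Miuref/Boaxxe download",
    ("130.185.72.24", "GET", "/counter/"): "Miuref/Boaxxe download",
    ("109.68.191.31", "GET", "/"): "Miuref/Boaxxe check-in",
    ("62.210.131.107", None, None): "Miuref/Boaxxe check-in",
    ("136.243.147.14", None, None): "post-infection traffic (HTTPS)",
    ("43.231.58.233", "POST", "/"): "post-infection traffic",
    ("4155017659.pub.ezanga.com", "POST", "/rva.php"): "post-infection traffic",
}

# Constructed proxy log (not from the post): time client method host path status
SAMPLE_LOG = """\
2016-01-05T09:12:01 10.0.0.5 GET hanyson.com /counter/?ab12 200
2016-01-05T09:12:03 10.0.0.5 GET 109.68.191.31 / 200
2016-01-05T09:12:09 10.0.0.5 POST 4155017659.pub.ezanga.com /rva.php 200
2016-01-05T09:13:00 10.0.0.7 GET www.example.com /index.html 200
2016-01-05T09:14:00 10.0.0.7 POST 43.231.58.233 / 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\S+) (\d{3})$")

def classify(method, host, path):
    """Return the indicator label for one request, or None if nothing matches."""
    for (ind_host, ind_method, ind_path), label in INDICATORS.items():
        if host != ind_host:
            continue
        if ind_method is None or (method == ind_method and path == ind_path):
            return label
    return None

def scan_log(text):
    """Map each client address to the ordered list of indicator labels it triggered."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        _ts, client, method, host, path, _status = m.groups()
        label = classify(method, host, path.split("?", 1)[0])  # drop the query string
        if label:
            hits[client].append(label)
    return dict(hits)

def infected_clients(hits):
    """Clients that downloaded the payload and then checked in: the full chain."""
    return sorted(c for c, labels in hits.items()
                  if "Miuref/Boaxxe download" in labels
                  and "Miuref/Boaxxe check-in" in labels)
```

Clients that only hit one of the bare IPs (such as 10.0.0.7 in the sample) are reported but not marked as infected, which is where a manual look at the rest of their traffic belongs.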


IMAGES and DETAILS:

Shown above: After the malicious JavaScript containing Nemucod executes, a connection is made to hanyson.com, from which an executable file is downloaded


Shown above: An .exe file disguised as a .png file is downloaded to start the infection chain


Shown above: Payload and the “YdPack” directory structure associated with Miuref


Shown above: Payload and directory structure of other downloaded files


Shown above: Post infection traffic possibly associated with Boaxxe


Shown above: Fake ransom note possibly in an attempt to download further malware


MALICIOUS JAVASCRIPT AND PAYLOAD: