Malicious Nemucod JavaScript downloads .CRYPTED Ransomware, Kovter and more

NOTES:
Court_Notification_000133670.js is a malicious Nemucod JavaScript. Along with click-fraud malware, my computer was also infected with .CRYPTED Ransomware and the fileless trojan Kovter. In March 2016 emsisoft.com released a decrypter for .CRYPTED Ransomware. The decrypter was downloaded, but attempts to generate the decryption key were unsuccessful.

A post on April 14th 2014, “Malicious JS containing Nemucod downloads Miuref/Boaxxe and fake Ransomware”, shows similar URI traffic structures and patterns, along with similar file system directory structures.

ASSOCIATED DOMAINS:

  • 92.38.227.4 – luchgallery.com – GET /counter/?a= – MALICIOUS PAYLOAD DOWNLOADS
  • 109.68.191.31 – GET / – POST INFECTION TRAFFIC
  • 93.190.142.63 – wvsearch.com – GET /clk4?d – POST INFECTION TRAFFIC
  • 46.101.173.32 – POST / – POST INFECTION TRAFFIC

DECRYPTER DOWNLOAD URLS:

  • http://luchgallery.com/counter/?a=
  • http://megakomfort.by/counter/?a=
  • http://televidriera.com.ar/counter/?a=
  • http://www.wizardforli.it/counter/?a=
  • http://creative-win.com/counter/?a=
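
The indicators above (the /counter/?a= download URI repeated across several compromised domains, an executable served under an image name, and the hosts in the associated-domains list) are enough for a first triage pass over proxy logs. The script below is an added example, not code from the original post: the transactions it scans are constructed here to mirror what the post describes, the `a=` values and the `example.org` control entry are placeholders, and the Content-Type header and response bytes are assumed rather than taken from a capture.

```python
import re

# Hosts and IPs copied from the post's associated-domain and download-URL lists.
IOC_HOSTS = {
    "92.38.227.4", "luchgallery.com",
    "109.68.191.31",
    "93.190.142.63", "wvsearch.com",
    "46.101.173.32",
    "megakomfort.by", "televidriera.com.ar", "www.wizardforli.it", "creative-win.com",
}

# Nemucod's payload fetch as seen in the post: GET /counter/?a=<value> on a compromised site.
NEMUCOD_URI = re.compile(r"^GET\s+/counter/\?a=", re.IGNORECASE)

PE_MAGIC = b"MZ"                   # DOS header that starts every Windows executable
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"   # signature a genuine PNG file starts with

# Constructed sample transactions (host, request line, Content-Type, first
# response bytes) modelled on the traffic the post describes; not real captures.
SAMPLE_TRANSACTIONS = [
    ("luchgallery.com", "GET /counter/?a=1 HTTP/1.1", "image/png", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("megakomfort.by", "GET /counter/?a=2 HTTP/1.1", "image/png", PNG_MAGIC + b"\x00\x00\x00\rIHDR"),
    ("wvsearch.com", "GET /clk4?d=abc HTTP/1.1", "text/html", b"<html>"),
    ("example.org", "GET /images/logo.png HTTP/1.1", "image/png", PNG_MAGIC + b"\x00\x00\x00\rIHDR"),
]


def is_nemucod_uri(request_line):
    """True if the request line matches the /counter/?a= download pattern."""
    return NEMUCOD_URI.match(request_line) is not None


def pe_masquerading_as_image(content_type, body):
    """True if a response declared as image/* actually starts with a PE (MZ) header."""
    return content_type.lower().startswith("image/") and body.startswith(PE_MAGIC)


def triage(transactions):
    """Return one finding per transaction that trips at least one indicator."""
    findings = []
    for host, request_line, content_type, body in transactions:
        reasons = []
        if host in IOC_HOSTS:
            reasons.append("known-ioc-host")
        if is_nemucod_uri(request_line):
            reasons.append("nemucod-counter-uri")
        if pe_masquerading_as_image(content_type, body):
            reasons.append("pe-masquerading-as-image")
        if reasons:
            findings.append({"host": host, "request": request_line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_TRANSACTIONS):
        print(f"{f['host']:20} {f['request']:32} {', '.join(f['reasons'])}")
```

The magic-byte check is the part worth keeping: a host list goes stale as the compromised sites change, but a download that claims to be a PNG and begins with `MZ` is wrong regardless of which domain served it.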

 

IMAGES and DETAILS:

Shown above: Execution of the malicious JavaScript downloaded four executable files to start the infection chain.

Shown above: One of the executable files being downloaded, masquerading as a .png image file.

Shown above: Post-infection traffic associated with click fraud. Payload identified by anti-virus vendors as Miuref/Boaxxe.

Shown above: Encrypted image files with the .crypted file extension.

Shown above: Nemucod .CRYPTED ransom note.

Shown above: Payload file system directory structure.

Shown above: Fileless Kovter registry entry with some known patterns
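
The post does not spell out which known patterns the registry entry shows. As an added example, not from the original post, the following scans a registry export for the persistence form Kovter is widely documented to use: a Run value that launches mshta.exe with a javascript: URI, which in turn reads a second registry value and eval()s it. The .reg text is constructed here, and the value names, the random key path and the script body in it are made up rather than taken from the screenshot.

```python
import re

# Constructed .reg-style export for illustration; the value names, the random
# key path and the script body are made up, not copied from the post's screenshot.
SAMPLE_REG_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"a1b2c3"="mshta javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write();h=new ActiveXObject(\"WScript.Shell\").RegRead(\"HKCU\\\\software\\\\x9f2k\\\\d3f\");eval(h)"

[HKEY_CURRENT_USER\Software\x9f2k]
"d3f"="dmFyIHg9MTs="
'''

KEY_LINE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

RUN_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce")

# (reason, pattern) pairs; a Run value is flagged when any pattern matches.
INDICATORS = [
    ("mshta-script-uri", re.compile(r"mshta(?:\.exe)?\s+(?:javascript|vbscript):", re.I)),
    ("registry-stored-script", re.compile(r"RegRead\s*\(", re.I)),
    ("eval-of-registry-data", re.compile(r"\beval\s*\(", re.I)),
]


def unescape_reg_string(data):
    # Undo .reg escaping: a doubled backslash becomes one backslash, \" becomes a quote.
    return re.sub(r'\\(["\\])', r'\1', data)


def parse_reg_export(text):
    """Yield (key, value_name, value_data) for every string value in the export."""
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_LINE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VALUE_LINE.match(line)
        if m and current_key:
            yield current_key, m.group("name"), unescape_reg_string(m.group("data"))


def find_suspicious_run_entries(text):
    """Return Run/RunOnce values whose command matches the Kovter-style indicators."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if not key.endswith(RUN_KEYS):
            continue
        reasons = [reason for reason, pat in INDICATORS if pat.search(data)]
        if reasons:
            findings.append({"key": key, "name": name, "command": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_run_entries(SAMPLE_REG_EXPORT):
        print(f"{f['key']}\\{f['name']}: {', '.join(f['reasons'])}")
        print("   ", f["command"][:80])
```

Only the Run and RunOnce keys are inspected, so the second key holding the script body is not itself flagged; in practice the RegRead() path in a flagged command is the pointer to follow when pulling the fileless payload off the box.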

 

MALICIOUS JAVASCRIPT AND PAYLOAD: