Malicious Nemucod Javascript downloads .CRYPTED Ransomware, Kovter and more

Below are brief details of a malicious email I received on 2016-07-17 containing an attached zip file with the Nemucod JavaScript. I uploaded the file to hybrid-analysis.com should you wish to analyze it yourself. It appears to be somewhat VM aware.

I will update the URLs for the malicious downloads after I submit to VirusTotal.

Email Details:
FROM: FedEx International Ground <roland.davies@t-p-o.ru> via s15.h.mchost.ru
SUBJECT: Courier was unable to deliver the parcel, ID00232349
ATTACHMENT: Label_00232349.zip

REFERENCES:
Untangling Kovter’s persistence methods
Malicious spam with zip attachments containing .js files

I have added a zipped pcap file for your analysis. The password is the usual one used by malware researchers. If you do not know it please email me.
info@broadanalysis.com

PCAP file of the infection traffic:
2016-07-17-Nemucod-pcap.zip

ASSOCIATED DOMAINS AND IP ADDRESSES: [Pastebin of URLs]

  • 185.98.6.167 – sportstribune.kz GET /counter/?ad= – POST-INFECTION TRAFFIC
  • 176.57.210.37 – gamefest.biz GET /counter/?ad= – POST-INFECTION TRAFFIC
  • 109.74.8.168 – www.svenskaoljeinvesteringar.se GET /counter/?ad= – POST-INFECTION TRAFFIC
  • 185.23.21.42 – outboxdigital.com GET /counter/?ad= – POST-INFECTION TRAFFIC
  • 37.140.192.44 – exkavator-kzn.ru GET /counter/?ad= – POST-INFECTION TRAFFIC
  • 185.118.67.195 – POST-INFECTION TRAFFIC
  • 217.12.208.12 – GET /1.exe – POST-INFECTION TRAFFIC
  • 185.109.144.15 – clothesfreesort.com POST /f78aqnQy/connect.php – POST-INFECTION TRAFFIC

IMAGES OF POST INFECTION TRAFFIC:

Shown above: Post-infection HTTP traffic associated with the malicious Nemucod JavaScript

Shown above: One of many post infection downloads of executable files masked as an image file with the .png file extension
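
The indicator list above and the caption about executables served under a .png name both lend themselves to a simple defender-side check. The Python script below is an added example written for this post, not code from the original write-up or from the pcap: it matches constructed proxy log lines against the hosts, IPs and URI patterns listed above, and flags any file named like an image whose first two bytes are the PE "MZ" header. The log line layout, the client addresses, the example.com/example.net hosts and the file byte strings are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List

# Indicators copied from the domain/IP list in this write-up.
IOC_HOSTS = {
    "sportstribune.kz", "gamefest.biz", "www.svenskaoljeinvesteringar.se",
    "outboxdigital.com", "exkavator-kzn.ru", "clothesfreesort.com",
}
IOC_IPS = {
    "185.98.6.167", "176.57.210.37", "109.74.8.168", "185.23.21.42",
    "37.140.192.44", "185.118.67.195", "217.12.208.12", "185.109.144.15",
}
# URI patterns from the write-up: the /counter/?ad= check-in, the
# /f78aqnQy/connect.php POST and the bare /1.exe download.
IOC_URI_RE = re.compile(r"^(/counter/\?ad=|/f78aqnQy/connect\.php$|/1\.exe$)")

# Assumed (hypothetical) proxy log layout used only for this example:
# "<timestamp> <client-ip> <method> <host> <uri> <status>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>GET|POST) "
    r"(?P<host>\S+) (?P<uri>\S+) (?P<status>\d{3})$"
)


@dataclass
class Hit:
    ts: str
    client: str
    host: str
    uri: str
    reason: str


def scan_log(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per log line whose host or URI matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        host, uri = m["host"], m["uri"]
        reasons = []
        if host in IOC_HOSTS or host in IOC_IPS:
            reasons.append("ioc-host")
        if IOC_URI_RE.match(uri):
            reasons.append("ioc-uri")
        if reasons:
            hits.append(Hit(m["ts"], m["client"], host, uri, "+".join(reasons)))
    return hits


IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif")


def looks_like_pe(data: bytes) -> bool:
    """A Windows executable starts with the 'MZ' DOS header."""
    return data[:2] == b"MZ"


def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when a file named like an image actually carries a PE header."""
    return filename.lower().endswith(IMAGE_EXTS) and looks_like_pe(data)


# Constructed sample log lines (not taken from the pcap in the post).
SAMPLE_LOG = [
    "2016-07-17T14:02:11 10.0.0.5 GET sportstribune.kz /counter/?ad=abc123 200",
    "2016-07-17T14:02:13 10.0.0.5 GET 217.12.208.12 /1.exe 200",
    "2016-07-17T14:02:20 10.0.0.5 POST clothesfreesort.com /f78aqnQy/connect.php 200",
    "2016-07-17T14:03:00 10.0.0.7 GET www.example.com /index.html 200",
    "2016-07-17T14:03:05 10.0.0.5 GET cdn.example.net /counter/?ad=zz9 404",
]

# Constructed file contents: a fake PE stub and a genuine PNG signature.
FAKE_PE_AS_PNG = b"MZ\x90\x00" + b"\x00" * 60
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.ts} {h.client} -> {h.host}{h.uri} [{h.reason}]")
    print("image.png carries PE header:", extension_mismatch("image.png", FAKE_PE_AS_PNG))
    print("real.png carries PE header:", extension_mismatch("real.png", REAL_PNG))
```

The last sample line shows why the URI pattern is checked separately from the host list: a /counter/?ad= request to a host not yet on the list still gets flagged, which is how new check-in servers for the same campaign surface in proxy logs.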

Shown above: Post infection download of an executable file

Shown above: Ransom note with decryption instructions for the Nemucod ransomware

Shown above: Files associated with Kovter click-fraud

Shown above: Registry file associated with fileless Kovter

MALICIOUS PAYLOAD ASSOCIATED WITH NEUTRINO EK:

  • 2016-07-17-vwzvizdq.dll
    C:\Windows\SysWOW64\regsvr32.exe C:\Users\%UserName%\AppData\Local\Ezttion\vwzvizdq.dll
    Virus Total Link
  • 2016-07-17-a2.exe
    C:\Users\%UserName%\AppData\Local\Ezttion\a2.exe
    Virus Total Link
  • 2016-07-17-sdkxohvh.dll
    regsvr32.exe C:\Users\%UserName%\AppData\Local\UVmedia\sdkxohvh.dll
    Virus Total Link