General

  • Target

    20161205_03476173ef9fdec7e5270dc7d87933f0.js

  • Size

    13KB

  • Sample

    211117-nms5tahbam

  • MD5

    57198c88a70079fdecbdcdaf3fca251f

  • SHA1

    f9eec46611e7eb0d78e550a22e1975a896314032

  • SHA256

    b89fdbbe855d6491565249508472f2eff89733cf370f49725228a13ac2e69d61

  • SHA512

    0374dfbb69762b749b45e19063cb7f2f6ed261f89160b333ab2f50710c965e5cdccee2cdb3ff4d22a2be079f8f6b5ae95b32fe442e1ebbc576c8bbe61abe4274

Malware Config

Targets

    • Target

      20161205_03476173ef9fdec7e5270dc7d87933f0.js

    • Size

      13KB

    • MD5

      57198c88a70079fdecbdcdaf3fca251f

    • SHA1

      f9eec46611e7eb0d78e550a22e1975a896314032

    • SHA256

      b89fdbbe855d6491565249508472f2eff89733cf370f49725228a13ac2e69d61

    • SHA512

      0374dfbb69762b749b45e19063cb7f2f6ed261f89160b333ab2f50710c965e5cdccee2cdb3ff4d22a2be079f8f6b5ae95b32fe442e1ebbc576c8bbe61abe4274

    • Locky

      Ransomware strain released in 2016, with advanced features like anti-analysis.

    • Locky (Osiris variant)

      Variant of the Locky ransomware seen in the wild since early 2017.

    • suricata: ET MALWARE Nemucod JS Downloader Aug 01 2017

      suricata: ET MALWARE Nemucod JS Downloader Aug 01 2017

    • Blocklisted process makes network request

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks