General

  • Target

    20161205_f7243bcc0d762f1d582d88f5ac30a3f1.js

  • Size

    13KB

  • Sample

    211118-raenfaddek

  • MD5

    66693ade1d8d86923589f23cc90adb67

  • SHA1

    6627d10d4eff4c466c18c30a3698074d030e5bff

  • SHA256

    d487739b5dae62175cba687c888773d3085b6003810ee9c3e7ebaccfee4c6dba

  • SHA512

    2201e4d1c7e5eaf7e061174413963e30f9e8590daa9131fa7f1aca70e1a74a68fcef0d19a1522586be15364c15420141d144e2ea8eee94d898a0163ed468446f

Malware Config

Targets

    • Target

      20161205_f7243bcc0d762f1d582d88f5ac30a3f1.js

    • Size

      13KB

    • MD5

      66693ade1d8d86923589f23cc90adb67

    • SHA1

      6627d10d4eff4c466c18c30a3698074d030e5bff

    • SHA256

      d487739b5dae62175cba687c888773d3085b6003810ee9c3e7ebaccfee4c6dba

    • SHA512

      2201e4d1c7e5eaf7e061174413963e30f9e8590daa9131fa7f1aca70e1a74a68fcef0d19a1522586be15364c15420141d144e2ea8eee94d898a0163ed468446f

    • Locky

      Ransomware strain released in 2016, with advanced features like anti-analysis.

    • Locky (Osiris variant)

      Variant of the Locky ransomware seen in the wild since early 2017.

    • suricata: ET MALWARE Nemucod JS Downloader Aug 01 2017

      suricata: ET MALWARE Nemucod JS Downloader Aug 01 2017

    • Blocklisted process makes network request

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Loads dropped DLL

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix ATT&CK v6

Defense Evasion

Modify Registry

2
T1112

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Impact

Defacement

1
T1491

Tasks