![\"Figure](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Why-would-JS-Notdec-1.png\")
This malicious sample (MD5 = 4B7207D5AB0DF9D6B0C650EBA0E18EE0) starts with a very long obfuscated string containing the malicious code, followed by a part of code used for the deobfuscation of the first layer, and then some junk.<\/p>\n
Once the first layer is removed, the malicious parts of code become more visible, yet they are still obfuscated:<\/p>\n This is the same sample, now fully deobfuscated:<\/p>\n This sample attempts to download a file from one of three URLs (if the first download fails, it will try the second one, and so on), saves it in the %TEMP% folder with a filename made of five\u00a0digits, followed by the extension .exe, and then silently runs it. The files hosted on these three compromised websites are\u00a0identical Locky malware, with the same MD5 signature (7905f35038e44c285a10cdefda496d7a).<\/p>\n Nothing surprising so far. However while analyzing a few more samples from this JS\/Nemucod variant, we happened to deobfuscate one that\u00a0contains only one URL, repeated three times, which links to a legitimate, noninfected, Notepad++ installer stored on the Notepad++ official website (MD5 = 3BB72C72B73583C72EAB326D8BDB83E6, a legitimate file), and downloads a legitimate file instead of a malicious sample:<\/p>\n Why would JS\/Nemucod download a legitimate Notepad++ installer?\u00a0That\u2019s the question we asked ourselves.<\/p>\n After some investigations, we managed to collect six samples detected as JS\/Nemucod.hb and containing the URL linking to the Notepad++ installer.<\/p>\n We tracked down where these samples came from. It seems that all were first submitted to VirusTotal:<\/p>\n The fact that these six samples were submitted to VirusTotal only once and in JavaScript format (not without a ZIP container) suggests they were not found in the wild nor that they were spammed.<\/p>\n Moreover, all were submitted in a very short period and via Tor. Could it be that these samples were submitted to VirusTotal by the bad guys themselves? That\u2019s one hypothesis. If that\u2019s the case, for what reason? To confuse the issue? For testing?<\/p>\n We compared each sample (especially the parts used to deobfuscate the script) with each other:<\/p>\n Sample 1:<\/strong> (MD5) 68cffdb643c25fe8f3fd6c79c4423558<\/p>\n Sample 2:<\/strong> 36ef4cbee8945b69fa04cb7e9e3f2657 (submitted to VirusTotal about two\u00a0minutes later)<\/p>\n Except for the different variable names and the junk variables (which are randomly generated for each malware sample), we do not see any differences. We can confirm that both samples were created using the same generator.<\/p>\n Sample 3:<\/strong> 15db97414972ca19a88147764bedaa81 (submitted to VirusTotal about five\u00a0minutes later)<\/p>\n The string \u201clength\u201d was obfuscated in a slightly different way. The part of code used for deobfuscation was duplicated at the end of the script.<\/p>\n Sample 4:<\/strong> eca759dcabec66377ec21fa62d92709e (submitted to VirusTotal about two\u00a0minutes later)<\/p>\n The variable q1 now concatenates four strings instead of six.<\/p>\n Sample 5:<\/strong> 754d333f8c06085ebb3e32701a5be584 (submitted to VirusTotal about seven\u00a0minutes later)<\/p>\n The variable q1 again concatenates six strings.<\/p>\n Sample 6:<\/strong> 037b04cc520ddb37bbfa1e535e39339a (submitted to VirusTotal less than two minutes later)<\/p>\n Variable q1 now concatenates four strings. Some characters (C and A) in the obfuscated string \u201ccharAt\u201d are now in uppercase. Moreover, the duplicated part of code added at the end of the script was removed.<\/p>\n We noticed that the obfuscations used in various JS\/Nemucod versions\u00a0are modified daily before being spammed, in an attempt to bypass antimalware detection. However, we have never seen so many minor modifications in such a short time, so these six samples must have been submitted to VirusTotal for testing purposes, most likely by the bad guys behind JS\/Nemucod.<\/p>\n Why did the malware developers use a real URL downloading a legitimate file for their tests when\u00a0they could have used fakes?<\/p>\n Why did they download an installer instead of another (smaller) executable file?<\/p>\n Why did they download a Notepad++ installer rather than some other?<\/p>\n JS\/Nemucod is the detection name given to a family of malicious JavaScript downloaders that\u00a0have appeared in\u00a0spam campaigns since last year….<\/p>\n","protected":false},"author":836,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,76,338,180],"coauthors":[925],"class_list":["post-49785","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-cybercrime","tag-endpoint-protection","tag-malware"],"acf":[],"yoast_head":"\n![\"Figure](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Why-would-JS-halfdec-1.png\")
![\"Figure](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Why-would-JS-dec.png\")
![\"Figure](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Why-would-JS-hbnotepaddec.png\")
Here are their MD5 signatures:<\/h2>\n
\n
![\"Why-would-JS-VT\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Why-would-JS-VT-e1463759944666.png\")
<\/p>\nThey had more in common. All were submitted:<\/h2>\n
\n
![\"Why-would-JS-Diff1\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Why-would-JS-Diff1.png\")
<\/p>\n![\"Why-would-JS-Diff2\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Why-would-JS-Diff2.png\")
<\/p>\n![\"Why-would-JS-Diff3\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Why-would-JS-Diff3.png\")
<\/p>\n![\"Why-would-JS-Diff4\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Why-would-JS-Diff4-e1463760615134.png\")
<\/p>\n![](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Why-would-JS-Diff5-e1463760765287.png\")
<\/p>\n![\"Why-would-JS-Diff6\"](\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/Why-would-JS-Diff6.png\")
<\/p>\n\n
\n
\n