After one such developer, going by the name jsworm, announced Nemty on underground forums, we noted how the ransomware was not well received by some users in the criminal community. Certain sectors of that forum started to rebuke jsworm for technical decisions made about the functions in the ransomware, as well as the encryption mechanism used.<\/p>\n
Jsworm replied to all the comments, adding evidence about how the critical statements made were wrong and showcased the value of their new versions. They also fixed some ugly bugs revealed by users in the forum:<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/forum-post.png\")
<\/p>\n
One of the users in the forum highlighted a function for how Nemty detects extension dupes in a system, which needed to be re-written by the author:<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/extension-dupes.png\")
<\/p>\n
Despite the shortcomings in their ransomware, the Nemty developers are still in the underground forum, releasing new samples and infecting users through their affiliate program.<\/p>\n
Telemetry<\/h2>\n
Based on our telemetry, we have seen Nemty activity in these locations:<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/telemtry.png\")
<\/p>\n
FIGURE 1. Telemetry Map<\/p>\n
Nemty Technical Analysis<\/h2>\n
Nemty runs on a Ransomware-as-a-Service (RaaS) model. We\u2019ve observed it being delivered using:<\/p>\n
- \n
- RIG Exploit Kit in September 2019<\/li>\n
- Paypal dummy sites<\/li>\n
- RDP attacks through affiliates in their campaigns<\/li>\n
- Botnet: Distributed through Phorpiex botnet in November 2019<\/li>\n
- Loader: SmokeBot<\/li>\n<\/ul>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/Nemty-announcement.png\")
<\/p>\nFIGURE 2. Nemty ransomware announcement<\/p>\n
In the release announcement the Nemty developers offered two types of collaboration: affiliation or private partnership. We found two aliases advertising Nemty, one of which is jsworm, who is quite active in the forums and announces all the news and updates there.<\/p>\n
This is the timeline of the operations performed by the Nemty crew:<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/nemty-timeline.png\")
<\/p>\nWe observed how the Nemty developers adopted some characteristics from other old ransomware families like the defunct Gandcrab. One example of this is the reuse and reference to a URL that leads to an image featuring Russian text and a picture of the Russian president, like Gandcrab had in its code.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/Nemty-image.png\")
<\/p>\nFIGURE 3. Hardcoded URL inside the Nemty ransomware pointing to the same image as GandCrab<\/p>\n
The Nemty authors released different versions of their ransomware. In this research article we will highlight how the first version works and the significant changes added in subsequent versions.<\/p>\n
Hash:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 505c0ca5ad0552cce9e047c27120c681ddce127d13afa8a8ad96761b2487191b<\/p>\n
Compile Time:\u00a0 \u00a0 2019-08-20 19:13:54<\/p>\n
Version:\u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 \u00a0 1.0<\/p>\n
The malware sample is a 32-bit binary. The packer and malware are written in the C\/C++ language as the author announced on the underground forum.<\/p>\n
The compilation date in the PE header is the 20th of August 2019.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/EXEinfo-image.png\")
<\/p>\nFIGURE 4. EXEInfo Image<\/p>\n
Nemty uses RunPE in execution, meaning it unpacks in memory before execution.<\/p>\n
Analyzing the sample, we could find how the developer added certain protections to their code, such as:<\/p>\n
- \n
- Decrypting certain information in the memory only if the encryption process is working as planned<\/li>\n
- Clearing the memory after finishing some operations<\/li>\n
- Information sharing between different memory addresses, cleaning the previous memory space used<\/li>\n<\/ul>\n
Ransomware Note Creation Process<\/h2>\n
In order to create the ransomware note, Nemty takes each string and saves it into memory. When the ransomware compiles all the required strings it will join them together to create the entire ransomware note. In this operation, Nemty will decrypt line by line, moving the data to another memory address and cleaning the previous one to leave the information only in the new memory space.<\/p>\n
For the first version of Nemty, the encryption method was not applied consistently to all the strings, which is why it is possible to see some strings and spot part of the functionalities or juicy files from them.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/clear-strings-in-Nemty.png\")
<\/p>\nFIGURE 5. Clear strings in Nemty<\/p>\n
Nemty and the Logical Units<\/h2>\n
In execution, Nemty will check all the logical units available in the system, saving the information about them in a static list with the following information:<\/p>\n
- \n
- Type of unit<\/li>\n
- Available free space<\/li>\n<\/ul>\n
Through the use of the Windows API, \u2018GetDriveTypeA\u2019, the ransomware will differentiate units between:<\/p>\n
- \n
- Removable<\/li>\n
- Fixed<\/li>\n
- Network<\/li>\n<\/ul>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/checking-the-type-of-logic-units.png\")
<\/p>\nFIGURE 6. Checking the type of logic units<\/p>\n
To check the free space available in the system, Nemty will use \u201cGetDiskFreeSpaceExA\u201d, again through the Windows API:<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/checking-free-disk-space.png\")
<\/p>\nFIGURE 7. Checking free disk space<\/p>\n
Extracting Public IP Address from the Victim<\/h2>\n
Since the first version, Nemty has implemented a functionality to extract the public IP address of the victim. The information is extracted through a request to the IPIFY service at http:\/\/api.ipify.org<\/a>. These types of services are frequently used by RaaS to check the location where the victim was infected.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/Nemty-getting-public-IP.png\")
<\/p>\nFIGURE 8. Nemty getting the public IP<\/p>\n
The User-agent for some of the Nemty versions was the \u2018Chrome\u2019 string. The user-agent is hardcoded as a single string in the ransomware instead of using an original user-agent.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/getting-victim-IP.png\")
<\/p>\nFIGURE 9. Getting the IP address of the victim machine<\/p>\n
The IPIFY service is used to retrieve the public IP address of the victim and, with the extracted data, Nemty makes another connection to http:\/\/api.db-api.com\/v2\/free\/countryName using the data previously obtained as an argument. The extracted IP address and country data is used later used as a part of the ransomware note creation.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/country-name-strings.png\")
<\/p>\nFIGURE 10. Getting the country name strings based on the IP address<\/p>\n
Victim Information Extraction<\/h2>\n
Nemty will extract the following information from the victim:<\/p>\n
- \n
- Username\n
- \n
- Using the windows API GetUserNameA<\/li>\n<\/ul>\n<\/li>\n
- Computer name\n
- \n
- Using the windows API GetComputerNameA<\/li>\n<\/ul>\n<\/li>\n
- Hardware profile\n
- \n
- Using the windows API GetCurrentHwProfileA<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
With this data, the authors ensure that the infected victim is unique, which helps the RaaS operators quantify how many victims they were able to infect themselves or through the use of affiliates.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/getting-user-data.png\")
<\/p>\nFIGURE 11. Get Username, Computer Name and Hardware Profile from the victim machine<\/p>\n
Nemty 1.0, Wrongly Applying the Country Protection<\/h2>\n
RaaS families usually apply some protections to prevent infecting certain geographic regions. In the first version, Nemty still had this feature in development as our analysis showed that the ransomware did not check whether the victim belonged to any of the supposed blacklisted countries. During our analysis of ransomware it is quite usual to find functions that are still in development and are then incorporated in future versions.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/countries.png\")
<\/p>\nIf the detected country is in the blacklist, Nemty returns the string \u201ctrue\u201d and keeps it in the config. If the country is not found, the value of the field will be false.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/country-name-check.png\")
<\/p>\nFIGURE 12. Check the country name and return true or false string<\/p>\n
Nemty Encryption Keys<\/h2>\n
Immediately after making this check, Nemty will decode, from base64, the value of the master key and keep it in a memory address to use later. In parallel, it will prepare a random string with a fixed size of 7 characters and use it with the string \u201c_NEMTY_\u201d to create the ransomware note with the specific extension used in the encrypted files. Nemty will create a pair of RSA keys, one public and one private, in this process.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/export-public-keys.png\")
<\/p>\nFIGURE 13. Export public RSA and private keys<\/p>\n
Within this operation, Nemty will encode those keys in base64:<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/encode-of-RSA-keys.png\")
<\/p>\nFIGURE 14. Encode of RSA keys generated<\/p>\n
After this encoding, Nemty will decode again the victim RSA public key and import it for later use.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/decoding-RSA-key.png\")
<\/p>\nFIGURE 15. Decoding of the RSA public key for later use<\/p>\n
The same operation is again used but this time with the master RSA public key from the ransomware developers.<\/p>\n
Nemty Encryption Keys<\/h2>\n
In the encryption process, with all the data collected from the user, Nemty will create their config file, all in memory. The config file is a JSON structured file with all the collected data and the AES key previously created. Regarding the key used, it is the same for all of the files, however Nemty uses a different IV for each file.<\/p>\n
Nemty Configuration File:<\/h2>\n
An example of the information collected by Nemty and later used in the config file can be found below:<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/information-collected-by-Nemty.png\")
<\/p>\nThis is an example Nemty configuration file:<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/Nemty-config-file.png\")
<\/p>\nFIGURE 16. Nemty config file<\/p>\n
The different fields for the configuration file are:<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/configuration-fields.png\")
<\/p>\nThe configuration file will be saved on the disk encrypted with a RSA public key of 8192 bits and encoded in base64.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/crypt-the-config-file.png\")
<\/p>\nFIGURE 17. Crypt the config file and encode in base64<\/p>\n
Nemty will get the username logged in the system through \u2018SHGetFolderPathW\u2019 and will save and encrypt it with the .nemty extension on that folder.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/getting-root-folder.png\")
<\/p>\nFIGURE 18. Getting the user\u2019s root folder<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/creation-of-config-file.png\")
<\/p>\nFIGURE 19. Creation of the config file on the disk<\/p>\n
Nemty Encryption Threads<\/h2>\n
For the encryption, Nemty will create a new thread per each logic unit found in the system in order to encrypt the files.<\/p>\n
The method used to encrypt the files is similar to other RaaS families, getting all the files using the function \u2018FindFirstFileW\u2019 and \u2018FindNextFileW. Nemty will avoid encrypting folders with the following names:<\/p>\n
- \n
- .<\/li>\n
- ..<\/li>\n
- \u2026<\/li>\n<\/ul>\n
The encryption process will also avoid using files with the following names:<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/ignored-files.png\")
<\/p>\n![\"\"](\"\/wp-content\/uploads\/2020\/04\/blacklisted-folder-and-file-names.png\")
<\/p>\nFIGURE 20. Check of the blacklisted folder and file names<\/p>\n
This check is done using the insensitive function \u201clstrcmpiW\u201d. Where Nemty is encrypting a file it will try two combinations, one in lower case, one in uppercase.<\/p>\n
The extensions checked are:<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/extension-check.png\")
<\/p>\n<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/file-extension-check.png\")
<\/p>\nFIGURE 21. Check of the file extensions<\/p>\n
If Nemty has successful checks, it will create a random IV and encrypt part of the file with the AES keys previously generated. It then begins the IV using the victim\u2019s RSA public key and appends it to the encrypted file.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/write-crypted-file.png\")
<\/p>\nFIGURE 22. Write the crypted file and put the IV in it<\/p>\n
Nemty will put the information required to decrypt the file in the encrypted part of it and then add the extension \u201c.nemty\u201d and continue with the next folder or file.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/Nemty-extension.png\")
<\/p>\nFIGURE 23. Renaming of the new file with the Nemty extension<\/p>\n
After finishing the encryption process Nemty will use the function \u2018WaitForSingleObjects\u2019 and wait for all the pending threads. It will also download the Tor Browser and open a connection in the loopback with the configuration file.<\/p>\n
As a final action, Nemty will execute the command prompt of the machine with the hardcoded word \u201ccmd.exe\u201d and open the ransomware note.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/opening-the-ransom-note.png\")
<\/p>\nFIGURE 24. Opening the ransom note<\/p>\n
The style of the ransomware note changed across the different versions that the Nemty developers released.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/ransom-note-versions.png\")
<\/p>\nFIGURE 25. Different ransom notes between versions<\/p>\n
On the left side, we can see Nemty version 1.4. On the right side, the ransomware note belongs to Nemty version 1.0.<\/p>\n
Like other ransomware families, Nemty will perform these actions at the end:<\/p>\n
- \n
- Delete the shadow copies using vssadmin<\/li>\n
- Disable boot protections with bcedit and wbadmin<\/li>\n
- Delete the Windows catalog with WMIC using the class shadow copy<\/li>\n<\/ul>\n
All these calls are made with the function \u201cShellExecuteA\u201d with the \u201ccmd.exe\u201d string as the main program and the other as an argument.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/deleting-shadow-volumes.png\")
<\/p>\nFIGURE 26. Deletion of the shadow volumes, disabling boot protections, and deleting the catalog<\/p>\n
Mutex<\/h2>\n
Nemty will create a specific mutex in the system every time it infects a system:<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/mutex.png\")
<\/p>\nThe ransomware will check the existence of the mutex using the function \u201cGetLastError\u201d.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/creation-of-hardcoded-mutex.png\")
<\/p>\nFIGURE 27. Creation of the hardcoded mutex<\/p>\n
If the system was infected previously with Nemty and it contains the mutex, the ransomware will finish the execution using the function \u201cExitThread\u201d. This call will end the main thread of the malware, finishing the execution and returning the control to the operative system.<\/p>\n
The \u201cExitProcess\u201d function is often used to avoid simple API monitoring.<\/p>\n
Nemty uses RC4 to encrypt its strings and, in execution, those will be decrypted and decoded from base64 and then be used as a part of the ransomware note.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/calculating-memory-size.png\")
<\/p>\nFIGURE 28. Calculating the size of memory to decode from base64<\/p>\n
The RC4 key used for Nemty 1.0 is \u2018f*ckav\u2019. Other malware families also often use offensive names or expressions regarding the security industry in their implementations.<\/p>\n
For decryption, the developers implemented a function through the API to reserve the needed space with \u2018malloc\u2019 and later decode the string in memory. As a protection, if the ransomware fails to get the size or on the decoding operation, the execution will finish using \u201cExitThread\u201d.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/decrypt-with-RC4.png\")
<\/p>\nFIGURE 29. Decrypt the data with RC4<\/p>\n
Nemty – Learning by Doing<\/h2>\n
Since the first version of Nemty was released, the authors started to evolve their ransomware by adding new capabilities and fixing aspects of its code.<\/p>\n
Analyzing the early versions of Nemty, we can state that they were more advanced in techniques and obfuscation compared to other RaaS families, but the first version still contained functions with some mistakes, such as references to API calls that were not used by the ransomware.<\/p>\n
At the time we wrote this article, the developers behind the ransomware have released 9 different versions:<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/Nemty-versions.png\")
<\/p>\nChangelog Nemty 1.4<\/h2>\n
We have observed changes across the different versions of Nemty. For version 1.4, the developers applied the following changes:<\/p>\n
- \n
- The ransomware will gather information regarding the logical units after checking if the victim has the Nemty mutex.<\/li>\n
- Language check\n
- \n
- In this version, Nemty will respect and avoid encrypting files for victims inside the CIS countries.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/blacklisted-languages.png\")
<\/p>\nFIGURE 30. Check to avoid crypting if the language is blacklisted<\/p>\n
CHANGES IN VERSION 1.5<\/h2>\n
Compared with Nemty 1.4, this newer version was a major release, adding the following changes:<\/p>\n
- \n
- Victim information stored in the registry<\/li>\n
- Persistence<\/li>\n
- Ability to kill processes and services<\/li>\n
- New mutex<\/li>\n
- Hardcoded image change<\/li>\n
- C2 panel publicly accessible<\/li>\n
- 4 new blacklisted countries<\/li>\n<\/ul>\n
Victim Information Stored in the Registry<\/h2>\n
The first major change in this version of Nemty was the use of the Windows registry to store information about the infected machine. The hive used is HKCU with the NEMTY identifier.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/information-saved-in-the-registry.png\")
<\/p>\nFIGURE 31. Information saved in the registry<\/p>\n
Ability to Kill Processes and Services<\/h2>\n
The second feature added is the possibility to kill certain processes to facilitate file encryption in the system, something that is commonly implemented by other RaaS families.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/processes.png\")
<\/p>\nIn order to kill those processes, Nemty will use taskkill \/im PROCESSNAME.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/termination-of-processes.png\")
<\/p>\nFIGURE 32. Termination of processes<\/p>\n
Among certain kill processes, Nemty will stop certain services in the system with the same objectives:<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/stop-services.png\")
<\/p>\nTo stop the services Nemty, will use \u201cnet stop\u201d and the service name.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/stop-of-services.png\")
<\/p>\nFIGURE 33. Stop of services on the victim machine<\/p>\n
Persistence<\/h2>\n
The first versions of Nemty did not have any persistence technique, so the author decided to add it in version 1.5. The persistence is done through a scheduled task, \u201ccreate \/sc onlogon\u201d. The binary is copied into the main user directory with the name hardcoded (this can be adapted for every binary released) \u201cAdobeUpdate.exe\u201d and the task launched using \u201cShellExecute\u201d.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/persistence.png\")
<\/p>\nFIGURE 34. Creation of a schedule task to persistence<\/p>\n
Hardcoded Image Change<\/h2>\n
Regarding the picture hardcoded in the first versions, for this version, Nemty decided to change it and include a new one.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/new-image.png\")
<\/p>\nFIGURE 35. New image referenced in the malware<\/p>\n
C2 Panel Publicly Accessible<\/h2>\n
The author, decided to swap TOR for a public C2 panel where Nemty will send the victim\u2019s data.<\/p>\n
https:\/\/nemty.hk\/public\/gate?data=<victim_data><\/p>\n
4 New Blacklisted Countries<\/h2>\n
For this version, the author added four new countries to the blacklist:<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/new-country-blacklist.png\")
<\/p>\nChanges in Version 1.6<\/h2>\n
Compared with the previous version, Nemty in the 1.6 version only implemented one single change. The author used their own implementation of the AES algorithm instead of using the CryptoAPI.<\/p>\n
The way that the malware previously generated the random key was based on functions of time but with version 1.6 it mostly used some other value to generate the random key.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/changes-in-key-generation.png\")
<\/p>\nFIGURE 36. Changes in the key generation function<\/p>\n
One of the partners in the No More Ransom project<\/a>, Tesorion, decided to publish a free decryptor for victims infected by Nemty. After the announcement, the Nemty authors released a new version utilizing a proper AES function using CryptoAPI.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/new-implementation-of-AES-crypto.png\")
<\/p>\nFIGURE 37. New implementation of the AES crypto using CryptoAPI<\/p>\n
Like in a game of cat and mouse, Tesorion released a new decryptor for this specific version. The Nemty authors responded by including a harcoded message to Tesorion in the samples:<\/p>\n
Tesorion \u201ctesorion, thanks for your article\u201d.<\/em><\/p>\n
Second Version of 1.6<\/h2>\n
Instead of changing the Nemty version number in this new binary, the authors released a new version of 1.6 with some changes.<\/p>\n
The changes added for this version are:<\/p>\n
- \n
- New vssadmin utility used<\/li>\n
- New processes and services to kill<\/li>\n
- FakeNet feature<\/li>\n<\/ul>\n
This new version was released just 2 days after the first 1.6 version was released; this means that the actor is quite active in developing this ransomware.<\/p>\n
New Vssadmin Utility Used<\/h2>\n
The first change for this version is how the logical units where enumerated. The Nemty author implemented the use of the utility \u201cvssadmin\u201d and also reduced the capacity of the shadow volumes to 401MB. This change probably helped the ransomware in terms of performance.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/resizing-shadow-volumes.png\")
<\/p>\nFIGURE 38. Resize of the shadow volumes in the target logic unit<\/p>\n
The idea of this change was to remain more stealthy against endpoint security products, instead of just deleting the shadow copy and executing queries through WMI, BCEDIT, etc. The author changed their approach to use vssadmin with the delete flag.<\/p>\n
New Processes and Services to Kill<\/h2>\n
The Nemty authors added new processes to kill in order to facilitate file encryption:<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/new-processes-to-kill.png\")
<\/p>\nIn addition to new processes, the author also included new services:<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/new-services.png\")
<\/p>\nFakeNET Feature<\/h2>\n
For this version the Nemty authors decided to add one interesting feature. The ransomware in execution had implemented a function to retrieve the victim\u2019s public IP address. In the case that Nemty cannot connect with the external IP address, the ransomware will add fake data in order to continue the encryption process. The fake data will be:<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/fake-data.png\")
<\/p>\n<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/fake-IP-address-and-country-name-information.png\")
<\/p>\nFIGURE 39. Nemty using fake IP address and country name information if it cannot connect to the URL to get a WAN IP<\/p>\n
This feature implemented by Nemty will expose users in the protected countries as it will encrypt the system, even if the user belongs to one of the countries specified in the static blacklist.<\/p>\n
Version 2.0<\/h2>\n
In this version the developers decided to remove certain features and added a new encryption process:<\/p>\n
- \n
- The FakeNet feature was deleted and Nemty only used the old mechanism to check the victim\u2019s region.<\/li>\n
- An initial function that prepares a container to use the RC4 algorithm with the name \u201crc4\u201d and get a key based in the hardcoded string (can change in other samples) \u201csosorin :)\u201d. This key is used to decrypt part of the ransom note and certain strings. It changes the use of the authors\u2019 own RC4 implementation to now use the RC4 algorithm with CryptoAPI.<\/li>\n
- A new generation of RSA containers of keys, improving the key generation process.<\/li>\n
- The ransom note text included \u201cNEMTY REVENGE\u201d instead of \u201cNEMTY PROJECT\u201d and also added the sentence: \u201cDon\u2019t trust anyone. Even your dog\u201d.<\/li>\n<\/ul>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/ransomware-note.png\")
<\/p>\nFIGURE 40. Nemty ransomware note<\/p>\n
Version 2.2<\/h2>\n
For this version, the Nemty developers only made two minor changes:<\/p>\n
- \n
- Change of the mutex name<\/li>\n
- A new ransom note:<\/li>\n<\/ul>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/example-of-new-ransom-notes.png\")
<\/p>\nFIGURE 41. Example of the new ransom note<\/p>\n
Version 2.3<\/h2>\n
In this version, we found major changes compared with the prior version:<\/p>\n
- \n
- A new mutex value<\/li>\n
- The service used to get the public IP changed from https:\/\/api.ipify.org to https:\/\/www.myexternalip.com\/raw\n
- \n
- In case the lookup fails, the external address changes from NONE to NOT_DEFINED.<\/li>\n<\/ul>\n<\/li>\n
- The Windows OS check for XP was duped in prior versions and now only has one specific check.<\/li>\n
- The configuration fields changed, certain fields were removed and new ones were added.\n
- \n
- This is an example for the new configuration file:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
{<\/em><\/p>\n
\u00a0\u00a0 “fileid”:”NEMTY_E1EIVPU”,<\/em><\/p>\n
\u00a0\u00a0 “configid”:”mArJi2x3q3yFrbvL8EYkKezDeGPgWeOG”,<\/em><\/p>\n
\u00a0\u00a0 “compid”:”{a3cande1-f85f-1341-769f-806d6172f54544}”,<\/em><\/p>\n
\u00a0\u00a0 “ip”:”NONE”,<\/em><\/p>\n
\u00a0\u00a0 “country”:”{\u00a0\u00a0\u00a0 ”\u00a0\u00a0 “errorCode”\u00a0\u00a0 “: ”\u00a0\u00a0 “INVALID_ADDRESS”\u00a0\u00a0 “,\u00a0\u00a0\u00a0 ”\u00a0\u00a0 “error”\u00a0\u00a0 “: ”\u00a0\u00a0 “invalid addr”\u00a0\u00a0 “,”\u00a0\u00a0 “version”\u00a0\u00a0 “:”\u00a0\u00a0 2.3\u00a0\u00a0 “,”\u00a0\u00a0 “computer_name”\u00a0\u00a0 “:”\u00a0\u00a0 “USERPC”\u00a0\u00a0 “,”\u00a0\u00a0 “username”\u00a0\u00a0 “:”\u00a0\u00a0 “User”\u00a0\u00a0 “,”\u00a0\u00a0 “os”\u00a0\u00a0 “:”\u00a0\u00a0 “Windows XP”\u00a0\u00a0 “,”\u00a0\u00a0 “pr_key”\u00a0\u00a0 “:”\u00a0\u00a0 BwIAAACkAABSU0EyAAgAAAEAAQDdTDOyFDw4+kjmmP2epZ\/484E7PLyyZ5W1obSZSHWPirGeobWwqnoVTXLPbKVYXZ4qszCzO71hwFKcKjeYjX1dVzSlonqpWlU5d2XLtM+6oN9PTUIv2Fp8Quf8w3FU+0OmmS9A0s3n6cnvpA8oIJTZFgYurYDs78Gv3dt4dUkQioqyT\/kWBOTZMBARqjiN6JwCCZDU4moRm+9IcqiXzUydebF99EoHxKcJrAekIHuHbHzZq\/FcVogFSHT+4aV2\/NTrESiNLeLYWv0S\/GJrYs2xoLLe3NpdW7disE\/PY1yn4flWGPU931AWy4\/ba8+bjRXr1UPCKFk370oqWesemfK8j694toexJlRYc8s1mql2T6gq\/NnqsWIxgR2B4Esn3xMzXcGZD86mA+XO\/gZWgZw9kyJ4rzonWiF8OMWznKgmC0n4rxoOh70eE0m15LPkJOJwmBcVoHE189R71titoNMEYZsK8\/WE0x8YJjAAdxmI4ATufV1ZUDbO7yOf5Tc5UuHTxu5iUOL0dO004Hh0t6SZIxbjUbtlHhJTiUULL+TpyG9YP1LyNMhKDE80viN9Co\/a6xbs6IRhxhRRFthtHE\/kRBeYfhptCblWOStLebtrNgwfe8f3AR2XdH6uESiQ8rTXG\/dSgXOfmUQzuvSbxdL4aQ5docbtjQlMEl\/FqYqs1pGTEB+cBATRoeY97LSCr\/ZvhQPUVPyAD0NHKPOUawrGtXyiAYP3WWhKOQFM1nqQ1E9Mf38NHbaQtNJ8s\/BOvMxra2Q9AaCd34IGz3uZuEZIqqXx2qqchHoHPFvopBnkCiJThmb0PoUHsA4keC7EIv3To038Wg2GYhfzy6+vwEIx01F02xhZSHjSUlSmYM2YiS4FZu2F02L49tUPIueqo3ON2ts+G\/z36kkaBFocPRJjQGL2cUmG0jI0kdahL6uNYfUL3Cu261bmxewxS1eSk+cb2zC5OckuwxoT66ZddRF+Ud2K2SIPV3oMy3D\/4oUtsrAEUv2inEthtwvY8FdzzsM1KlcvLszggKHRdTe4a3hf9ALU7omy3avhGaCtznhRnZvD0W1QNKyKRYBCtHc7e30EpbYtQ8kxRBrrQfySsQMDPfagETSDQMRdD0lLmNCsaJJqS9s7CnsXuTedTiOZA7Nddrc\/qUceeZ7ZXMvwhpQJ6TglLJ\/qCMFz6u63biGhCi38BxVRhrFzMIV4wEHlmw\/7ZKiIsE49XvWzJJH3J6cgvw8XGysgS29w8McqSVaucPhw+lONwc8SLTqDwZ78ozJmr3Hq4bWFjlMSeo\/H8tzr++eVMAwNiiECWo2\/i2WwraBG7\/jpwtedjQF576tBE6TEvriVjohjyhAYj0SprtJoqS5kX6NVM8c8GaeVKbcUp6bPqZLlGi1yfP0dhgpnR81SfDVuv\/RaLPedYPfKL3hK1g6UbRJvENVgrr5tik8TLley6v73MI1pbWmEnr48Zk8Y6bb4fm0H9OvkiDYmDDTh4I49TNEyuw8eD8auJ6CsapZUTmvqMlrGI3rnjueTdjQ=\u00a0\u00a0 “,”\u00a0\u00a0 “drives”\u00a0\u00a0 “:[{”\u00a0\u00a0 “drive_type”\u00a0\u00a0 “:”\u00a0\u00a0 “FIXED”\u00a0\u00a0 “,”\u00a0\u00a0 “drive_letter”\u00a0\u00a0 “:”\u00a0\u00a0 “C”:”\/”\u00a0\u00a0 “,”\u00a0\u00a0 “total_size”\u00a0\u00a0 “:”\u00a0\u00a0 9GB\u00a0\u00a0 “,”\u00a0\u00a0 “used_size”\u00a0\u00a0 “:”\u00a0\u00a0 9GB\u00a0\u00a0 “},{”\u00a0\u00a0 “drive_type”\u00a0\u00a0 “:”\u00a0\u00a0 “NETWORK”\u00a0\u00a0 “,”\u00a0\u00a0 “drive_letter”\u00a0\u00a0 “:”\u00a0\u00a0 “E”:”\/”\u00a0\u00a0 “,”\u00a0\u00a0 “total_size”\u00a0\u00a0 “:”\u00a0\u00a0 9GB\u00a0\u00a0 “,”\u00a0\u00a0 “used_size”\u00a0\u00a0 “:”\u00a0\u00a0 9GB \u00a0\u00a0“\\”}]}”<\/em><\/p>\n
<\/p>\n
- \n
- The User-agent changed to a new one, \u201cNaruto Uzumake\u201d.<\/li>\n
- Concatenating a lot of taskkill commands through the use of \u201cShellExecuteA\u201d; this version of Nemty kills a lot of new processes.<\/li>\n<\/ul>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/killing-processes-with-CMD.png\")
<\/p>\nFIGURE 42. Killing processes with CMD<\/p>\n
- \n
- For this version, the authors added PowerShell executions using a command prompt with the function \u201cShellExecuteA\u201d :<\/li>\n<\/ul>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/launching-a-PowerShell-command.png\")
<\/p>\nFIGURE 43. Launching a PowerShell command<\/p>\n
- \n
- This version added a new subkey in the registry key \u201cRun\u201d in the hive HKEY_CURRENT_USER with the name \u201cdaite drobovik\u201d:<\/li>\n<\/ul>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/creating-persistence.png\")
<\/p>\nFIGURE 44. Creating persistence<\/p>\n
- \n
- The ransom note was again changed for this version:<\/li>\n<\/ul>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/ransom-note-2.3.png\")
<\/p>\nFIGURE 45. Example of the ransom note in version 2.3<\/p>\n
Version 2.4<\/h2>\n
This version was a minor release like Nemty 2.2. In our analysis we only noted changes for the ransom note:<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/ransom-note-2.4.png\")
<\/p>\nFIGURE 46. Example of the ransom note in version 2.4<\/p>\n
Version 2.5<\/h2>\n
This is the last version of Nemty we discovered. This one represents a minor release and we only spotted two changes for this version:<\/p>\n
- \n
- A new mutex value<\/li>\n
- A new ransom note:<\/li>\n<\/ul>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/ransom-note-2.5.png\")
<\/p>\nFIGURE 47. Example of the ransom note in version 2.5<\/p>\n
Relationship between JSWORM and Nemty<\/h2>\n
Our Advanced Threat Research (ATR) team followed the activity of the user jsworm in the underground forums, and uncovered another piece of their ransomware, called JSWORM ransomware. Below is an announcement they made on the same forum on which they presented Nemty:<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/JSWORM-Nemty-announcement.png\")
<\/p>\nFIGURE 48. JSWORM ransomware and Nemty announcement<\/p>\n
We analyzed all the samples we had of JSWORM and Nemty and could not find any relationship in the code base between them, but it is clear that both pieces of ransomware belong to the same moniker.<\/p>\n
\n\n
\n HASH<\/strong><\/td>\n FAMILY<\/strong><\/td>\n Compilation timestamp<\/strong><\/td>\n<\/tr>\n \n 0b33471bbd9fbbf08983eff34ee4ddc9<\/strong><\/td>\n Nemty<\/td>\n 2019-08-29 08:31:32<\/td>\n<\/tr>\n \n 0e0b7b238a06a2a37a4de06a5ab5e615<\/strong><\/td>\n Nemty<\/td>\n 2019-08-19 04:34:25<\/td>\n<\/tr>\n \n 27699778d2d27872f99ee491460485aa<\/strong><\/td>\n JSWORM<\/td>\n 1992-06-19 22:22:17<\/td>\n<\/tr>\n \n 31adc85947ddef5ce19c401d040aee82<\/strong><\/td>\n JSWORM<\/td>\n 2019-07-19 05:21:52<\/td>\n<\/tr>\n \n 348c3597c7d31c72ea723d5f7082ff87<\/strong><\/td>\n Nemty<\/td>\n 2019-08-25 11:58:28<\/td>\n<\/tr>\n \n 37aaba6b18c9c1b8150dae4f1d31e97d<\/strong><\/td>\n Nemty<\/td>\n 2019-08-20 19:13:54<\/td>\n<\/tr>\n \n 4ca39c0aeb0daeb1be36173fa7c2a25e<\/strong><\/td>\n Nemty<\/td>\n 2019-08-13 14:46:54<\/td>\n<\/tr>\n \n 5126b88347c24245a9b141f76552064e<\/strong><\/td>\n Nemty<\/td>\n 2019-08-21 16:16:54<\/td>\n<\/tr>\n \n 5cc1bf6122d38de907d558ec6851377c<\/strong><\/td>\n Nemty<\/td>\n 2019-08-21 14:27:55<\/td>\n<\/tr>\n \n 74701302d6cb1e2f3874817ac499b84a<\/strong><\/td>\n JSWORM<\/td>\n 2019-07-10 08:44:29<\/td>\n<\/tr>\n \n 7def79329823f3c81a6d27d2c92460ef<\/strong><\/td>\n JSWORM<\/td>\n 2019-07-09 18:54:23<\/td>\n<\/tr>\n \n dcec4fed3b60705eafdc5cbff4062375<\/strong><\/td>\n Nemty<\/td>\n 2019-08-21 19:25:16<\/td>\n<\/tr>\n \n de9e1a5fc0f0a29b97eb99542d1f297a<\/strong><\/td>\n JSWORM<\/td>\n 2019-07-09 20:25:14<\/td>\n<\/tr>\n \n f270805668e8aecf13d27c09055bad5d<\/strong><\/td>\n Nemty<\/td>\n 2019-08-21 18:42:10<\/td>\n<\/tr>\n \n f796af497399c256129f2ce61eb8855b<\/strong><\/td>\n JSWORM<\/td>\n 2019-07-19 05:24:00<\/td>\n<\/tr>\n \n fbf7ba464d564dbf42699c34b239b73a<\/strong><\/td>\n JSWORM<\/td>\n 1992-06-19 22:22:17<\/td>\n<\/tr>\n \n 0f3deda483df5e5f8043ea20297d243b<\/strong><\/td>\n Nemty<\/td>\n 2018-12-04 11:00:39<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n Some of the samples released contain custom packers so the compilation timestamp is not accurate for those cases.<\/p>\n
Based on the data of the binaries we found, we can see how Nemty activity started some time after the JSWORM ramsomware disappeared. This could indicate that the threat actor jsworm was developing both pieces of ransomware at the same time.<\/p>\n
Free Decryptor Available Through No More Ransom<\/h2>\n
One of the partners of NoMoreRansom<\/a> was able to release a working version of a Nemty decryptor. If someone is affected by this ransomware, it is possible to contact them<\/a> through NoMoreRansom to get a decryptor.<\/p>\n
Nemty Releases Customer Data Publicly<\/h2>\n
In our analysis of the Nemty ransomware, we spotted a new trend in how its authors managed the data of their victims.<\/p>\n
In this instance, much like we have seen with other ransomware families like Maze, Nemty has its own website on which customer data is publicly released.<\/p>\n
![\"\"](\"\/wp-content\/uploads\/2020\/04\/Nemty-website.jpg\")
<\/p>\nImage source: Bleeping Computer<\/p>\n
Conclusion<\/h2>\n
Despite the number of RaaS families that appeared this year, Nemty represents another piece to observe and follow. Since we started to watch the activities of this ransomware, the criminals behind it have released multiple new versions with bug fixes and improvements. Such activity suggests that ransomware authors are feeling pressure from the great work done by security researchers and organizations, and in the case of Nemty, even from the underground criminal community which itself was quick to criticize some of its functions and implementations.<\/p>\n
\n\n
\n Technique ID<\/strong><\/td>\n Technique Description<\/strong><\/td>\n<\/tr>\n \n T1124<\/strong><\/td>\n System Time Discovery<\/td>\n<\/tr>\n \n T1083<\/strong><\/td>\n File and Directory Discovery<\/td>\n<\/tr>\n \n T1012<\/strong><\/td>\n Query Registry<\/td>\n<\/tr>\n \n T1057<\/strong><\/td>\n Process Discovery<\/td>\n<\/tr>\n \n T1047<\/strong><\/td>\n Windows Management Instrumentation<\/td>\n<\/tr>\n \n T1035<\/strong><\/td>\n Service Execution<\/td>\n<\/tr>\n \n T1215<\/strong><\/td>\n Kernel Modules and Extensions<\/td>\n<\/tr>\n \n T1179<\/strong><\/td>\n Hooking<\/td>\n<\/tr>\n \n T1112<\/strong><\/td>\n Modify Registry<\/td>\n<\/tr>\n \n T1107<\/strong><\/td>\n File Deletion<\/td>\n<\/tr>\n \n T1089<\/strong><\/td>\n Disabling Security Tools<\/td>\n<\/tr>\n \n T1055<\/strong><\/td>\n Process Injection<\/td>\n<\/tr>\n \n T1179<\/strong><\/td>\n Hooking<\/td>\n<\/tr>\n \n T1055<\/strong><\/td>\n Process Injection<\/td>\n<\/tr>\n \n T1132<\/strong><\/td>\n Data Encoding<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n Coverage<\/h3>\n
Generic Trojan.si<\/p>\n
GenericRXIS-SF!348C3597C7D3<\/p>\n
GenericRXIS-SF!37AABA6B18C9<\/p>\n
GenericRXIS-SF!5CC1BF6122D3<\/p>\n
GenericRXIU-OJ!0B33471BBD9F<\/p>\n
Ransom-Nemty!09F3B4E8D824<\/p>\n
Ransom-Nemty!2FAA102585F5<\/p>\n
Ransom-Nemty!65B07E2FD628<\/p>\n
Ransom-Nemty!9D6722A4441B<\/p>\n
RDN\/GenDownloader.alr<\/p>\n
RDN\/Generic.fps<\/p>\n
RDN\/Generic.fqr<\/p>\n
RDN\/Generic.fry<\/p>\n
RDN\/Generic.ftv<\/p>\n
RDN\/Generic.fxs<\/p>\n
RDN\/Generic.fyy<\/p>\n
RDN\/Ransom.gg<\/p>\n
RDN\/Ransom.gn<\/p>\n
Trojan-FRGK!484036EE8955<\/p>\n
Indicators of Compromise<\/h2>\n
\n\n
\n Hash<\/strong><\/td>\n PE TimeStamp<\/strong><\/td>\n<\/tr>\n \n 64a1ce2faa2ab624afcbbbb6f43955e116b6c170d705677dba6c4818770903aa<\/strong><\/td>\n 1992:06:20 00:22:17+02:00<\/td>\n<\/tr>\n \n c537c695843ab87903a9dbc2b9466dfbe06e8e0dde0c4703cbac0febeb79353a<\/strong><\/td>\n 1992:06:20 00:22:17+02:00<\/td>\n<\/tr>\n \n 8e6f56fef6ef12a9a201cad3be2d0bca4962b2745f087da34eaa4af0bd09b75f<\/strong><\/td>\n 1992:06:20 00:22:17+02:00<\/td>\n<\/tr>\n \n ca46814881f2d6698f64f31e8390fe155b9fd0d8f50b6ab304725a2251434aa7<\/strong><\/td>\n 2009:08:13 23:36:24+01:00<\/td>\n<\/tr>\n \n 5d04d789d66152e3fc0a2d84a53c3d7aa0f5d953c1a946619deeb699f3866e26<\/strong><\/td>\n 2017:01:02 12:16:24+01:00<\/td>\n<\/tr>\n \n a743d29eb16f9b4a59b2fd8c89e59053bdccce362f544fe82974e80d580c88f6<\/strong><\/td>\n 2018:03:27 07:09:32+02:00<\/td>\n<\/tr>\n \n 5439452012a052851fdd0625abc4559302b9d4f4580e2ec98680e9947841d75d<\/strong><\/td>\n 2018:04:17 01:50:07+02:00<\/td>\n<\/tr>\n \n 20d432c171ec17e7c5105f032210a96ea726ffc52154b79ec43acd62d6e3f304<\/strong><\/td>\n 2018:06:09 22:43:06+02:00<\/td>\n<\/tr>\n \n 9fad280bb034a4683be9ab4a35d2859e61dc796a6134436b4403c2cb9a9ebfea<\/strong><\/td>\n 2018:06:09 23:45:15+00:00<\/td>\n<\/tr>\n \n 7c1aaccca9dd236b9271c734d987d0fccc3e91bfa4c445c5e1c7c41e61ffe3ca<\/strong><\/td>\n 2018:06:16 17:31:40+02:00<\/td>\n<\/tr>\n \n 2f2aeb72dd127057fac1eeefdc0539fc3fa7bdff36d288bd7e20f2756194253d<\/strong><\/td>\n 2018:06:16 23:24:06+02:00<\/td>\n<\/tr>\n \n 6b3fea34cb8bb5cc6d698e30933884e1fe55c942d8768da85eb1c8085525bb41<\/strong><\/td>\n 2018:06:20 00:56:49+01:00<\/td>\n<\/tr>\n \n 345380e840249081cba552af4ab28d7c65d4052f6e4bedd748b673b8853e6e96<\/strong><\/td>\n 2018:06:20 01:56:49+02:00<\/td>\n<\/tr>\n \n 0f6e82387a5fe0f64d7cec15466b17a623aa8faaf9971df3c49ab65d49d1422e<\/strong><\/td>\n 2018:07:06 02:30:25+02:00<\/td>\n<\/tr>\n \n 4b86f102eff21382c1a40a28bd4db19356e1efd323336bcec6645e68592e754a<\/strong><\/td>\n 2018:07:07 17:59:57+01:00<\/td>\n<\/tr>\n \n b604a25ae4a668170bf28bfc885d0e137f4ff3a29eb7f772ba7098ecfb9bacb3<\/strong><\/td>\n 2018:07:08 12:47:46+02:00<\/td>\n<\/tr>\n \n 664b45ba61cf7e17012b22374c0c2a52a2e661e9c8c1c40982137c910095179a<\/strong><\/td>\n 2018:07:14 02:09:27+01:00<\/td>\n<\/tr>\n \n 536209365d143bf90a44f063eff9254639d7976b2f77edcc2a0ff6ac1e5a5464<\/strong><\/td>\n 2018:07:23 22:32:23+02:00<\/td>\n<\/tr>\n \n e29d154b067f298bab794d9f85ee7b3d58ebf17b56f6cff6601fb6ce48482f09<\/strong><\/td>\n 2018:08:01 20:19:32+02:00<\/td>\n<\/tr>\n \n c2a32b7094f4c171a56ca9da3005e7cc30489ae9d2020a6ccb53ff02b32e0be3<\/strong><\/td>\n 2018:08:06 17:50:00+02:00<\/td>\n<\/tr>\n \n 5d58c85ba5bd7a4ca3d5ade7bff08942a12399f82defa370691524d8797a1095<\/strong><\/td>\n 2018:08:09 01:11:34+02:00<\/td>\n<\/tr>\n \n
- The ransom note was again changed for this version:<\/li>\n<\/ul>\n
- This version added a new subkey in the registry key \u201cRun\u201d in the hive HKEY_CURRENT_USER with the name \u201cdaite drobovik\u201d:<\/li>\n<\/ul>\n
- For this version, the authors added PowerShell executions using a command prompt with the function \u201cShellExecuteA\u201d :<\/li>\n<\/ul>\n
- This is an example for the new configuration file:<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- In this version, Nemty will respect and avoid encrypting files for victims inside the CIS countries.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- Using the windows API GetCurrentHwProfileA<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- Username\n