[Community-sigs] JS.Trojan.Nemucod variant signature

Christopher Marczewski cmarczewski at sourcefire.com
Wed Dec 14 08:36:19 EST 2016


Janos,

Thank you for your submission. We'll proceed with FP testing for your
signature.

On Wed, Dec 14, 2016 at 6:01 AM, Janos Cservenak <hawk at hwk.hu> wrote:

> Hi,
>
> Nemucod trojan variants trapped during the last few days...
> Received via email; all messages tried to disguise themselves
> as a scanned document, attached as a 2016-12-XXXX.ZIP file.
> In the ZIP there was only a 2016-12-XXXX.jse file.
>
> -- Signature --
> JS.Trojan.Nemucod.JSE.v03.20161213;
> Target:0;0;7661722077796c736f6e*49475a31626d4e3061573975
> -- /Signature --
>
> Decoded:
> VIRUS NAME: JS.Trojan.Nemucod.JSE.v03.20161213
> TDB: Target:0
> LOGICAL EXPRESSION: 0
>  * SUBSIG ID 0
>  +-> OFFSET: ANY
>  +-> SIGMOD: NONE
>  +-> DECODED SUBSIGNATURE:
> var wylson{WILDCARD_ANY_STRING}IGZ1bmN0aW9u
>
> MD5 sums for the JSE files:
> 995d5852f720163112be6bb18dc45fea
> df1e47f1394fb849b84a9b62ac2c5257
> 3d93cabf4377ac59b6a8a578f28e0460
> 3d93cabf4377ac59b6a8a578f28e0460
> d6e9a17e0dd09384d328f110b29a0f55
> d45a7e7650232738d3937c8434a49f0d
> 6899c73d40a95442272f32f2aa1d7606
> 6b5831cef9e705787a655bc66d832758
> 31fea40298868ea7f43f0e07292153c7
> d1b3b53fcb8b9604e596806851423996
> f02379e533deee8bc814bf720ac8249e
> 3b68fb002b17c7f9796f68240b55e1c5
> 3d93cabf4377ac59b6a8a578f28e0460
> ab4d4e0a53aa5deca221b8e0920a3fda
> e1d99edc1efdccd136409e110ffda5df
> 7e6c1715499fcce0c7dd0efdc8348175
> df1e47f1394fb849b84a9b62ac2c5257
> 05add189dcce665300f8b104c197b240
> 31fea40298868ea7f43f0e07292153c7
>
> --
> Best Regards,
> Janos Cservenak
>
> _______________________________________________
> Community-sigs mailing list
> Community-sigs at lists.clamav.net
> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>
> http://www.clamav.net/contact.html#ml




-- 
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.430.7118
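The signature Janos posted is a ClamAV logical signature (.ldb) line: name, target descriptor, logical expression, then hex subsignatures in which `*` is an unbounded wildcard. The "Decoded" block is what `sigtool --decode-sigs` prints for it. The following Python is an added example written for this page, not ClamAV's matcher or anyone's code from the thread: it parses that line, renders the subsignature the way the decoded block does, and applies the signature to two constructed script bodies (neither is one of the listed samples). It supports only the subset of .ldb syntax the posted signature uses plus `&`, `|`, parentheses and per-subsig count tests; group counts such as `(0|1)>2` are out of scope.

```python
import re

# The signature from the post as a single .ldb line: name;TDB;expr;subsig...
LDB_LINE = ("JS.Trojan.Nemucod.JSE.v03.20161213;Target:0;0;"
            "7661722077796c736f6e*49475a31626d4e3061573975")


def parse_ldb(line):
    """Split a .ldb line into its fields; subsignatures stay as hex strings."""
    fields = line.strip().split(";")
    if len(fields) < 4:
        raise ValueError("logical signature needs name;TDB;expr;subsig...")
    name, tdb, expr, *subsigs = fields
    return {"name": name, "tdb": tdb, "expr": expr, "subsigs": subsigs}


def decode_subsig(hexsig):
    """Render a hex subsignature as sigtool --decode-sigs does:
    hex runs become text, '*' becomes {WILDCARD_ANY_STRING}."""
    return "{WILDCARD_ANY_STRING}".join(
        bytes.fromhex(tok).decode("latin-1") for tok in hexsig.split("*"))


def subsig_to_regex(hexsig):
    """'*' in a ClamAV hex signature matches any number of bytes."""
    tokens = [re.escape(bytes.fromhex(tok)) for tok in hexsig.split("*")]
    return re.compile(b".*?".join(tokens), re.DOTALL)


def count_matches(sig, data):
    """Non-overlapping hit count per subsignature, in subsig-id order."""
    return [len(subsig_to_regex(s).findall(data)) for s in sig["subsigs"]]


class _Expr:
    """Minimal evaluator for the logical expression field (a subset of
    ClamAV's grammar): indices, '&', '|', parentheses and '0>2' style
    count tests on a single subsig. A bare index means 'matched at least once'."""

    def __init__(self, expr, counts):
        self.s, self.i, self.counts = expr, 0, counts

    def peek(self):
        return self.s[self.i] if self.i < len(self.s) else ""

    def number(self):
        j = self.i
        while self.peek().isdigit():
            self.i += 1
        if j == self.i:
            raise ValueError("expected number at offset %d" % j)
        return int(self.s[j:self.i])

    def atom(self):
        if self.peek() == "(":
            self.i += 1
            v = self.expr()
            if self.peek() != ")":
                raise ValueError("unbalanced parenthesis")
            self.i += 1
            return v
        idx = self.number()
        if idx >= len(self.counts):
            raise ValueError("expression references missing subsig %d" % idx)
        n = self.counts[idx]
        op = self.peek()
        if op and op in "=<>":
            self.i += 1
            k = self.number()
            return {"=": n == k, "<": n < k, ">": n > k}[op]
        return n > 0

    def term(self):
        v = self.atom()
        while self.peek() == "&":
            self.i += 1
            v = self.atom() and v   # parse the right side even when v is False
        return v

    def expr(self):
        v = self.term()
        while self.peek() == "|":
            self.i += 1
            v = self.term() or v
        return v

    def run(self):
        v = self.expr()
        if self.i != len(self.s):
            raise ValueError("trailing characters in expression")
        return v


def scan(line, data):
    """Apply one .ldb signature to a byte string; returns (name, matched)."""
    sig = parse_ldb(line)
    return sig["name"], _Expr(sig["expr"], count_matches(sig, data)).run()


# Constructed sample bodies for the demo (not the listed samples): a script
# carrying both fragments in order, and a benign script carrying only one.
SAMPLE_JSE = (b"var wylson = 'SGVsbG8=';\r\n"
              b"var blob = 'IGZ1bmN0aW9u' + wylson;\r\n"
              b"eval(unescape(blob));\r\n")
CLEAN_JS = b"function hello() { return 'wylson'; }\n"

if __name__ == "__main__":
    for s in parse_ldb(LDB_LINE)["subsigs"]:
        print(decode_subsig(s))
    print(scan(LDB_LINE, SAMPLE_JSE))
    print(scan(LDB_LINE, CLEAN_JS))
```

Two practical notes for FP testing of a signature like this: the first fragment is a bare variable name and the second is the Base64 encoding of " function", and the `*` between them is unbounded, so the signature fires on any file in which those two strings appear in that order, however far apart; the match is body-based (OFFSET: ANY), so a narrower anchor such as a bounded gap (`{n-m}`) would reduce the surface if clean hits turn up.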