[Community-sigs] Nemucod variant

Christopher Marczewski cmarczewski at sourcefire.com
Fri Dec 16 11:17:33 EST 2016


I forgot to mention that we did end up slightly modifying the signature.
There was a variable naming consistency that I've recently noticed in many
web script downloaders, and it's present in these samples too. I replaced
the Base64 pattern with this content instead:

Js.Trojan.Nemucod;Target:7;(0>2)&(1>3)&(2>10);766172{-10}686974666d;66756e6374696f6e{-20}686974666d;78636f70
VIRUS NAME: Js.Trojan.Nemucod

TDB: Target:7
LOGICAL EXPRESSION: (0>2)&(1>3)&(2>10)
 * SUBSIG ID 0
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
var{WILDCARD_ANY_STRING(LENGTH<=10)}hitfm
 * SUBSIG ID 1
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
function{WILDCARD_ANY_STRING(LENGTH<=20)}hitfm
 * SUBSIG ID 2
 +-> OFFSET: ANY
 +-> SIGMOD: NONE
 +-> DECODED SUBSIGNATURE:
xcop

On Fri, Dec 16, 2016 at 11:13 AM, Christopher Marczewski <
cmarczewski at sourcefire.com> wrote:

> Janos,
>
> Your signature has been accepted for publication. Thanks again for your
> submission.
>
> On Wed, Dec 14, 2016 at 3:32 PM, Christopher Marczewski <
> cmarczewski at sourcefire.com> wrote:
>
>> Janos,
>>
>> Thanks again for another Nemucod submission. We'll be proceeding with a
>> signature review & FP testing.
>>
>> On Wed, Dec 14, 2016 at 10:56 AM, Janos Cservenak <hawk at hwk.hu> wrote:
>>
>>> Hi,
>>>
>>> Another Nemucod variant signature.
>>> Received by email; the attachment was a .ZIP that contains the trojan WSF.
>>>
>>> -- Signature --
>>> JS.Trojan.Nemucod;Target:7;0>2&1>3&2;
>>> 766172{-10}686974666d;66756e6374696f6e{-20}686974666d;
>>> 746d39307a786e696177726b7a773478
>>> -- /Signature --
>>>
>>> VIRUS NAME: JS.Trojan.Nemucod.WSF.v03.20161214
>>> TDB: Target:7
>>> LOGICAL EXPRESSION: 0>2&1>3&2
>>>  * SUBSIG ID 0
>>>  +-> OFFSET: ANY
>>>  +-> SIGMOD: NONE
>>>  +-> DECODED SUBSIGNATURE:
>>> var{WILDCARD_ANY_STRING(LENGTH<=10)}hitfm
>>>  * SUBSIG ID 1
>>>  +-> OFFSET: ANY
>>>  +-> SIGMOD: NONE
>>>  +-> DECODED SUBSIGNATURE:
>>> function{WILDCARD_ANY_STRING(LENGTH<=20)}hitfm
>>>  * SUBSIG ID 2
>>>  +-> OFFSET: ANY
>>>  +-> SIGMOD: NONE
>>>  +-> DECODED SUBSIGNATURE:
>>> tm90zxniawrkzw4x
>>>
>>>
>>> Matched files MD5:
>>> bd9ac941df4dd18fc3a9357ca8fc51d4
>>> 075267b6930949754fd2d26e81cf3b6f
>>> ed006688b4d4dbeb57be273d022f3e93
>>> 1a80ed55e9efe95742b41d6fbbfc9a93
>>> fc4bf5f72c29990570d34fdd823a411d
>>> 4ff5f72d1375cb62ec8760e395dabc49
>>> bb989de0945fadbd26828f43e0fccb1f
>>> ece6efedf0ec3a381826f12e0a6d695d
>>> 9aaba658f4058e6f59a2350620d67a88
>>> 9aaba658f4058e6f59a2350620d67a88
>>> 9aaba658f4058e6f59a2350620d67a88
>>> 15c985f5a947e6730609215392954588
>>> 15c985f5a947e6730609215392954588
>>> 277a4374e36db8dcd1b7d984642ab749
>>> d195d846366cc139f38e34744ff2217e
>>> 218e468ed5f0af73a68986dcadd43707
>>> 2dcff3cb473324f619605c1752ffdb3b
>>> dba26a9757c92889d36e2171a0b8499c
>>> 789f9af5c3521e44123b474b901e3733
>>> 789f9af5c3521e44123b474b901e3733
>>> 98aec43fc91195e73957022ed89d663c
>>> 739f7cbde8886faf1cb4c8aaf64865a1
>>> 0c1f6e786ee71e1d55fad52af868a1fa
>>> ebebc6db349c8457a009ea67bef9f5c2
>>> f9c4b03fe200e0575ce77581a088a344
>>> 36196947aa0da7ee81b2174e6f992e74
>>> 36196947aa0da7ee81b2174e6f992e74
>>> 2f8021da04fb26f4b1c458229d9e06e7
>>> 754d009b8f2d9fc6eafc605a27afa64f
>>> 754d009b8f2d9fc6eafc605a27afa64f
>>> add45ad1030774a2251f874b24dc710d
>>> add45ad1030774a2251f874b24dc710d
>>> b9110a5360c4f12c6aa4a2e794efbe6a
>>> dd2fd0a397836bf55ebf7cbd98f0f6b1
>>>
>>> --
>>> Best regards,
>>> Janos Cservenak
>>>
>>> _______________________________________________
>>> Community-sigs mailing list
>>> Community-sigs at lists.clamav.net
>>> http://lists.clamav.net/cgi-bin/mailman/listinfo/community-sigs
>>>
>>> http://www.clamav.net/contact.html#ml
>>
>>
>>
>>
>> --
>> Christopher Marczewski
>> Research Engineer
>> Talos Group
>> cmarczewski at sourcefire.com
>> Phone: 443.430.7118
>>
>
>
>
> --
> Christopher Marczewski
> Research Engineer
> Talos Group
> cmarczewski at sourcefire.com
> Phone: 443.430.7118
>



-- 
Christopher Marczewski
Research Engineer
Talos Group
cmarczewski at sourcefire.com
Phone: 443.430.7118
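Added example (not ClamAV code and not part of the thread): a small Python decoder and evaluator for the two .ldb lines posted above. It rebuilds the DECODED SUBSIGNATURE view that sigtool --decode-sigs printed in the messages, then counts subsig matches in a buffer and applies the logical expression, so the difference between Janos's bare "2" (subsig 2 seen at least once) and the revised "(2>10)" (seen more than ten times) can be observed directly. Everything here is the example's own: the function names compile_subsig, evaluate_expression, decode and scan, the regex-based matcher standing in for ClamAV's pattern engine, and the JavaScript-like inputs, which are constructed for the demonstration rather than taken from the submitted samples. Only the syntax these two signatures use is handled (hex bytes, {..} length wildcards, subsig ids, id>n / id<n / id=n, & and | with parentheses).

```python
"""Decode ClamAV .ldb logical signatures and evaluate them against a buffer.

Added example, not ClamAV code: it reproduces the `sigtool --decode-sigs` view of
the two Nemucod signatures in this thread and applies their logical expressions
the way clamscan would, so the effect of (2>10) versus a bare 2 is visible.
"""
import re

# The two signatures exactly as posted in the thread.
REVISED_SIG = ("Js.Trojan.Nemucod;Target:7;(0>2)&(1>3)&(2>10);"
               "766172{-10}686974666d;66756e6374696f6e{-20}686974666d;78636f70")
ORIGINAL_SIG = ("JS.Trojan.Nemucod;Target:7;0>2&1>3&2;766172{-10}686974666d;"
                "66756e6374696f6e{-20}686974666d;746d39307a786e696177726b7a773478")

_TOKEN = re.compile(r"\{([^}]*)\}|[0-9a-fA-F]{2}")   # {..} wildcard or one hex byte

def compile_subsig(hexpat):
    """Return (sigtool-style readable text, compiled bytes regex) for one subsig."""
    readable, regex, pos = [], [], 0
    while pos < len(hexpat):
        m = _TOKEN.match(hexpat, pos)
        if not m:
            raise ValueError(f"unsupported subsig syntax at {hexpat[pos:]!r}")
        tok, pos = m.group(0), m.end()
        if tok.startswith("{"):                  # {-N}, {N-}, {N-M} or {N}
            spec = m.group(1)
            lo, _, hi = spec.partition("-") if "-" in spec else (spec, "", spec)
            lo, hi = int(lo or 0), (int(hi) if hi else None)
            regex.append(".{%d,%s}" % (lo, "" if hi is None else hi))
            bound = f"<={hi}" if lo == 0 and hi is not None else f"{lo}-{hi or ''}"
            readable.append(f"{{WILDCARD_ANY_STRING(LENGTH{bound})}}")
        else:                                    # one literal byte
            b = int(tok, 16)
            regex.append(re.escape(chr(b)))
            readable.append(chr(b) if 32 <= b < 127 else f"\\x{b:02x}")
    return "".join(readable), re.compile("".join(regex).encode("latin-1"), re.DOTALL)

def evaluate_expression(expr, counts):
    """Apply a logical expression to per-subsig match counts (& binds tighter than |).
    A bare id is true once that subsig matched at all; id>n, id<n and id=n compare
    its match count with n. ClamAV group forms such as (0|1)>2 are rejected."""
    toks, pos = re.findall(r"\d+|[()<>=&|]", expr), 0
    if "".join(toks) != "".join(expr.split()):
        raise ValueError(f"bad character in expression {expr!r}")

    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1] if pos <= len(toks) else None

    def atom():
        tok = take()
        if tok == "(":
            val = or_expr()
            if take() != ")":
                raise ValueError(f"unbalanced parentheses in {expr!r}")
            return val
        if tok is None or not tok.isdigit():
            raise ValueError(f"expected subsig id in {expr!r}, got {tok!r}")
        count = counts[int(tok)]
        if pos < len(toks) and toks[pos] in ("<", ">", "="):
            op, n = take(), int(take())
            return {"<": count < n, ">": count > n, "=": count == n}[op]
        return count > 0

    def chain(operand, op, combine):             # left-associative &-chain or |-chain
        val = operand()
        while pos < len(toks) and toks[pos] == op:
            take()
            val = combine(operand(), val)        # always parse the right side
        return val

    def or_expr():
        return chain(lambda: chain(atom, "&", lambda a, b: a and b), "|", lambda a, b: a or b)

    result = or_expr()
    if pos != len(toks):
        raise ValueError(f"trailing tokens in {expr!r}")
    return result

def decode(sig_line):
    """The DECODED SUBSIGNATURE lines sigtool prints, in subsig id order."""
    return [compile_subsig(s)[0] for s in sig_line.split(";")[3:]]

def scan(sig_line, data):
    """Count non-overlapping matches of every subsig in data; return (counts, verdict)."""
    _name, _target, expr, *subsigs = sig_line.split(";")
    counts = [len(compile_subsig(s)[1].findall(data)) for s in subsigs]
    return counts, evaluate_expression(expr, counts)

# Constructed inputs, not the real samples: three "...hitfm" variables, four
# "...hitfm" functions and eleven "xcop" tokens, so every revised threshold is met.
SAMPLE_HIT = (b"var a1hitfm = 1; var b2hitfm = 2; var c3hitfm = 3;\n"
              b"function fahitfm(){} function fbhitfm(){} function fchitfm(){} "
              b"function fdhitfm(){}\n" + b"xcop " * 11)
SAMPLE_TEN_XCOP = SAMPLE_HIT.replace(b"xcop " * 11, b"xcop " * 10)
SAMPLE_BASE64 = SAMPLE_HIT.replace(b"xcop " * 11, b"'tm90zxniawrkzw4x'")

if __name__ == "__main__":
    for sig in (ORIGINAL_SIG, REVISED_SIG):
        print(sig.split(";")[0], decode(sig))
        for data in (SAMPLE_HIT, SAMPLE_TEN_XCOP, SAMPLE_BASE64):
            print("   counts, verdict:", scan(sig, data))
```

Running it shows the revised signature firing on the input with eleven "xcop" tokens but not on the one with ten, and the original firing only when the base64 fragment is present. Match counting here is a regex approximation (non-overlapping, no Target:7 text normalisation), so counts near a threshold can differ from what clamscan reports; the point is the shape of the logic, not a drop-in replacement for the engine.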


