JS/Nemucod.JS01!tr
Analysis
JS/Nemucod.JS01!tr is a generic detection for a JavaScript downloader that retrieves the Locky ransomware; the downloaded payload is detected as W32/GenKryptik.AUBX!tr.
Because this is a generic detection, files detected as JS/Nemucod.JS01!tr may not all behave identically.
Together with W32/GenKryptik.AUBX!tr, the following behaviours have been observed:
- This malware may connect to any of the following URLs:
  - hxxp://fier{Removed}.leadercoop.it/sdgLKJvgh??kxMhXwMtn=AQTqTMj
  - hxxp://fcpconsultore{Removed}.com.br/sdgLKJvgh??kxMhXwMtn=AQTqTMj
  - hxxp://87hfdredwertyfdvvlkgdrsad{Removed}.net/af/sdgLKJvgh?kxMhXwMtn=AQTqTMj
  - hxxp://fluritreuhan{Removed}.ch/sdgLKJvgh??SMsXSbl=cDMbvKEIgm
  - hxxp://firstclea{Removed}.pt/sdgLKJvgh??SMsXSbl=cDMbvKEIgm
- Affected files are renamed using the file-naming format XXXXXXXX-XXXX-XXXX-XXXXXXXX-XXXXXXXXXXXX.lukitus (each X being a hexadecimal digit).
- Figure 1: Ransomware notes (screenshot of the ransom note).
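As an added triage example (not part of Fortinet's analysis), the following Python helper flags file names that match the .lukitus rename format quoted above and proxy log lines whose request path matches the downloader URLs listed above. The log lines and host names are constructed placeholders; only the path and query strings come from the analysis.

```python
import re
from pathlib import Path
from typing import Iterable, List

# Rename format from the analysis: 8-4-4-8-12 hex groups followed by ".lukitus".
LUKITUS_NAME = re.compile(
    r"^[0-9A-Fa-f]{8}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{8}-[0-9A-Fa-f]{12}\.lukitus$"
)

# Every URL in the analysis shares this path and one of two query strings; only the
# host changes, so matching on the path still works when the host is rotated.
DOWNLOADER_REQUEST = re.compile(
    r"/sdgLKJvgh\?{1,2}(?:kxMhXwMtn=AQTqTMj|SMsXSbl=cDMbvKEIgm)\b"
)


def is_lukitus_name(name: str) -> bool:
    """True if a file name matches the Locky .lukitus rename pattern."""
    return LUKITUS_NAME.match(name) is not None


def encrypted_names(names: Iterable[str]) -> List[str]:
    """Filter an iterable of file names down to those renamed by the ransomware."""
    return [n for n in names if is_lukitus_name(n)]


def scan_directory(root: str) -> List[str]:
    """Walk a directory tree and return paths of files renamed by the ransomware."""
    return sorted(str(p) for p in Path(root).rglob("*") if p.is_file() and is_lukitus_name(p.name))


def flag_downloader_requests(log_lines: Iterable[str]) -> List[str]:
    """Return proxy log lines whose URL matches the downloader's request pattern."""
    return [line for line in log_lines if DOWNLOADER_REQUEST.search(line)]


# Constructed proxy log (hosts are placeholders; paths follow the analysis).
SAMPLE_PROXY_LOG = [
    "2022-09-27T10:01:12Z 10.0.0.15 GET http://host-a.example/sdgLKJvgh??kxMhXwMtn=AQTqTMj 200",
    "2022-09-27T10:01:13Z 10.0.0.15 GET http://host-a.example/favicon.ico 404",
    "2022-09-27T10:02:40Z 10.0.0.22 GET http://host-b.example/af/sdgLKJvgh?kxMhXwMtn=AQTqTMj 200",
    "2022-09-27T10:03:05Z 10.0.0.31 GET http://host-c.example/sdgLKJvgh??SMsXSbl=cDMbvKEIgm 200",
    "2022-09-27T10:03:50Z 10.0.0.31 GET http://intranet.example/reports/q3.pdf 200",
]

if __name__ == "__main__":
    for line in flag_downloader_requests(SAMPLE_PROXY_LOG):
        print("downloader request:", line)
    for path in scan_directory("."):
        print("encrypted file:", path)
```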
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
- FortiGate
- FortiClient
- FortiAPS
- FortiAPU
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR
Version Updates
Date | Version | Detail
---|---|---
2022-09-27 | 90.06370 |