JS/Nemucod.JS01!tr

Analysis



JS/Nemucod.JS01!tr is a generic detection for a JavaScript downloader for Locky ransomware; the downloaded payload is detected as W32/GenKryptik.AUBX!tr. Since this is a generic detection, malware detected as JS/Nemucod.JS01!tr may vary in behaviour.
Along with W32/GenKryptik.AUBX!tr, below are some of the observed behaviours:

  • This malware may connect to any of the following URLs:
    • hxxp://fier{Removed}.leadercoop.it/sdgLKJvgh??kxMhXwMtn=AQTqTMj
    • hxxp://fcpconsultore{Removed}.com.br/sdgLKJvgh??kxMhXwMtn=AQTqTMj
    • hxxp://87hfdredwertyfdvvlkgdrsad{Removed}.net/af/sdgLKJvgh?kxMhXwMtn=AQTqTMj
    • hxxp://fluritreuhan{Removed}.ch/sdgLKJvgh??SMsXSbl=cDMbvKEIgm
    • hxxp://firstclea{Removed}.pt/sdgLKJvgh??SMsXSbl=cDMbvKEIgm
    The downloaded file is usually saved as %Temp%\doktbuqvna1.exe and is detected as W32/GenKryptik.AUBX!tr.

  • Affected files are renamed using the file-naming format XXXXXXXX-XXXX-XXXX-XXXXXXXX-XXXXXXXXXXXX.lukitus (each X being a hexadecimal digit).

  • Below is a screenshot of the Ransomware notes:

    • Figure 1: Ransomware notes.
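The two indicators above (the shared download path and the .lukitus rename format) are concrete enough to turn into a detection check. The following Python script is an added example written for this page; it is not Fortinet code and is not part of the original advisory. It matches URLs against the /sdgLKJvgh path common to all listed download URLs, matches file names against the 8-4-4-8-12 hexadecimal .lukitus pattern, and flags the %Temp% payload name. The proxy log lines, host names (.example) and file paths are constructed for the example; the log line layout is an assumption, not a real product format.

```python
import re
from urllib.parse import urlsplit

# Encrypted-file name format given in the advisory:
# XXXXXXXX-XXXX-XXXX-XXXXXXXX-XXXXXXXXXXXX.lukitus, with X a hex digit.
LUKITUS_NAME = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{8}-[0-9a-f]{12}\.lukitus$",
    re.IGNORECASE,
)

# Path component shared by every download URL listed in the advisory.
DOWNLOADER_PATH = "/sdgLKJvgh"

# Name of the dropped payload from the advisory (saved under %Temp%).
PAYLOAD_NAME = "doktbuqvna1.exe"


def _basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def is_lukitus_name(filename: str) -> bool:
    """True if the file's basename matches the Lukitus rename pattern."""
    return LUKITUS_NAME.fullmatch(_basename(filename)) is not None


def is_payload_name(filename: str) -> bool:
    """True if the file's basename is the payload name from the advisory."""
    return _basename(filename).lower() == PAYLOAD_NAME


def is_downloader_url(url: str) -> bool:
    """True if the URL path ends with the downloader path from the advisory.

    Defanged 'hxxp' URLs are accepted so indicator lists can be pasted as-is.
    The doubled '??' in the listed URLs is harmless: urlsplit stops the path
    at the first '?' and puts the remainder into the query.
    """
    url = re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)
    path = urlsplit(url).path
    return path.rstrip("/").endswith(DOWNLOADER_PATH)


def scan_proxy_log(lines):
    """Return (timestamp, client, url) for each request to the downloader path.

    Assumed line layout (constructed for this example, not a real product log):
    '<timestamp> <client-ip> <method> <url> <status>'.
    """
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed or truncated lines
        ts, client, _method, url, _status = fields[:5]
        if is_downloader_url(url):
            hits.append((ts, client, url))
    return hits


def scan_filenames(names, threshold=3):
    """Return (lukitus_hits, payload_hits, mass_rename_flag).

    One .lukitus name deserves a look; 'threshold' or more in a single
    listing is what an encryption run in progress looks like.
    """
    lukitus = [n for n in names if is_lukitus_name(n)]
    payload = [n for n in names if is_payload_name(n)]
    return lukitus, payload, len(lukitus) >= threshold


# Constructed sample data for the example (not captured from a real incident).
SAMPLE_PROXY_LOG = [
    "2022-09-27T10:00:01Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2022-09-27T10:00:07Z 10.0.0.5 GET hxxp://host-a.example/sdgLKJvgh??kxMhXwMtn=AQTqTMj 200",
    "2022-09-27T10:00:09Z 10.0.0.9 GET hxxp://host-b.example/af/sdgLKJvgh?SMsXSbl=cDMbvKEIgm 404",
    "2022-09-27T10:00:15Z 10.0.0.5 GET http://www.example.com/sdgLKJvgh.pdf 200",
]

SAMPLE_FILES = [
    "C:\\Users\\alice\\Documents\\budget.xlsx",
    "C:\\Users\\alice\\Documents\\1A2B3C4D-5E6F-7A8B-9C0D1E2F-3A4B5C6D7E8F.lukitus",
    "C:\\Users\\alice\\Documents\\0F0E0D0C-0B0A-0908-07060504-030201000102.lukitus",
    "C:\\Users\\alice\\Documents\\lukitus.txt",
    "C:\\Users\\alice\\AppData\\Local\\Temp\\doktbuqvna1.exe",
]

if __name__ == "__main__":
    for ts, client, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"downloader request: {ts} {client} {url}")
    lukitus, payload, mass = scan_filenames(SAMPLE_FILES, threshold=2)
    print(f"{len(lukitus)} .lukitus file(s), {len(payload)} payload file(s), mass rename: {mass}")
```

The path check is anchored on the end of the URL path rather than on a substring, so a benign name such as sdgLKJvgh.pdf does not match, while both the root-level and the /af/ variants listed in the advisory do. The file-name check rejects anything that merely ends in .lukitus or contains a non-hex character, keeping the match tied to the exact format the advisory describes.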




Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2022-09-27 90.06370