JS/Nemucod.EBZ!tr.dldr

Analysis

JS/Nemucod.EBZ!tr.dldr is a generic detection for a trojan downloader. Because the detection is generic, malware that is detected as JS/Nemucod.EBZ!tr.dldr may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • It uses ActiveXObject to send a GET request to two addresses.
  • It will attempt to download a file named radD4416.tmp into the user’s %Temporary% directory.
  • Obfuscation is done via string/character manipulation.
  • At the time this description is written (Jan. 15, 2020), the sites the malware connects to no longer supply the file.
  • This detection is an alias of JS/Nemucod.EBZ!tr.
  • The malware attempts to connect to the following sites to download the .tmp file:
    • hxxps://alexis.mon[REMOVED].com/htdocs/wp-admin/css/colors/blue/messg.jpg
    • https://rj14jai[REMOVED].000webhostapp.com/wp-content/themes/hestia/page-templates/messg.jpg
  • It will try to download from the first link and then the second link if the first one fails.
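Because the script hides its strings behind string/character manipulation, a scanner that matches the indicators above literally will miss them. The following added example (not Fortinet's code) statically folds the common constant patterns of that kind, `['a','b'].join('')`, `String.fromCharCode(n)` and `'a' + 'b'`, and then matches the page's indicators against the folded text; the script body is a constructed illustration, not the malware's code.

```python
import re

# Indicators quoted from the FortiGuard description of JS/Nemucod.EBZ!tr.dldr
# (the vendor's [REMOVED] masking of the hosts is kept as published).
INDICATORS = {
    "activex": re.compile(r"ActiveXObject"),
    "http_get": re.compile(r"['\"]GET['\"]"),
    "temp_dir": re.compile(r"%TEMP%", re.I),
    "dropped_name": re.compile(r"radD4416\.tmp"),
    "payload_path": re.compile(r"messg\.jpg"),
}
# Constant string-manipulation idioms to fold before matching.
JOIN_RX = re.compile(r"\[((?:\s*'[^']*'\s*,?)+)\]\.join\(''\)")
CHARCODE_RX = re.compile(r"String\.fromCharCode\(((?:\s*\d+\s*,?)+)\)")
CONCAT_RX = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")

def fold_strings(src):
    """Repeat the three folds until the source stops changing."""
    prev = None
    while prev != src:
        prev = src
        src = JOIN_RX.sub(
            lambda m: "'" + "".join(re.findall(r"'([^']*)'", m.group(1))) + "'", src)
        src = CHARCODE_RX.sub(
            lambda m: "'" + "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()) + "'", src)
        src = CONCAT_RX.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", src)
    return src

def scan_script(src):
    """Match indicators on raw and folded text; three or more folded hits is suspicious."""
    folded = fold_strings(src)
    raw_hits = sorted(n for n, rx in INDICATORS.items() if rx.search(src))
    hits = sorted(n for n, rx in INDICATORS.items() if rx.search(folded))
    return {"raw_hits": raw_hits, "hits": hits, "suspicious": len(hits) >= 3}

# Constructed sample: only string assignments, carrying the page's indicators
# behind the kind of manipulation the description mentions.
SAMPLE = (
    "var a = ['Act','iveX','Object'].join('');\n"
    "var d = String.fromCharCode(37) + 'TEMP' + String.fromCharCode(37);\n"
    "var f = 'radD' + '4416' + '.tmp';\n"
    "var u = 'hxxps://alexis.mon[REMOVED].com/htdocs/wp-admin/css/colors/blue/mes' + 'sg.jpg';\n"
    "var m = 'G' + 'ET';\n"
)

if __name__ == "__main__":
    print(scan_script(SAMPLE))
```

On the constructed sample the raw scan finds nothing while the folded scan hits all five indicators, which is the gap an obfuscated downloader exploits against literal signatures.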

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product Level
FortiClient Extreme
FortiMail Extreme
FortiSandbox Extreme
FortiWeb Extreme
Web Application Firewall Extreme
FortiIsolator Extreme
FortiDeceptor Extreme
FortiEDR

Version Updates

Date Version Detail
2020-03-04 75.71900 Sig Updated
2019-08-06 70.52400 Sig Updated
2019-07-30 70.35800 Sig Updated
2019-07-16 70.02200 Sig Updated
2019-07-09 69.85400 Sig Updated
2019-06-11 69.18400 Sig Updated
2019-04-12 67.75300 Sig Updated
2019-01-30 66.01200 Sig Updated
2019-01-29 65.98500 Sig Updated
2019-01-25 65.89000 Sig Updated