Analysis
JS/Nemucod.EBZ!tr.dldr is a generic detection for a trojan. Because the detection is generic, samples detected as JS/Nemucod.EBZ!tr.dldr may vary in behaviour.
Below are some of its observed characteristics/behaviours:
- It uses ActiveXObject to send a GET request to two addresses.
- It will attempt to download a file named radD4416.tmp into the user's %Temporary% directory.
- Obfuscation is done via string/character manipulation.
- At the time this description is written (Jan. 15, 2020), the sites the malware connects to no longer supply the file.
- This malware is an alias to JS/Nemucod.EBZ!tr.
- The malware attempts to connect to the following sites to download the .tmp file:
  - hxxps://alexis.mon[REMOVED].com/htdocs/wp-admin/css/colors/blue/messg.jpg
  - https://rj14jai[REMOVED].000webhostapp.com/wp-content/themes/hestia/page-templates/messg.jpg
- It will try to download from the first link and then the second link if the first one fails.
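The behaviours listed above (a script host fetching messg.jpg, a drop of radD4416.tmp into %Temp%, and a fallback to the second host when the first fails) can be checked against endpoint telemetry. The following is an added detection example, not part of this description or any vendor tooling; the pipe-delimited log format, the placeholder hostnames and the sample events are all constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample telemetry (not from the description): timestamp|process|event|detail|status.
# Hostnames are placeholders; the messg.jpg path and radD4416.tmp name are the observed indicators.
SAMPLE_LOG = """\
2020-01-15T10:02:01|wscript.exe|GET|https://first-host.example/htdocs/wp-admin/css/colors/blue/messg.jpg|404
2020-01-15T10:02:02|wscript.exe|GET|https://second-host.example/wp-content/themes/hestia/page-templates/messg.jpg|404
2020-01-15T10:02:02|wscript.exe|FILE_WRITE|C:\\Users\\u\\AppData\\Local\\Temp\\radD4416.tmp|-
2020-01-15T10:05:10|chrome.exe|GET|https://example.org/images/logo.jpg|200
"""

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}  # processes that run ActiveXObject JS
PAYLOAD_PATH = re.compile(r"/messg\.jpg$", re.I)            # image name used for the downloaded payload
TEMP_DROP = re.compile(r"\\Temp\\radD4416\.tmp$", re.I)     # observed drop location and file name


def parse_event(line):
    ts, proc, event, detail, status = line.split("|", 4)
    return {"ts": ts, "proc": proc.lower(), "event": event, "detail": detail, "status": status}


def find_indicators(log_text):
    """Return (rule, timestamp, detail) hits for the Nemucod.EBZ behaviours in the log."""
    hits = []
    gets_by_proc = defaultdict(list)
    for raw in log_text.strip().splitlines():
        ev = parse_event(raw)
        if ev["event"] == "GET" and ev["proc"] in SCRIPT_HOSTS:
            gets_by_proc[ev["proc"]].append(ev)
            if PAYLOAD_PATH.search(ev["detail"]):
                hits.append(("payload_fetch", ev["ts"], ev["detail"]))
        elif ev["event"] == "FILE_WRITE" and TEMP_DROP.search(ev["detail"]):
            hits.append(("temp_drop", ev["ts"], ev["detail"]))
    # Fallback pattern: a script host's GET fails and the next GET goes to a different host.
    for gets in gets_by_proc.values():
        for first, second in zip(gets, gets[1:]):
            host_a, host_b = urlsplit(first["detail"]).hostname, urlsplit(second["detail"]).hostname
            if first["status"] != "200" and host_a != host_b:
                hits.append(("fallback_host", second["ts"], f"{host_a} -> {host_b}"))
    return hits


if __name__ == "__main__":
    for rule, ts, detail in find_indicators(SAMPLE_LOG):
        print(f"{ts} {rule}: {detail}")
```

The browser fetch of a real .jpg at the end of the sample is deliberately not flagged, since the indicators are tied to script hosts and the specific file names.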