Beaver

JS/TrojanDownloader.Nemucod.EGM

We got infected, according to an antivirus vendor it is JS/TrojanDownloader.Nemucod.EGM.  Files are encrypted.  They all have the .JS as a file type.  No ransom note or unusual file detected.  Does anyone have experience trying to decrypt these files?

While most ransomwares will automatically delete themselves after they finish encrypting files, some are now leaving behind components on computers they infect that will encrypt any new files saved and will encrypt any files you manage to decrypt. It's best to check and make sure that no such components have been left behind, so I recommend following the instructions at the link below to get us logs from FRST so that one of our experts can make sure there is nothing malicious still on your computer (please attach the log files FRST saves to a reply to this topic on the forums):
https://help.emsisoft.com/en/1738/how-do-i-run-a-scan-with-frst/

GT500:

I only have files that are encrypted with the .JS extension.  We have not noticed any other changes in the computers, screen background the same.  Can I just copy the affected file to ID Ransomware?  If so, how?  No other file or message has been found to copy to ID Ransomware.

Yes, you can upload only an encrypted file. There are a few ransomwares which don't leave a ransom note, or where the ransom demands are made via e-mail at a later point.

BTW: I see this is a terminal server. I recommend closing the RDP port in your firewall ASAP. Also, below are some steps for getting started dealing with an RDP compromise in case that's what happened here:

First I recommend temporarily disabling all port rules in your firewall (closing all open ports) until you can do a full audit of your firewall configuration and determine which ports need to remain open. There are some basic recommendations below to help get you started with the port audit.

If you are managing a company network, then some form of IPS/IDS is highly recommended to monitor the network for intrusions. If you already have such a system in place, then I recommend a full audit of any rules you have configured to make sure that the device is providing adequate monitoring. It is also recommended to have someone with penetration testing experience verify that the IPS/IDS is properly alerting when there are intrusion attempts.

Also, quickly change all passwords on any workstations and/or servers that are connected to the same network as the compromised system. Also be sure to change passwords on any online accounts, as well as any routers or switches (or other devices that have network-accessible administration functions).

I recommend that every account have a different password, that passwords be no shorter than 25 characters and be made up of a random combination of uppercase letters, lowercase letters, numbers, and symbols. Obviously passwords like that are difficult (if not impossible) to remember, so a password manager may be required in order to aid in managing passwords. KeePass is probably the simplest password manager, and stores password databases locally instead of on some "cloud" server. If something capable of automatically filling in passwords (or sharing passwords between multiple devices/users) is necessary then there are reasonable password managers from LastPass, bitwarden, 1Password, Dashlane, etc. Note that unlike KeePass, these password managers work as extensions added to web browsers (or apps on mobile phones), and they store password databases online.

When auditing your firewall configuration and preparing to reopen ports, I recommend never opening ports globally unless absolutely necessary. I also recommend requiring anyone who needs access to sensitive services (RDP, Windows Networking, etc) to connect to the network via a VPN so that you don't have to open ports for those services in the firewall, and then only open the VPN port in the firewall for IP addresses that need access to it. If someone who needs access has a dynamic IP, then many firewalls these days support something like Single Packet Authorization or Port Knocking to dynamically open ports for unknown IP addresses.

26 minutes ago, Beaver said:

Amigo-A, thanks for your insight.  I have attached the Frst and Addition as indicated.

Attachments: Addition.txt (35.38 kB), FRST.txt (21.64 kB)

At first glance I'm not seeing anything that looks malicious in those logs. Most ransomware will delete itself after it finishes encrypting files, and in the case of RDP compromise where an attacker manually copies ransomware to the compromised system and executes it they also normally clean up after themselves to make analysis more difficult.

Would it be possible to attach one or two copies of encrypted files to a reply so that I can run them by our malware analysts?

GT500:

I uploaded today, Wednesday, July 24, 2019, the encrypted file RFQ2017-1-0008.jse to ID-Ransomware and got the message:

Unable to determine ransomware.

Please make sure you are uploading a ransom note and encrypted sample file from the same infection.

This can happen if this is a new ransomware, or one that cannot be currently identified automatically.

You may post a new topic in the Ransomware Tech Support and Help forums on BleepingComputer for further assistance and analysis.

Please reference this case SHA1: 81049b216207070a4bd6c5fdcbf05bde824b4119

Weird, the forums show all of the files are the exact same size. Were the files that way before they were encrypted?

These are encoded JavaScript files. They're executables. They error out while running though. I'll have to wait for our malware analysts to tell me more.

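As an added triage example (not code from this thread, from Emsisoft or from ID Ransomware): a Python script that groups .js/.jse files by exact size, the pattern GT500 noticed above, and flags any that begin with the Windows Script Encoder marker `#@~^`, which is what an "encoded JavaScript" .jse file carries. The sample directory it builds contains constructed, harmless content so the check can be run offline.

```python
import tempfile
from collections import defaultdict
from pathlib import Path

# Windows Script Encoder output starts with this marker (followed by a
# 6-character encoded length field and "==") and ends with "==^#~@".
ENCODED_MARKER = b"#@~^"
SUSPECT_EXTS = {".js", ".jse"}


def scan_directory(root):
    """Return (encoded_files, size_clusters) for .js/.jse files under root.

    encoded_files: paths whose content begins with the Script Encoder marker,
    i.e. obfuscated executable script rather than encrypted data.
    size_clusters: {size: [paths]} for suspect files sharing one exact size.
    """
    encoded = []
    by_size = defaultdict(list)
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in SUSPECT_EXTS:
            continue
        with open(path, "rb") as fh:
            head = fh.read(len(ENCODED_MARKER))
        if head == ENCODED_MARKER:
            encoded.append(str(path))
        by_size[path.stat().st_size].append(str(path))
    clusters = {size: paths for size, paths in by_size.items() if len(paths) > 1}
    return sorted(encoded), clusters


def build_sample_tree():
    """Create a constructed sample directory (hypothetical names, no real malware)."""
    root = tempfile.mkdtemp(prefix="js_triage_")
    # Three identically sized "encrypted" files that are really encoded script.
    fake_encoded = b"#@~^AAAAAA==" + b"X" * 40 + b"==^#~@"
    for name in ("sample-1.jse", "sample-2.jse", "sample-3.jse"):
        Path(root, name).write_bytes(fake_encoded)
    # One ordinary plain-text script of a different size, which is not flagged.
    Path(root, "site.js").write_bytes(b"console.log('hello');\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    encoded_files, size_clusters = scan_directory(sample_root)
    print("Encoded script files:", encoded_files)
    for size, paths in size_clusters.items():
        print(f"{len(paths)} files share size {size} bytes: {paths}")
```

Files that the script flags as encoded script should be treated as executables and handed to an analyst rather than opened, exactly as GT500 did here.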
GT500:

I sincerely appreciate your interest in helping resolve my predicament, and in involving your malware analysts.  Look forward to what they have to say.

Thanks once again and take care.
