Ransomware Nemucod not identified


3 replies to this topic

#1 darkmajin


  • Members
  • 2 posts

Posted 01 August 2017 - 05:53 AM

I uploaded a file and every antivirus gives me a jse/Nemucod prompt. I have a bunch of files encrypted?! into the .jse extension, any way of decrypting them?

SHA1: dd6ae3b716e86ead2c69de63f9a8df7ebef64a02 <- whoever needs it?

#2 quietman7


    Bleepin' Janitor


  • Global Moderator
  • 51,928 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 01 August 2017 - 03:29 PM

Did you find any ransom notes and if so, what is its actual name? These infections are created to alert victims that their data has been encrypted and demand a ransom payment. Most ransomware will drop a ransom note in every directory/affected folder where data has been encrypted. These notes are often created in multiple file formats (.txt, .html, .png) to ensure that the victim can open them. Check your documents folder for an image the malware typically uses for the background note. Check C:\ProgramData (or C:\Documents and Settings\All Users\Application Data) for a randomly named .html, .txt, .png, .bmp or .url file.

Did the cyber-criminals provide an email address to send payment to?

The best way to identify the different ransomwares is the ransom note (including its name), samples of the encrypted files, any obvious extensions appended to the encrypted files, information related to any email addresses used by the cyber-criminals to request payment, and the malware file responsible for the infection.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 darkmajin

  • Topic Starter

  • Members
  • 2 posts

Posted 01 August 2017 - 11:50 PM

That's the problem, there were no ransom notes.

It started when someone opened an infected mail (don't ask).

- A Win7 machine started to create cmd.exe and conhost.exe infinitely; there was fly.exe on autostart. It lasted 2 days before I was notified.

- Multiple files on a shared network drive (99% of those were .doc and a few PDFs) were turned into 527 KB files with a *.jse extension.

- No PC files were damaged/encrypted (only the network drive). The only machine to get infected after 1 day was another Windows 7 one, and the majority of damaged folders were accessed by Windows XP PCs.

- After cleaning, no more files were encrypted, although I need to wait and see more.

I'm mostly interested in whether the files can be reverted to their original state. I've used a few decrypters without success. The files were converted from 2 MB to 527 KB; does that result in a damaged file, or is it just seen as 527 KB by the system?

VirusTotal gets me in most cases:

Trojan.JS.Downloader.Nemucod.BJ or a similar name...
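The advice above (look for a note dropped in every affected folder, record the extension appended to the encrypted files) and the indicators reported in this thread (.doc files on a share all turned into 527 KB .jse files) can be turned into a first-responder triage script. The following Python is an added example, not code from this thread or from BleepingComputer; it walks a tree, flags extensions whose files collapse to one exact size, and lists note-like filenames repeated across directories. The fixture it builds is constructed, the note name HOW_TO_DECRYPT.txt is hypothetical, and the thresholds are assumptions.

```python
import os
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

NOTE_EXTS = {".txt", ".html", ".htm", ".png", ".bmp", ".url"}

def scan_tree(root):
    """Count files per extension, exact sizes per extension, and the directories each filename is in."""
    ext_counter, size_by_ext, name_dirs = Counter(), defaultdict(Counter), defaultdict(set)
    for dirpath, _, files in os.walk(root):
        for fn in files:
            ext = os.path.splitext(fn)[1].lower()
            ext_counter[ext] += 1
            size_by_ext[ext][os.path.getsize(os.path.join(dirpath, fn))] += 1
            name_dirs[fn].add(dirpath)
    return ext_counter, size_by_ext, name_dirs

def suspicious_extensions(ext_counter, size_by_ext, min_files=5, ratio=0.8):
    """Extensions whose files mostly share one exact size (real documents vary; the 527 KB .jse cluster is the signal)."""
    hits = {}
    for ext, n in ext_counter.items():
        if n >= min_files:
            size, cnt = size_by_ext[ext].most_common(1)[0]
            if cnt / n >= ratio:
                hits[ext] = (n, size)
    return hits

def ransom_note_candidates(name_dirs, min_dirs=3):
    """Note-like filenames repeated across directories (notes are usually dropped in every affected folder)."""
    return sorted(n for n, d in name_dirs.items()
                  if os.path.splitext(n)[1].lower() in NOTE_EXTS and len(d) >= min_dirs)

def triage(root):
    ext_counter, size_by_ext, name_dirs = scan_tree(root)
    return {"uniform_size_exts": suspicious_extensions(ext_counter, size_by_ext),
            "note_candidates": ransom_note_candidates(name_dirs)}

def build_sample_tree(base):
    """Constructed fixture: three folders, each with two 527 KB .jse files, one ordinary .doc and a hypothetical note."""
    for i in range(3):
        d = Path(base, f"share{i}")
        d.mkdir(parents=True)
        for j in range(2):
            (d / f"report{i}{j}.doc.jse").write_bytes(b"\0" * (527 * 1024))
        (d / f"memo{i}.doc").write_bytes(b"x" * (1000 + 300 * i))
        (d / "HOW_TO_DECRYPT.txt").write_text("constructed placeholder note\n")  # hypothetical name
    return base

def triage_sample():
    return triage(build_sample_tree(tempfile.mkdtemp()))
```

Run `triage(r"\\server\share")` against the real share instead of the fixture; the output (extension, count, common size, candidate note names) is exactly what the identification advice above asks for.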



#4 quietman7


    Bleepin' Janitor


  • Global Moderator
  • 51,928 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 02 August 2017 - 04:58 AM

Our crypto malware experts will most likely need a sample of the malware file itself to analyze before anyone can ascertain if the encrypted files can even be decrypted. Samples of any suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted (uploaded) here with a link to this topic. There is a "Link to topic where this file was requested" box under the Browse... button.