August 3, 2016

NELocker - A Javascript Ransomware Boilerplate

Nicholas Griffin Security Researcher

An actor known for distributing the Kovter and Miuref (aka Boaxxe) malware families has been working on a Javascript-based Nemucod ransomware for several months. Recently the actor has begun dropping legitimate command line utilities like 7Zip and PHP onto infected systems to perform the encryption. The malicious use of these benign tools makes this an effective and tricky-to-detect threat. We have dubbed this ransomware "NELocker".

E-mail Lures

The actor distributes their malware by e-mail. A recent e-mail campaign posed as a confusing courier e-mail.

A ZIP file is attached here, which contains a malicious Javascript (JS) file. We can see the ".js" file extension when we turn off the Windows feature to hide extensions for known file types.

When this file is double clicked or otherwise executed, it will begin to download malware onto the machine. This kind of JS file is often referred to as "Nemucod", which is a broad anti-virus name given to a wide variety of malicious JS downloaders.

Nemucod JS Downloader

The Nemucod JS file is obfuscated, but once unpacked it becomes a lot clearer to analyse. The common behaviour among this actor's JS downloaders is to grab two EXEs and execute them, which are usually named a1.exe and a2.exe.

Typically these two malware components are the Kovter and Miuref malware families, but this actor sometimes changes or downloads additional malware components. For example, in January we blogged about this actor distributing PGDownloader to turn machines into zombies. 

NELocker Template

Since March 2016 code was added to download additional components and to use these components for ransomware purposes. The components used for encrypting files varies; recently we have seen both the 7Zip and PHP command line utilities being used for encryption.

All variants of these JS files now contain the same template ransom message which will be shown to an infected user once their files are encrypted. We have named this "NELocker" after its Nemucod roots and boilerplate style where any ("NE") arbitrary utility (benign or otherwise) can be used to perform the file encryption.

A full example of one of the ransom messages can be seen below.

All your documents, photos, databases and other important personal files
were encrypted using strong RSA-1024 algorithm with a unique key.
To restore your files you have to pay 0.48307 BTC (bitcoins).
Please follow this manual:
1. Create Bitcoin wallet here:
2. Buy 0.48307 BTC with cash, using search here:
3. Send 0.48307 BTC to this Bitcoin address:
4. Open one of the following links in your browser to download decryptor:
5. Run decryptor to restore your files.
      - If you do not pay in 3 days YOU LOOSE ALL YOUR FILES.
      - Nobody can help you except us.
      - It`s useless to reinstall Windows, update antivirus software, etc.
      - Your files can be decrypted only after you make payment.
      - You can find this manual on your desktop (DECRYPT.txt).

7Zip & PHP Abused For Ransomware

In April 2016 the Nemucod / NELocker JS files were downloading a legitimate copy of the 7Zip command-line utility and invoking it to encrypt files found on drives C to Z with the following command line:

%COMSPEC% /c for /r "<drive-letter>:\" %i in (*.zip *.rar *.7z *.tar *.gz *.xls *.xlsx *.doc *.docx *.pdf *.rtf *.ppt *.pptx *.sxi *.odm *.odt *.mpp *.ssh *.pub *.gpg *.pgp *.kdb *.kdbx *.als *.aup *.cpr *.npr *.cpp *.bas *.asm *.cs *.php *.pas *.vb *.vcproj *.vbproj *.mdb *.accdb *.mdf *.odb *.wdb *.csv *.tsv *.psd *.eps *.cdr *.cpt *.indd *.dwg *.max *.skp *.scad *.cad *.3ds *.blend *.lwo *.lws *.mb *.slddrw *.sldasm *.sldprt *.u3d *.jpg *.tiff *.tif *.raw *.avi *.mpg *.mp4 *.m4v *.mpeg *.mpe *.wmf *.wmv *.veg *.vdi *.vmdk *.vhd *.dsk) do (if %~zi LSS 100000000 (call C:\DOCUME~1\user\LOCALS~1\Temp\a.exe a -sdel -mx0 -mhe -p<randomly-generated-password> "%i.crypted" "%i"))

The password used for encrypting the files with the 7Zip utiltiy is random generated when the script is executed and passed as the "-p" parameter in the command line above. 7Zip uses AES-256 to perform this encryption. A copy of the password is then sent to the same command-and-control (C&C) server that the malware was downloaded from.

More recently we have seen a PHP file and a legitimate PHP command line utility being downloaded. In this variant NELocker invokes the PHP command line utility in order to execute the PHP file, which is heavily obfuscated.

After deobfuscation the PHP file is easy to understand. It iterates through drive letters C to Z and performs XOR encryption on eligible files using a hard-coded encryption key which is base64-encoded.

The Emsisosft Decrypter for Nemucod is able to brute force the encryption key for any files encrypted in this manner.

Protection Statement

Forcepoint™ customers are protected against this threat via TRITON® ACE at the following stages of attack:

  • Stage 2 (Lure) - Malicious e-mails associated with this attack are identified and blocked.
  • Stage 5 (Dropper) - The malware is prevented from being downloaded from the malicious URLs.


The adoption of ransomware shows no signs of slowing down. The development of NELocker demonstrates the ease and effectiveness by which ransomware can be created by abusing legitimate software like 7Zip and PHP. The initial infection vector by e-mail is important to identify, and users should remain vigilant when opening e-mail attachments.

Indicators of Compromise

E-mail Attachments (August 2, 2016)

C28F99032D898A58ED93C2DD36EE515ACDAC2FF8 (000534364.zip)
995835E37AF416792F12E49E741481319CC60D30 (000534364.doc.js)
0BAF97DE1F31D5043743542834CE41B628096213 (FedEx_ID_00000432461.zip)
F34A8642F11ECD3CB3FA05069F20CBF5F4338BEB (FedEx_ID_00000432461.doc.js)
CFF096D647C4B488D93AFF4002074CCB2FCB87B6 (00000875625.zip)
A94F5B57C697451E992CD30098B5B74709594C03 (00000875625.doc.js)
E6085B992CF12FD6BEC1347B400F0BAF28329B88 (Label_00684696.zip)
8C910BBFFC2D23D5B06A95F04B7776B3DCEFCB1C (Label_00684696.doc.js)
F7C105188FC289E19340D81F4AF525A4A30C8CE8 (00000706048.zip)
081821DEB6DB5F9A3BD8F4A6079D53889E0DDBD3 (00000706048.doc.js)

Command-and-Control Servers (August 2, 2016)

These are likely to be compromised websites.


About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.