Analysis
JS/Nemucod.DDR!tr.dldr is a generic detection for a type of JavaScript downloader trojan that downloads and runs the banking trojan Trickbot on the compromised computer. Since this is a generic detection, files that are detected as JS/Nemucod.DDR!tr.dldr may have varying behavior.
Below are examples of some of these behaviors:
- It downloads Trickbot as the following files:
  - %Temp%\[Random].exe: This file is detected as W32/Generic.AP.987BA0!tr.
  - %AppData%\winapp\[Random].exe: This file is detected as W32/Generic.AP.987BA0!tr.
- It attempts to connect to the following URL:
  - hxxp://spo{Removed}.com/8yhf2ui