Hello, welcome to the Monday, July 17th, 2017 edition of the Sands and Storms, and as Stormcast.

My name is Johannes Ulrich, and I'm recording from Jacksonville, Florida.

And I'll actually be back in Europe.

Last week, October, I'll be teaching intrusion detection in depth in Berlin.

For details and other classes I teach, just

check the show notes at the bottom of the page you'll find the list. But let's take a look at

Diaries on Friday. Brad wrote about Nemecut AS and the mal-smam that actually distributes it.

Nemecut AS is a ransomware.

Luckily, there is a decryptor available for it.

So if you are being hit by this, there is a chance for you to recover your files.

It typically arrives as usual with a downloader that's an sipped JavaScript file and claims to be a

UPS delivery notice. This particular wave is going on for a couple weeks now and Pratt as usual

does have indicators of compromise, traffic captures, and some history about this particular

ransomware family.

And now, one thing we always like is if users send us in any malicious documents or so

that they received.

DDA looked at a recent one.

It was an Excel spreadsheet and it contained a Windows shortcut, a link file.

Now, the DEA used OLLI Dump here in order to analyze this particular file.

The link file, and I think I mentioned this before, does then download additional malware to the system.

It accomplishes this via PowerShell and well, the URL here is sort of split up in order

to obfuscate it somewhat.

...