This was probably intended as a feature to allow easy debugging from the malware author’s side. If the resulting value matches a hardcoded one, then it skips the rest of the checks. Computes a hash value for every environment variable set.Checks the hash of the sample filename against a list of blacklisted filename hashes.Checks the hash of the username against a list of blacklisted username hashes.Checks the current date against the hardcoded expiration date.The list of identified Nymaim checks are below: Then it loaded a DirectDraw graphics library, and tried to unsuccessfully load a non-existing DLL, then quit, but later it turned out that this is part of the malware’s misdirection tactics.”ĭeeper analysis showed that when Nymaim does a check and fails, it keeps running for a while to make its failure less obvious.
#Netgear blacklist mac address pdf#
“After changing the date on the analysis machine, the sample ran further than before, displaying a message box with the text ‘Can not view a PDF in a web browser’. “The first we found was that each of the samples has a hardcoded expiration date, after which it refuses to properly run,” Nemes said. The German language spam message users receive. Researchers found that a Nymaim sample they were studying didn’t properly execute in the lab’s VirtualBox-based replication environment. SophosLabs spotted Nymaim’s sandbox-avoidance tricks while investigating a large spam campaign targeting mostly German-speaking users. One strain combines the code from Nymaim with Gozi, a banking malware, resulting in a new malware family called GozNym. It recently resurfaced, and is still used as a delivery platform for different malware families. It originally delivered file-encrypting ransomware as its final payload. Nymaim is a downloader Trojan that emerged in 2013.
0 kommentar(er)
