## NuggetPhantom Analysis Report **■ Doc. No.:** **■ Confidentiality:** CONFIDENTIAL **■ Issue:** 4.1 **■ Date** 2018-10-08 **© 2018 NSFOCUS** ----- **■ Copyright © 2018 NSFOCUS Technologies, Inc. All rights reserved.** Unless otherwise stated, NSFOCUS Technologies, Inc. holds the copyright for the content of this document, including but not limited to the layout, figures, photos, methods, and procedures, which are protected under the intellectual property and copyright laws. No part of this publication may be reproduced or quoted, in any form or by any means, without prior written permission of NSFOCUS Technologies, Inc. **■ Change History** **Date** **Issue** **Description** **Prepared/Modified** **By** Initial draft. Wang Zhongshi 2018-09-10 1.0 Adjusted the document structure. Wang Zhongshi 2018-09-20 3.0 Modified the description of the cryptomining 2018-10-08 4.1 module and added IP addresses of the latest mining pools. Wang Zhongshi ----- **NuggetPhantom Analysis Report** ### Contents ###### 1 Overview ......................................................................................................................................... 1 1.1 Executive Summary ......................................................................................................................................... 1 1.2 Kill Chain ......................................................................................................................................................... 1 1.3 Scope of Impact ................................................................................................................................................ 2 1.4 Development of the Hacking Organization ...................................................................................................... 3 ###### 2 Sample Analysis ............................................................................................................................ 4 2.1 High Level of Modularization .......................................................................................................................... 4 2.2 Careful Deployment to Evade Detection .......................................................................................................... 4 2.3 Flexible Configuration to Hide True Identity ................................................................................................... 7 2.4 Sacrifice of Present Gains to Remain Unnoticed ........................................................................................... 10 2.5 All Covet, All Lose ......................................................................................................................................... 12 ###### 3 Attacker Location ........................................................................................................................ 14 4 Conclusion .................................................................................................................................... 15 A IoC Output................................................................................................................................... 16 **NuggetPhantom Analysis Report** ----- **NuggetPhantom Analysis Report** ### Overview # 1 #### 1.1 Executive Summary In a recent emergency response activity, NSFOCUS Threat Intelligence center (NTI) discovered a security event that featured NuggetPhantom, a modularized malware toolkit. According to our observation, the organization behind this event made its debut at the end of 2016 in the blue screen of death (BSOD) event that targeted Tianyi Campus clients, and was again involved in another security event that leveraged Tianyi Campus clients to mine cryptocurrency at the end of 2017. Having captured and analyzed malware carriers frequently used by this organization, we believe that its malware toolkit has been highly modularized and so delivers high flexibility. This toolkit not only features anti-antivirus techniques but also employs many concealment approaches, as demonstrated in its capability of defeating security devices that work based on behavior detection and traffic analysis. As for target selection, this organization, as a disciple of the principle of "man is the measure of security", took its first step by identifying less professional users according to the security of their devices. Then it attempted to attack these users by exploiting an N-day vulnerability with EternalBlue. Besides, to better hide itself and evade detection, the organization tried to lower the impact of malware on users at the expense of financial gains. #### 1.2 Kill Chain After finding that the operating system on a user's computer contains the EternalBlue vulnerability, the attacker exploits this vulnerability to send Eternal_Blue_Payload to the victim computer. Next, this payload drops all modules, which subsequently access the download server to obtain their respective encrypted files and then dynamically decrypt them in memory before executing related malicious functions. Following is a flowchart of the entire attack process. C i ht © NSFOCUS 1 V4 1 (2018 10 08) **NuggetPhantom Analysis Report** ----- **NuggetPhantom Analysis Report** Obviously, this attack procedure is fully consistent with the classic kill chain:  **Reconnaissance: Through scanning and open-source data, the attacker finds a large** number of computers on the Internet that still contain the EternalBlue vulnerability.  **Weaponization: The attacker crafts payloads specific to these vulnerable computers.**  **Delivery: The attacker loads the malware with all its modules to his/her own server.**  **Exploitation: The attacker exploits the EternalBlue vulnerability to attack targets one by** one by executing the downloader exploit payload.  **Installation: The downloader exploit payload downloads malware and instructs it to** deploy its own modules.  **Command and Control: The malware communicates with the attacker's command and** control (C&C) server to obtain instructions and cryptomining configurations.  **Actions on Objective: The malware mines cryptocurrency and conducts distributed** denial-of-service (DDoS) attacks. #### 1.3 Scope of Impact The domain *.woeswm.com, which is associated with the IP address 60.132.11.86 (98.126.200.58 after escaping) of the core C&C server used in this campaign, is found to have initiated 18,933 domain resolution requests since June 20, 2018 to one DNS server under our observation. From this number, we can infer that no less than 100,000 devices have been infected around the world. C i ht © NSFOCUS 2 V4 1 (2018 10 08) ----- **NuggetPhantom Analysis Report** #### 1.4 Development of the Hacking Organization A look into sample behaviors and modules reused by the captured samples finds that the BSOD event of Tianyi Campus clients at the end of 2016, the event of Tianyi Campus clients planted with a cryptomining program at the end of 2017, and this event all point to the same organization. The following table lists the development of this organization based on these three events. **Time** End of 2016 End of 2017 Present **Compatibility** Poor Good Good **Degree of** - Having modules loosely Fully modularized coupled **Modularization** **Encryption Method** - Custom encryption Standard encryption algorithm algorithm **Malicious Function** - Cryptomining and Cryptomining invalid traffic generating and DDoS launching **Stealth Capability** Low Medium High **Attack Method** Planted into Tianyi Planted into Tianyi Exploitation of the Campus clients Campus clients EternalBlue vulnerability **Target Group** College students' PCs College students' PCs Neglected devices For the success of its hacking activities, the organization began to test malware modules in 2016. However, at the beta test stage, the compatibility issue of the rootkit driver, a key component of the malware, caused a large number of computers running Windows 10 to be locked up with BSOD, thus exposing its traces and leading to the failure of the planned campaign. To avoid detection, the organization lay low over a long period of time subsequently. In mid2017, it began to reengineer the driver to follow the then trend by attempting some smallscale cryptomining activities. At the end of 2017, the organization staged a comeback by planting the malware again in vulnerable Tianyi Campus clients. This time, its activities went unnoticed thanks to the enhanced compatibility of the rootkit driver. However, due to design flaws in its malicious functional modules, the cryptomining program consumed a large amount of computing resources, showing itself to users and ending up with failure. In the wake of this event, the organization went into hibernation again until July 2018, when it began to turn back to cryptomining. This time, the organization made its activities more difficult to detect by sacrificing two-thirds of gains from bot machines. In addition, based on a good understanding of Chinese users' distrust of downloaded software, it chose to use an efficient and mature exploit EternalBlue to plant malware into large quantities of unpatched computers around the world. Its target also switched from college students who may have knowledge in the related field to neglected computing devices. Such a switch was obviously a result of deep consideration. We believe that the organization, after constantly learning from past experience, has grown into a middle to high-end hacking organization, which is made up of different roles with properly assigned duties to achieve defined objectives according to the hacking trend. C i ht © NSFOCUS 3 V4 1 (2018 10 08) |Time|End of 2016|End of 2017|Present| |---|---|---|---| |Compatibility|Poor|Good|Good| |Degree of Modularization|-|Having modules loosely coupled|Fully modularized| |Encryption Method|-|Custom encryption algorithm|Standard encryption algorithm| |Malicious Function|-|Cryptomining and invalid traffic generating|Cryptomining and DDoS launching| |Stealth Capability|Low|Medium|High| |Attack Method|Planted into Tianyi Campus clients|Planted into Tianyi Campus clients|Exploitation of the EternalBlue vulnerability| |Target Group|College students' PCs|College students' PCs|Neglected devices| **NuggetPhantom Analysis Report** ----- **NuggetPhantom Analysis Report** ### Sample Analysis # 2 #### 2.1 High Level of Modularization This malware toolkit has been highly modularized and so the tools can be flexibly configured. In terms of functionality, the toolkit consists of three types of modules for deployment, download, and function implementation respectively. The deployment module initializes malicious configurations and loads the rootkit driver for the purpose of hiding the malware. The download module obtains, loads, and calls functional modules from the C&C server to fulfill attacker-specified tasks. Thanks to modularization, the toolkit delivers high flexibility for attack task deployment. In other words, the attacker can call different functional modules for different purposes. This makes it rather difficult for us to have a holistic view of the attacker from a single attack event. The following sections analyze the three modules briefly to profile the attacker in the technical aspect. #### 2.2 Careful Deployment to Evade Detection The first file planted in victim computers is the deployment module, which employs the following techniques and methods to hide the malware's malicious behavior and static signature, thereby evading analysis and detection:  **Execution upon restart: Through MSI configuration, the sample can execute malicious** activities only after users manually restart their computers. Such a design is for the purpose of bypassing behavior-based detection in sandbox environments.  **Code protection: The sample uses VMProtect to protect service programs planted in** victim computers to evade static analysis and antivirus software's detection on the one hand and to make manual sample analysis more difficult on the other hand. C i ht © NSFOCUS 4 V4 1 (2018 10 08) **NuggetPhantom Analysis Report** ----- **NuggetPhantom Analysis Report**  **File name check: The sample checks its own file name to see whether it is the same as** the hardcoded one as expected. If not, no malicious behavior will be performed. This can help evade analysis by some sandboxes.  **Drop during execution: To evade static analysis, the sample dynamically decompresses** and drops files and at the same time employs the process hollowing technique to inject code. C i ht © NSFOCUS 5 V4 1 (2018 10 08) ----- **NuggetPhantom Analysis Report**  **Driver-level hiding: By loading a driver to hook IRP_MJ_CREATE and inject** service.exe and regedit.exe, the sample hides service program files and registry keys, thus making it more difficult to detect and remove the malware and extract a sample. We associated this rootkit driver with another rootkit driver, which was found in the BSOD event of Tianyi Campus clients at the end of 2016. Furthermore, the rootkit driver used in the cryptomining event of Tianyi Campus clients shared the same certificate and PDB file and so was deemed to be an update of the one used in 2016. On this ground, we inferred that the three events were launched by the same organization.  **Vulnerability blocking: The sample, by using the IPSec function of netsch.exe, runs the** following command lines to block ports 135, 139, and 445 to prevent other scanning sources from exploiting the same vulnerability to compromise devices and contend for computing resources: − "C:\WINDOWS\system32\netsh.exe" ipsec static add policy name=qianye C i ht © NSFOCUS 6 V4 1 (2018 10 08) **NuggetPhantom Analysis Report** ----- **NuggetPhantom Analysis Report** − "C:\WINDOWS\system32\netsh.exe" ipsec static add filterlist name=Filter1 − "C:\WINDOWS\system32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=TCP' − "C:\WINDOWS\system32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=TCP − "C:\WINDOWS\system32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=TCP − "C:\WINDOWS\system32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=445 protocol=UDP − "C:\WINDOWS\system32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=139 protocol=UDP − "C:\WINDOWS\system32\netsh.exe" ipsec static add filter filterlist=Filter1 srcaddr=any dstaddr=Me dstport=135 protocol=UDP − "C:\WINDOWS\system32\netsh.exe" ipsec static add filteraction name=FilteraAtion1 action=block − "C:\WINDOWS\system32\netsh.exe" ipsec static add rule name=Rule1 policy=qianye filterlist=Filter1 filteraction=FilteraAtion1 − "C:\WINDOWS\system32\netsh.exe" ipsec static set policy name=qianye assign=y Under protection of the preceding mechanisms, the deployment module injects inject_downloader.dll into a child process, which seems to be launched by service.exe and is actually not, and then drops and loads the download module in this child process. #### 2.3 Flexible Configuration to Hide True Identity The download module obtains files and configurations of malware modules. The following figure illustrates its communication logic. C i ht © NSFOCUS 7 V4 1 (2018 10 08) **NuggetPhantom Analysis Report** ----- **NuggetPhantom Analysis Report** This module not only keeps a traditional C&C address pool to prepare for the situation where a server may fail but also uses a special hiding method to prevent users from blocking communication with C&C servers and defeat threat intelligence platforms that can associate IP addresses resolved from domain names with samples. This method is called "address escaping", whose working principle is quite simple: The attacker first specifies a public server to query the domain name of a C&C server. After obtaining the network address X (60.132.11.86), the mechanism subtracts the magic value (0x305DA) from the hexadecimal representation of X before getting Y (98.126.200.58), the real IP address of the C&C server. The download module communicates with Y to obtain modules necessary for performing the task in question. C i ht © NSFOCUS 8 V4 1 (2018 10 08) ----- **NuggetPhantom Analysis Report** In this process, the IP address directly resolved from the domain name of the C&C server is not actually used for communication. Therefore, infected computers cannot stop communicating with the C&C server by blocking this IP address. In addition, victims cannot block access to the public DNS server for fear of affecting normal business. As a result, malicious traffic is successfully exchanged between victim computers and the C&C server. The sample compresses and encrypts the communication, which, after decryption, reads as follows: ``` 888$30$20180618$6$CpuGad$http://Up.Vohjtk.Com/RetGad/CpuGad/2018 0618.6/MsGad.PNG|$http://Up.Vohjtk.Com/RetGad/CpuGad/20180618.6/ MsRun.PNG|$|http://98.126.36.26:443/BuyGad/CoreRA07.PNG?RAT2018R A07?1?1?6?6#0#1#|http://Ae.Eqwauemt.Com/BuyGad/CoreRD09.PNG?RAT2 018RD09?1?1?6?6#1#0#|http://Up.Vohjtk.Com/BuyGad/CoreE011.PNG?CP U2018E011?1?1?6?6#1#0#|$5633c2d7ee994d04$$3$0$1$1$1$223.39.186.1 23#7.255.184.172#157.129.241.108#157.129.236.128#157.129.219.175 #157.129.212.103#147.88.219.209#119.125.74.121#69.187.163.188#$2 018-01-01 00:00:06$ ``` Clearly, the sample uses this function to access a lot of URLs to download different modules, which will be decompressed and dropped locally to perform various malicious functions. Which modules are to be dropped is totally up to the attacker. Their programs take the form of executables or scripts. At the same time, the sample obtains some IP addresses and escapes them into real ones using the aforementioned address escaping method. Then the sample encrypts and stores these addresses in the registry and uses them as C&C servers of the cryptomining module to obtain the latest configuration information of the latter. Following are real IP addresses obtained through address escaping:  5.34.183.123  45.249.181.172  195.123.238.108  195.123.233.128  195.123.216.175  195.123.209.103  185.82.216.209 C i ht © NSFOCUS 9 V4 1 (2018 10 08) ----- **NuggetPhantom Analysis Report**  157.119.71.121  107.181.160.188  154.48.241.199  137.175.66.15 #### 2.4 Sacrifice of Present Gains to Remain Unnoticed The cryptomining module is decompressed and executed by inject_loader.dll. Unlike other cryptomining programs, this module employs some special tactics to enhance flexibility and secrecy:  **Dynamic configuration: The sample accesses C&C servers listed in the registry to** obtain configuration information of the cryptomining module in real time, including the algorithm type, mining pool addresses, and online wallet user names. Users can hardly block such cryptomining behavior by blacklisting known mining pool addresses.  **Controlled resource usage: By setting cryptomining parameters, the attacker keeps the** CPU usage by the cryptomining module at a relatively low level (25%) to prevent users from detecting it because of a sudden drop of computer performance. According to our observation, C&C servers of the cryptomining module have issued the following configuration information, where Wk is a fixed string of characters, which, together with the attacker-specified offset, constitutes an online wallet user name. The offset, if not configured, is 1000 by default. **Mining Pool Address** **Online Wallet User Name** **Password** 98.126.80.90:15912 Wk+1000 X C i ht © NSFOCUS 10 V4 1 (2018 10 08) |Mining Pool Address|Online Wallet User Name|Password| |---|---|---| |98.126.80.90:15912|Wk+1000|X| ----- **NuggetPhantom Analysis Report** **Mining Pool Address** **Online Wallet User Name** **Password** 98.126.80.91:15912 Wk+1000 X 98.126.1.26:15912 Wk+1000 X 98.126.1.27:15917 Wk+1000 X 154.48.241.199:15912 Wk+1000 X The IP addresses listed in the table are all verified to be mining pools set up by the attacker by using a leased virtual private server (VPS). These mining pool nodes are not configured with gains query interfaces that are common with public mining pools. Therefore, the attacker needs to log in to the server to query current gains by remote means such as remote desktop connection (available on port 55588). This ensures that other users cannot get more information about the attacker, such as his/her total gains, Monero wallet addresses, and the number of miners, through mining pool addresses, user names, and passwords disclosed in network traffic. However, as the major functionality of the cryptomining module was reengineered from that of XMRIG, the traffic generated is also in plaintext so that users can detect related sessions and generate alerts on and block each new mining pool address. C i ht © NSFOCUS 11 V4 1 (2018 10 08) |Mining Pool Address|Online Wallet User Name|Password| |---|---|---| |98.126.80.91:15912|Wk+1000|X| |98.126.1.26:15912|Wk+1000|X| |98.126.1.27:15917|Wk+1000|X| |154.48.241.199:15912|Wk+1000|X| ----- **NuggetPhantom Analysis Report** The cryptomining module's deployment process and coupling with the download module indicate that it plays a lead role in this attack. At this stage, the attacker mainly aims to persistently use victims' computing resources to mine cryptocurrency for personal gains. #### 2.5 All Covet, All Lose Besides the cryptomining module that stars in this attack, we find an additional module for launching DDoS attacks. This module is also decompressed and executed locally by inject_loader.dll. It accesses the attacker-specified C&C server to download an independently running EXE file to perform the assumed function. Different from the cryptomining module that is tightly coupled with the download module through C&C configuration, the DDoS module has its configuration information directly hardcoded into a binary file so as to be executed independently of other modules without needing any injection. For this reason, we determine that this module plays a secondary role in this attack. Such a design results from the attacker's desire to maximize the value of bots by using their computing resources to mine cryptocurrency on the one hand and using their bandwidth resources to conduct DDoS attacks for additional gains on the other hand. Unluckily, this module is not protected with any technique. Even worse, real IP addresses of its C&C servers are not masked by means of address escaping, but hardcoded into a binary file. In fact, it was due to this module that we were able to track down the attacker and make breakthroughs in our analysis. Observing the communication process, we found that this module used the same compression and encryption algorithms and keys as other modules. Obviously, they were written by the same author. Considering the difference between this module and other modules described in preceding sections in security and its hardcoded information, we concluded that it was a beta test version that implemented malicious functions without any protection mechanism. C i ht © NSFOCUS 12 V4 1 (2018 10 08) ----- **NuggetPhantom Analysis Report** This module can initiate the following types of DDoS attacks: C i ht © NSFOCUS 13 V4 1 (2018 10 08) **NuggetPhantom Analysis Report** ----- **NuggetPhantom Analysis Report** ### Attacker Location # 3 According to NTI, the IP address of the major C&C server used in these attacks is located in the USA. The result returned by NTI in response to our search reveals that names appearing on web pages hosted at this IP address comply with the Chinese naming convention (scanning result of July 16, 2018, the same date when the malicious sample was released). Therefore, a conclusion can be drawn that this organization has long targeted victims in China. (In the preceding figure, the parts masked indicate other hacking activities that the attacker engaged in. Those who are interested in such information can go to nti.nsfocus.com to check it out.) C i ht © NSFOCUS 14 V4 1 (2018 10 08) ----- **NuggetPhantom Analysis Report** ### Conclusion # 4 From the preceding analysis, we can draw the following conclusions:  **Vulnerability: The EternalBlue vulnerability, as a critical one disclosed in early 2017,** has been exploited by very efficient toolkits and has attracted a wide range of scanning sources. Up to now, hackers' zeal for it has not abated as there are still a large number of unpatched Windows devices worldwide.  **Tools: Programs and tools used for malicious purposes are undergoing a major change in** their structure. Traditionally, all necessary functions are built into a package and used as a whole. Now, they have functions modularized for higher flexibility. For one campaign, an attacker needs only to plant a controlled loader program that seldom carries out malicious activities but requests necessary modules in real time. Functional modules can be loaded or uninstalled depending on the information collection progress, the purpose of the task, and the trend of the hacking industry. Security devices analyze attacks only after they actually happen. Such a reactive process makes it difficult to get a whole picture of events no matter how extensive and intensive the analysis is.  **Industry: Cryptomining is usually considered a hacking industry that has a low entry** barrier and does not require a high skill set. Therefore, antagonistic techniques seem to be lacking in related malware. However, the case in question reveals that hacking organizations lured by the lucrative business are generous with their spending on all sorts of technical means against security products. This partly explains why the cryptomining detection rate is dropping currently. A lower detection rate does not mean that fewer such events have happened, but they are increasingly difficult to detect and perceive.  **Organization: Full-fledged hacking organizations active in China focus more on** concealment and persistence of their malicious behavior. Their purpose has turned from trying to control users' total resources to parasitizing users' computers without users' knowledge. For the purpose of persistence, they are even willing to sacrifice some gains. C i ht © NSFOCUS 15 V4 1 (2018 10 08) **NuggetPhantom Analysis Report** ----- **NuggetPhantom Analysis Report** ### IoC Output # A NTI specifies the following format for the output of indicators of compromise (IoC): ``` { "report_name":"NuggetPhantom", "alias":"", "brief":"An modularized RAT for XMRminer and DDoS", "created_time":"2018-07-16", "update_time":"2018-07-16, "keywords":["RAT","MINER","DDoS"], "tag":"NuggetPhantom", "ref":[""], "info_extract": { "date":"", "hash": [ {"value":" 4209ae0cb569efab29ca9d2d7f4a211b","filename":" MsHIDPARSEApp.dll","date":"2018-06-12","relation":{"domain":[" Vohjtk.Com","Eqwauemt.Com"],"ip":["98.126.200.58","98.126.36.26","5.34. 183.123","45.249.181.172","195.123.238.108","195.123.216.175","195.123. 209.103","185.82.216.209","157.119.71.121","107.181.160.188","154.48.24 1.199","137.175.66.15"],"vul":["CVE-2017-0143","CVE-2017-0144","CVE 2017-0145","CVE-2017-0146","CVE-2017-0147","CVE-2017 0148"],"email":[""],"date":""}}, ], "domain": [ {"value":"Eqwauemt.com","type":["Malware"],"date":"2018 06-12","relation":{"ip":["104.18.36.142"],"email":[""],"date":"2018-06 12"}}, {"value":"Vohjtk.com","type":["Malware"],"date":"2018-06 12","relation":{"ip":["104.27.165.31"],"email":[""],"date":"2018-06 12"}} ], "ip": [ {"value":"98.126.200.58","type":["C&C","Malware"],"date":"2018 06-12"}, {"value":"98.126.36.26","type":["C&C","Malware","DDoS","Botnets"],"date ":"2018-06-12"}, {"value":"5.34.183.123","type":["C&C"],"date":"2018-06 12"}, {"value":"45.249.181.172","type":["C&C"],"date":"2018-06 ``` C i ht © NSFOCUS 16 V4 1 (2018 10 08) **NuggetPhantom Analysis Report** ----- **NuggetPhantom Analysis Report** ``` 12"}, {"value":"195.123.238.108","type":["C&C"],"date":"2018-06 12"}, {"value":"195.123.216.175","type":["C&C"],"date":"2018-06 12"}, {"value":"195.123.209.103","type":["C&C"],"date":"2018-06 12"}, {"value":"185.82.216.209","type":["C&C"],"date":"2018-06 12"}, {"value":"157.119.71.121","type":["C&C"],"date":"2018-06 12"}, {"value":"107.181.160.188","type":["C&C"],"date":"2018-06 12"}, {"value":"154.48.241.199","type":["C&C"],"date":"2018-06 12"}, {"value":"137.175.66.15","type":["C&C"],"date":"2018-06 12"} {"value":"98.126.80.90","type":["C&C"],"date":"2018-06 12"} {"value":"98.126.80.91","type":["C&C"],"date":"2018-06 12"} {"value":"154.48.241.199","type":["C&C"],"date":"2018-06 12"} ] } } ``` C i ht © NSFOCUS 17 V4 1 (2018 10 08) **NuggetPhantom Analysis Report** ----- **NuggetPhantom Analysis Report** ### References # B  https://nti.nsfocus.com/ip?query=98.126.200.58&type=all C i ht © NSFOCUS 1 V4 1 (2018 10 08) **NuggetPhantom Analysis Report** -----