# Nymaim config decoded

**proofpoint.com/us/threat-insight/post/nymaim-config-decoded**


March 12, 2019


-----

[Blog](https://www.proofpoint.com/us/blog)
[Threat Insight](https://www.proofpoint.com/us/blog/threat-insight)
Nymaim config decoded

March 12, 2019 Georgi Mladenov


-----

**O e** **e**

First documented in 2013 [1], Nymaim was originally identified as both a first-stage downloader and second-stage locking malware. Primarily
distributed via the Blackhole exploit kit, most users found out they were infected because of the screen lock that demanded varying ransoms.
In 2016, we documented distribution of the Ursnif banking Trojan via email campaigns and the presence of webinjects within Nymaim itself [2].
More recently, Nymaim has evolved into an even more robust downloader that includes a range of information stealing and system profiling
capabilities. This incarnation of Nymaim has appeared in both global campaigns as well as attacks targeting North America, Germany, Italy,
and Poland. In this respect, Nymaim is following global malware trends, with a focus on persistent, non-destructive infection to collect
information long-term and flexibly download additional malware of the threat actor’s choosing.

Despite its long history and increasing incidence of spreading via email, many aspects of Nymaim are not well understood, including its
ownership and availability to groups of threat actors. Moreover, the configuration file format outlined in this blog and the config’s interaction
with a virtual machine running within the malware itself appears to be unique. While CERT.pl described the configuration encryption algorithms
previously [3], recent samples now employ a bytecode language with its own logic that is interpreted by the malware, running in a virtual
machine managed by Nymaim. Technical details of the config file and its interaction with the Nymaim interpreter are outlined below.

**Analysis**

_Config parsing_

As other researchers have noted for various components of Nymaim [4], the configuration data is stored in an encrypted and, in some cases,
aPLib-compressed format.

The configuration data consists of a binary structure composed of multiple config components or chunks. Each data component has a
recognizable pattern that is structured in the following format:

struct CONFIG_LINE {

DWORD     opcode;

DWORD     params_length;

byte   params[params_length];

}

Upon further analysis, we found that the configuration is compiled bytecode-like data that runs in a custom virtual machine environment inside
Nymaim. The config has its own CODE and DATA sections, stack, local variables, registers, conditional cases, procedures, and API calls.

Additionally, the config parser includes a built-in integrity check of the params data, such that on initialization, the structure outlined above is
expanded in memory to four parameters:

struct CONFIG_LINE_PARSED {

DWORD     opcode;

DWORD     crc;

DWORD     params_length;

byte   params[params_length];

}

The integrity check uses a checksum algorithm that is widely used in the malware and this is its implementation:

def crc(data, data_len):

delta = 0x9AF598DC

crc = 0

for i in range(0, data_len // 4):

crc += struct.unpack_from("<L", data, i * 4)[0]

crc  += data_len

crc  += delta

return crc & 0xFFFFFFFF


-----

e st e t es o t e co g co ta t e co p e t esta p, e s o, a d p ese t t e e p at o date t oug t e tua ac e
skips these entries, they allow us to precisely date each sample from the day it was first distributed to the day on which the campaign ended.

The virtual machine parses the rest of the config file line by line from top to bottom, first reading the code section and then reading the data
section at the bottom of the file.

_Config execution_

As part of the virtual machine, the config interpreter can use its own stack and local variables, along with six general purpose registers.
Additionally there is designated space for instruction pointers and flags used by the IF-THEN-GOTO code and API/procedure results.

The config interpreter running on the virtual machine can communicate with other parts of the Nymaim code using a structure holding initial
data, which includes:

IsAdmin flag;
System version from a OSVERSIONINFOEXW structure;
SubAuthID;
Locale obtained by GetLocaleInfoA;
Pointer to the PEB;
Event handles;
Many additional flags;

In the samples we analyzed, the interpreter did not necessarily use all of these parameters. However they are all accessible from the config's
code.

The interpreter itself uses a limited number of basic code logic instructions, including flexible variable and register assignments represented in
pseudocode below:

// &ADDR:**** is the addressing, line by line of the config code

// SP_00 to SP_** are represented as stack pointers

// R0 to R5 are general purpose registers

// Additionally local variables decompiled as LOC_** can be used

&ADDR:0003  SP_00 = 0xFFFFFFFF; // immediate value to stack pointer assignment

&ADDR:0004  SP_04 = 0x00000000;

&ADDR:0005  SP_08 = 0x00000002;

&ADDR:0006  SP_0C = 0x00000004;

&ADDR:0007  SP_10 = 0x00000008;

&ADDR:0008  SP_14 = 0x0000000C;

&ADDR:0009  SP_18 = 0x00000010;

...

&ADDR:0017  R0 = &CPU; // pointer to the CPU data to stack pointer assignment

&ADDR:0018  R1 = 0x0000003C; // immediate value to register assignment

&ADDR:0019  R2 = 0x00000004;

&ADDR:001A  R3 = &SP_04; // stack pointer to register assignment

&ADDR:001B  R4 = 0x00000000;

&ADDR:001C  R5 = 0x00000004;

Data initialization for the next stage, using labels as delimiters, is shown below:

&ADDR:006D  InitData(start=&ADDR:007A, end=&ADDR:0081);

...

&ADDR:0079  LABEL_79:


-----

&ADDR:0082  LABEL_82:

TEST and IF-THEN-GOTO instructions for conditional branching:

&ADDR:0021  TEST &SP_34 == &SP_44;

&ADDR:0022  IF True GOTO LABEL_4B;

...

&ADDR:002D  IF &R0[R1] == &R3[R4] GOTO LABEL_4B;

Procedure calls using entry point LABEL and RET instruction:

&ADDR:001F  CALL PROC_69;

...

&ADDR:0069  PROC_69:

...

&ADDR:006E  RET;

API-like functions can call into other Nymaim code for more complicated jobs as outlined below:

Determine presence of a Environment strings (IsEnvStringSet())
Determine presence of certain processes running (IsProcessRunning())
Terminate config code execution (Exit())
Signaling events created by Nymaim (SignalEvent())
Sending debug messages to Nymaim (DebugMessage())
Detecting sandboxing and debugging environment (IsDebugged())

Upon further analysis, we were able to decode the checksums for the following processes:

updatesrv.exe
vsserv.exe
pchooklaunch32.exe
bdagent.exe
seccenter.exe
aswidsagenta.exe
avastui.exe
avastsvc.exe

All of these point to executables associated with antivirus applications, suggesting that IsProcessRunning() is used to detect installed AV
utilities.

The virtual machine uses IsDebugged() for anti-debugging checks, looking for blacklisted items associated with research environments:

MAC addresses associated with virtual machine platform vendors VmWare, Dell, PCS Computer Systems GmbH, Microsoft Corporation,
Parallels, and Xensource.
Loaded libraries "dbghelp.dll" and "SbieDll.dll" (parts of Debugging Tools For Windows and Sandboxie).
User names "currentuser" and "sandbox" along with computer names including "sandbox"

Nymaim does not appear to currently use the DebugMessage() function, but passes the argument to the two occurrences of this API call in
plaintext:

"own inside started" // on stage 1 initialization
"no known av detected" // self explanatory

_Typical decompiled configuration_

With this information, we were able to decompile Nymaim's config bytecode to a more human-readable pseudocode script. For reference, a
complete implementation of the decompiler that generates the following output is available here [6].

// VM &CPU @ B2564545

// VM &TIME @ 06C742A3


-----

// & G @ 58 8305

&ADDR:0000  // compile timestamp: 2018-11-20T16:36:01.263625

&ADDR:0001  // version: 2.1.20.21

&ADDR:0002  // expiration date: 23 November 2018

&ADDR:0003  SP_00 = 0xFFFFFFFF;

&ADDR:0004  SP_04 = 0x00000000;

&ADDR:0005  SP_08 = 0x00000002;

&ADDR:0006  SP_0C = 0x00000004;

&ADDR:0007  SP_10 = 0x00000008;

&ADDR:0008  SP_14 = 0x0000000C;

&ADDR:0009  SP_18 = 0x00000010;

&ADDR:000A  SP_1C = &SP_00;

&ADDR:000B  SP_20 = &SP_04;

&ADDR:000C  SP_24 = &SP_0C;

&ADDR:000D  SP_28 = &SP_10;

&ADDR:000E  SP_2C = &SP_14;

&ADDR:000F  SP_30 = &SP_18;

&ADDR:0010  SP_34 = &FLAG;

&ADDR:0011  SP_38 = 0x00000000;

&ADDR:0012  SP_3C = 0x0DDD766C;

&ADDR:0013  SP_40 = 0x0CD874EC;

&ADDR:0014  SP_44 = &SP_3C;

&ADDR:0015  SP_48 = &SP_40;

&ADDR:0016  InitData(start=&ADDR:0084, end=&ADDR:0091);

&ADDR:0017  R0 = &CPU;

&ADDR:0018  R1 = 0x0000003C;

&ADDR:0019  R2 = 0x00000004;

&ADDR:001A  R3 = &SP_04;

&ADDR:001B  R4 = 0x00000000;

&ADDR:001C  R5 = 0x00000004;

&ADDR:001D  IF &R0[R1] == &R3[R4] GOTO LABEL_5F;

&ADDR:001E  DebugMessage("own inside started"); // not processed in any way

&ADDR:001F  CALL PROC_69;

&ADDR:0020  IsProcessRunning(0x9BC217C0); // Enabled

&ADDR:0021  TEST &SP_34 == &SP_44;

&ADDR:0022  IF True GOTO LABEL_4B;

&ADDR:0023  IsEnvStringSet(0xDD076E3D);


-----

& 00 S &S _3 &S _ ;

&ADDR:0025  IF True GOTO LABEL_4B;

&ADDR:0026  IsDebugged(TODO flags); // 00000000 00000001 0000000F 00000000

&ADDR:0027  R0 = &FLAG;

&ADDR:0028  R1 = 0x00000010;

&ADDR:0029  R2 = 0x00000004;

&ADDR:002A  R3 = &SP_04;

&ADDR:002B  R4 = 0x00000000;

&ADDR:002C  R5 = 0x00000004;

&ADDR:002D  IF &R0[R1] == &R3[R4] GOTO LABEL_4B;

&ADDR:002E  R0 = &FLAG;

&ADDR:002F  R1 = 0x00000004;

&ADDR:0030  R2 = 0x00000004;

&ADDR:0031  R3 = &SP_04;

&ADDR:0032  R4 = 0x00000000;

&ADDR:0033  R5 = 0x00000004;

&ADDR:0034  IF &R0[R1] == &R3[R4] GOTO LABEL_66;

&ADDR:0035  R0 = &FLAG;

&ADDR:0036  R1 = 0x00000008;

&ADDR:0037  R2 = 0x00000004;

&ADDR:0038  R3 = &SP_04;

&ADDR:0039  R4 = 0x00000000;

&ADDR:003A  R5 = 0x00000004;

&ADDR:003B  IF &R0[R1] == &R3[R4] GOTO LABEL_66;

&ADDR:003C  SP_4C = 0xFFFFFFF7;

&ADDR:003D  R0 = &FLAG;

&ADDR:003E  R1 = 0x0000000C;

&ADDR:003F  R2 = 0x00000004;

&ADDR:0040  R3 = &SP_4C;

&ADDR:0041  R4 = 0x00000000;

&ADDR:0042  R5 = 0x00000004;

&ADDR:0043  LOC_00 = &R0[R1] & &R3[R4];

&ADDR:0044  R0 = &LOC_00;

&ADDR:0045  R1 = 0x00000000;

&ADDR:0046  R2 = 0x00000004;

&ADDR:0047  R3 = &SP_04;

&ADDR:0048  R4 = 0x00000000;


-----

& 00 9 5 0 0000000 ;

&ADDR:004A  IF &R0[R1] == &R3[R4] GOTO LABEL_66;

&ADDR:004B  LABEL_4B:

&ADDR:004C  IsProcessRunning("updatesrv.exe", "vsserv.exe", "pchooklaunch32.exe", "bdagent.exe", "seccenter.exe"); // Enabled

&ADDR:004D  TEST &SP_34 == &SP_44;

&ADDR:004E  IF True GOTO LABEL_5D;

&ADDR:004F  R0 = 0x00000100;

&ADDR:0050  R1 = 0x00000400;

&ADDR:0051  R2 = 0x00000000;

&ADDR:0052  R3 = 0x00000003;

&ADDR:0053  // TODO ID:7DD14382 DATA:b'00000000'

&ADDR:0054  TEST &SP_34 == &SP_44;

&ADDR:0055  IF True GOTO LABEL_5D;

&ADDR:0056  R0 = &FLAG;

&ADDR:0057  R1 = 0x00000004;

&ADDR:0058  R2 = 0x00000004;

&ADDR:0059  R3 = &SP_04;

&ADDR:005A  R4 = 0x00000000;

&ADDR:005B  R5 = 0x00000004;

&ADDR:005C  IF &R0[R1] == &R3[R4] GOTO LABEL_63;

&ADDR:005D  LABEL_5D:

&ADDR:005E  GOTO LABEL_61;

&ADDR:005F  LABEL_5F:

&ADDR:0060  CALL PROC_69;

&ADDR:0061  LABEL_61:

&ADDR:0062  Exit(0); // Exit process

&ADDR:0063  LABEL_63:

&ADDR:0064  SignalEvent(); // pre-process termination

&ADDR:0065  Exit(0); // Exit process

&ADDR:0066  LABEL_66:

&ADDR:0067  SignalEvent(); // pre-process termination

&ADDR:0068  Exit(0); // Exit process

&ADDR:0069  PROC_69:

&ADDR:006A  IsProcessRunning("aswidsagenta.exe", "avastui.exe", "avastsvc.exe"); // Enabled

&ADDR:006B  TEST &SP_34 == &SP_44;

&ADDR:006C  IF True GOTO LABEL_6F;

&ADDR:006D  InitData(start=&ADDR:007A, end=&ADDR:0081);


-----

& 006 ;

&ADDR:006F  LABEL_6F:

&ADDR:0070  DebugMessage("no known av detected"); // not processed in any way

&ADDR:0071  InitData(start=&ADDR:007A, end=&ADDR:0081);

&ADDR:0072  RET;

&ADDR:0073  LABEL_73:

&ADDR:0074  DATA_DFE8715B = [0x00001F40, 0x00000001, 0x00000004, 0x00000001, 0x00001770, 0x00002000, 0x00000000,
0x000000C8, 0x00000064];

&ADDR:0075  DATA_97AC42CB = [0x00000000];

&ADDR:0076  DATA_PAYLOAD_TARGET_ENUMERATOR = [0x00000000, 0x00000000,
"*'%ProgramFiles(x86)%;#!#*.exe';@'#!#*avast#*;#!#*defender#*;#!#*uninstall#*;#!#*instal#*;#!#*setup#*;#!#*config#*;#!#*iexplore.exe;#!#*chrome
%!rndl_0_0_2_1_3%';$'#*';!'0;0;%!rndl_0_0_2_1_3%';*'%ProgramW6432%;#!#*.exe';@'#!#*avast#*;#!#*defender#*;#!#*uninstall#*;#!#*install#*;#!#*setup#*;#!#*config#*';$'#!#*win
%!rndl_0_0_2_1_3%';$'#*';!'0;0;-%!rndl_0_0_2_1_3%'"];

&ADDR:0077  DATA_D3955141 = [0x00000001, 0x00000000, "%!system32W6432%\rundll32.exe; -%!rndl_0_0_2_1_3%
%!rndl_0_0_2_3_8%.dll"];

&ADDR:0078  LABEL_78:

&ADDR:0079  LABEL_79:

&ADDR:007A  DATA_DFE8715B = [0x00001F40, 0x00000001, 0x00000004, 0x00000001, 0x00001770, 0x00002000, 0x00000000,
0x000000C8, 0x00000064];

&ADDR:007B  DATA_97AC42CB = [0x00000001];

&ADDR:007C  DATA_BB98FAB8 = [0x00000400];

&ADDR:007D  DATA_3FEF1B94 = [0x00000004];

&ADDR:007E  DATA_PAYLOAD_DROPPATH = "%SystemRoot%#*";

&ADDR:007F  DATA_PAYLOAD_DROPFILE = "#!#*flashutil32#*;#!#*flashplayerpl#*;#!#*windowslivemail#*";

&ADDR:0080  DATA_PROCLIST_EXCLUDE_EXT = ["iexplore.exe", "firefox.exe", "chrome.exe", "winword.exe", "outlook.exe", "excel.exe",
"powerpnt.exe", "iexplore.exe", "firefox.exe", "chrome.exe", "winword.exe", "outlook.exe", "excel.exe", "powerpnt.exe", "acrord32.exe",
"java.exe", "javaw.exe", "regsvr32.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe", "certutil.exe", "sqlservr.exe", "opera.exe",
"msaccess.exe", "sysprep.exe", "setupsqm.exe", "cliconfg.exe", "winsat.exe", "mmc.exe", "oobe.exe", "inetmgr.exe", "taskhost.exe",
"inetmgr.exe", "dism.exe", "dismhost.exe", "taskeng.exe", "cmd.exe", "wscript.exe", "cscript.exe", "java.exe", "powershell.exe", "mshta.exe",
"winlogon.exe", "services.exe", "svchost.exe", "spoolsv.exe", "explorer.exe", "explorer.exe", "cmd.exe", "rundll32.exe", "msiexec.exe",
"mspaint.exe", "notepad.exe", "calc.exe", "taskhost.exe", "dwm.exe", "taskmgr.exe", "msnmsgr.exe", 0xF6FE5321, "dllhost.exe",
"runouce.exe", "vds.exe", "mstsc.exe", "mysqld.exe", "onenotem.exe", "dropbox.exe", "conhost.exe", "jusched.exe", "sihost.exe",
"splwow64.exe", "msdt.exe", "onedrive.exe", "skype.exe", "solitaire.exe", "steam.exe"];

&ADDR:0081  DATA_PAYLOAD_TARGET_ENUMERATOR = [0x00000000, 0x00000000,
"*'%ProgramFiles(x86)%;#!#*.exe';@'#!#*avast#*;#!#*defender#*;#!#*uninstall#*;#!#*instal#*;#!#*setup#*;#!#*config#*;#!#*iexplore.exe;#!#*chrome
%!rndl_0_0_2_1_3%';$'#*';!'0;0;%!rndl_0_0_2_1_3%';*'%ProgramW6432%;#!#*.exe';@'#!#*avast#*;#!#*defender#*;#!#*uninstall#*;#!#*install#*;#!#*setup#*;#!#*config#*';$'#!#*win
%!rndl_0_0_2_1_3%';$'#*';!'0;0;-%!rndl_0_0_2_1_3%'"];

&ADDR:0082  LABEL_82:

&ADDR:0083  LABEL_83:

&ADDR:0084  DATA_8568A01D = [0x00000001, 0x00000001];

&ADDR:0085  DATA_14A8D56E = [0x00, 0x02, 0x00, 0x00, 0xD4, 0x30, 0x37, 0xBF, 0x80, 0x4B, 0x8F, 0xE0, 0xE5, 0xCC, 0x27, 0xE7, 0x23,
0xCF, 0x53, 0x37, 0xB1, 0x46, 0xD8, 0x03, 0xCA, 0xEE, 0x29, 0x4B, 0x66, 0x8A, 0x9A, 0xCA, 0x51, 0xA8, 0x95, 0x81, 0x28, 0x93, 0x01,
0xF9, 0x60, 0x7D, 0x9A, 0x6C, 0xB2, 0x93, 0x15, 0x2B, 0x44, 0xC0, 0x6F, 0x6F, 0xB7, 0x1A, 0xC8, 0x12, 0x52, 0x1A, 0xC7, 0x28, 0x0A,
0x46, 0x0D, 0x2E, 0x84, 0x50, 0x9B, 0xFD, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,


-----

0 00, 0 00, 0 00, 0 00, 0 00, 0 00, 0 00, 0 00, 0 00, 0 00, 0 00, 0 00, 0 00, 0 00, 0 00, 0 00, 0 00, 0 00, 0 00, 0 00, 0 00, 0 00, 0 00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
0x00, 0x01];

&ADDR:0086  DATA_56B437D3 = ["system", "lsass.exe", "smss.exe", "csrss.exe", "wininit.exe", "services.exe", "lsm.exe", "audiodg.exe",
"svchost.exe", "winlogon.exe", "spoolsv.exe", "searchindexer.exe", "msdtc.exe", "searchprotocolhost.exe", "dllhost.exe"];

&ADDR:0087  DATA_DBED7DFB = ["system", "lsass.exe", "smss.exe", "csrss.exe", "wininit.exe", "services.exe", "lsm.exe", "audiodg.exe",
"svchost.exe", "winlogon.exe", "spoolsv.exe", "searchindexer.exe", "msdtc.exe", "explorer.exe", "dwm.exe"];

&ADDR:0088  DATA_PROCLIST_EXCLUDE = ["wininit.exe", "csrss.exe", "smss.exe", "avp.exe", "avpui.exe", "avgnt.exe", "avguard.exe",
"sched.exe", "aswidsagenta.exe", "avastsvc.exe", "avastui.exe", "ccsvchst.exe", "avgcsrvx.exe", "avgnsx.exe", "avgrsx.exe", "avgtray.exe",
0x6EEA1E2D, "avgwdsvc.exe", "ekrn.exe", "egui.exe", "msmpeng.exe", "msseces.exe", "mpcmdrun.exe", "psimsvc.exe", "apvxdwin.exe",
"avengine.exe", "pavfnsvr.exe", "pavprsrv.exe", "pavsrvx86.exe", "psctrls.exe", "psksvc.exe", "fpavserver.exe", 0xBAA21E23, "fpwin.exe",
"cmdagent.exe", "cfp.exe", "gdscan.exe", "gdsc.exe", "avktray.exe", "avkservice.exe", "avkproxy.exe", "pctsgui.exe", "pctssvc.exe",
"pctsauxs.exe", "update.exe", "updatesrv.exe", "vsserv.exe", "pchooklaunch32.exe", "bdagent.exe", "seccenter.exe", "mrt.exe",
"mcupdate.exe", "mcagent.exe", "mcmscsvc.exe", "mcnasvc.exe", "mcproxy.exe", "mcsacore.exe", "mcshell.exe", "mcshield.exe",
"mcsysmon.exe", "mpfsrv.exe", "msksrver.exe", "udaterui.exe", "engineserver.exe", "frameworkservice.exe", "engineserver.exe",
"frameworkservice.exe", "mctray.exe", "naprdmgr.exe", "shstat.exe", "vstskmgr.exe", "almon.exe", "alsvc.exe", "savadminservice.exe",
0x12FCC4EB, "savservice.exe", "swi_service.exe", 0xBC6D3196, "protoolbarupdate.exe", "sfctlcom.exe", "tmbmsrv.exe", "tmpfw.exe",
"tmproxy.exe", "tscfplatformcomsvr.exe", 0xAEF84E17, "ufseagnt.exe", 0x3DC44746, 0x13F2ED0D, 0x4B4EA20C, "umxagent.exe",
"umxcfg.exe", "umxpol.exe", "caav.exe", "casc.exe", "cavrid.exe", "ccprovsp.exe", "vetmsg.exe", "vmwaretray.exe", "vmwareuser.exe",
0xBD157242, "vmtoolsd.exe", "wrsa.exe"];

&ADDR:0089  DATA_5DD00BF4 = ["winlogon.exe"];

&ADDR:008A  DATA_87045172 = ["explorer.exe", "dwm.exe", "taskhost.exe", "conhost.exe"];

&ADDR:008B  DATA_0B7EEE53 = [0x00000000];

&ADDR:008C  DATA_FFF28C72 = "zepter.com;carfax.com;";

&ADDR:008D  DATA_GOOGLE_DNS = [0x00000003, timeout_write=8000, timeout_read=8000, 0x00000001, 0x00000002,
"8.8.8.8:53;8.8.4.4:53"];

&ADDR:008E  DATA_992CC894 = [0x00000000, 0x00000001, 0x00000001, 0x00000002, 0x00000001, 0x00000001, 0x00000000,
0x00000000, 0x00000000, 0x00000000, "gx3Gd93kdXdjd]dGdg573"];

&ADDR:008F  DATA_8DB1E244 = [0x00000001, 0x18482642, 0x78643587, 0x87568289, 0x00000010];

&ADDR:0090  DATA_C9393B40 = "~[duewosgems.com];fiosbewos.com;";

&ADDR:0091  DATA_F50DF89A = [0x00000019, 0x000493E0, 0x00000001, 0x00000001, "~

[duewosgems.com]/pkbn74is/index.php;fiosbewos.com/pkbn74is/index.php;"];

&ADDR:0092  LABEL_92:

&ADDR:0093  END;

**Conclusion**

Nymaim is one of a number of downloaders appearing regularly in the wild, reflecting the trend of installing persistent malware on victim
devices. Although Nymaim has a long history as a downloader and earlier incarnations as ransomware and a desktop locker, little is known
about its ownership or availability to other threat actors. We were, however, able to decode the unique config, providing additional insight for
defenders and potential victims of increasingly frequent Nymaim campaigns.

**References**

[1] [https://www.welivesecurity.com/2013/08/26/nymaim-obfuscation-chronicles/](https://www.welivesecurity.com/2013/08/26/nymaim-obfuscation-chronicles/)

[2] [https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0](https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0)

[3] [https://www.welivesecurity.com/2013/10/23/nymaim-browsing-for-trouble/](https://www.welivesecurity.com/2013/10/23/nymaim-browsing-for-trouble/)

[4] [http://www.eset.com/int/about/press/articles/article/nymaim-ransomware-still-active-finding-new-infection-vector-to-spread-black-hat-seo/](http://www.eset.com/int/about/press/articles/article/nymaim-ransomware-still-active-finding-new-infection-vector-to-spread-black-hat-seo/)

[5] [https://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Ransom:Win32/Nymaim.F#tab=2](https://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Ransom:Win32/Nymaim.F#tab=2)

[6] [https://github.com/EmergingThreats/threatresearch/blob/master/Nymaim/config_decompiler.py](https://github.com/EmergingThreats/threatresearch/blob/master/Nymaim/config_decompiler.py)


-----

**d cato s o Co** **p o** **se ( OCs)**

**IOC** **IOC Type** **Description**

76b855f4822c0b26e098d7395723b31ad73c1606aebdb972380ef6c9f0bb4936 SHA256 Nymaim sample (2019)

8cb27fca6cf68888126a82c304083ebd78bba2b9f6fb241d2a177a3a80f12e8a SHA256 Nymaim sample (2019)

0f115ff9d7ecbe2b4872a18c14e97d6071a61435690729c9aa741cecc8982383 SHA256 Nymaim sample (2019)

7541c32d82b17e9d3a993f6721a1b84221dfbee6cbe7f060413a118c48ae64ee SHA256 Nymaim sample (2019)

43c19be78773a14196abb4ecb6436b54729373eacf84da7a9a2c3592ad960cae SHA256 Nymaim sample (2019)

Subscribe to the Proofpoint Blog


-----