{
	"id": "b66a3545-9526-4720-bffe-9eb8bddc2005",
	"created_at": "2026-04-06T00:10:57.288735Z",
	"updated_at": "2026-04-10T03:20:27.886893Z",
	"deleted_at": null,
	"sha1_hash": "a49aa6e5e27e85e61c2421c3d22ad6f3d11780d4",
	"title": "Jimmy Nukebot: from Neutrino with love",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 685462,
	"plain_text": "Jimmy Nukebot: from Neutrino with love\r\nBy Sergey Yunakovsky\r\nPublished: 2017-08-29 · Archived: 2026-04-05 14:10:40 UTC\r\n“You FOOL! This isn’t even my final form!”\r\nIn one of our previous articles, we analyzed the NeutrinoPOS banker as an example of a constantly evolving\r\nmalware family. A week after publication, this Neutrino modification delivered up a new malicious program\r\nclassified by Kaspersky Lab as Trojan-Banker.Win32.Jimmy.\r\nNeutrinoPOS vs Jimmy\r\nThe authors seriously rewrote the Trojan – the main body was restructured, the functions were moved to the\r\nmodules. One small difference that immediately stands out is in the calculation of checksums from the names of\r\nAPI functions/libraries and strings. In the first case, the checksums are used to find the necessary API calls; in the\r\nsecond case, for a comparison of strings (commands, process names). This approach makes static analysis much\r\nmore complicated: for example, to identify which detected process halts the Trojan operation, it’s necessary to\r\ncalculate the checksums from a huge list of strings, or to bruteforce the symbols in a certain length range.\r\nNeutrinoPOS uses two different algorithms to calculate checksums for the names of API calls, libraries and for the\r\nstrings. They look like this:\r\nRestored NeutrinoPOS code to calculate checksums for arbitrary strings and for API calls\r\nIn Jimmy, only one algorithm is used for these purposes – a slight modification of CalcCS from NeutrinoPOS. The\r\nfinal XOR with the fixed two-byte value was added to the pseudo-random generator.\r\nhttps://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/\r\nPage 1 of 10\n\nCalculation of checksums in Jimmy\r\nThe Trojan has completely lost the functionality for stealing bank card data from the memory of an infected\r\ndevice; now, its task is limited solely to receiving modules from a remote node and installing them into the\r\nsystem. 
The scan of the infected host has been extended: in addition to the checks inherited from Neutrino, the\r\nTrojan also examines its own name – it should not be a checksum in the MD5, SHA-1, SHA-256 format. Or,\r\nalternatively, it should contain the ‘.’ symbol, indicating a subsequent extension (for example, ‘exe’). Plus, by\r\nusing the assembly command cpuid, the Trojan gets information about the processor and compares it with the list\r\nof checksums “embedded” into it.\r\nAdditional Jimmy checks\r\nThe communication protocol with the C\u0026C server also remains unchanged: the same exchange of “enter”,\r\n“success” in base64 commands is used, but now the answer is encrypted with RC4 beforehand and the key\r\nhardcoded in the body of the Trojan (a8A5QfZk3r7FHy9o6C2WpBc44TiXg93Y for the sample in question). The\r\ncode for extracting the encryption key is here.\r\nAnalysis of modules\r\nAs mentioned above, the main body of the Trojan only receives modules – these contain the payload. We managed\r\nto get hold of new modules for web-injects, mining and a large number of updates for the main module in various\r\ndroppers.\r\nThe miner is designed to extract the Monero currency (XMR). In the module code there is an identifier associated\r\nwith a wallet for which the crypto currency is extracted, as well as the address of the pool. Monero is very popular\r\nwith virus writers – it’s mined by SambaCry, which we described in June and Trojan.Win32.DiscordiaMiner that\r\nappeared shortly afterwards. 
By the way, the source code of the latter was made publicly available by the author.\r\nThe reason for doing so was the same that prompted the author of NukeBot to do likewise: an attempt to stifle\r\ndisagreements in forums and to avoid accusations of fraud (the repository with the code is currently unavailable).\r\nThanks to the identifier/pool pair, we got statistics on all the nodes working for this wallet. The start date of\r\nmining – 4 July – coincides with the compilation of the main body of the first discovered sample and is extremely\r\nclose to the date of compilation of the dropper (06 July 13:14:55 2017 UTC), the main body (02 July 14:19:03\r\n2017 UTC) and the modules for web injects (July 02, 14:18:39 2017 UTC). So it’s safe to say that Jimmy began to\r\nproliferate in early July.\r\nIt’s worth noting that the amount of money in the wallet is small – only ~ 0.55 XMR, which as of 21 August is\r\nonly $45. Judging by the general decline and absence of payments, the authors quickly abandoned the use of\r\nminers or changed their wallet.\r\nThe web-inject modules are so called for their primary intended use, although they are also able to perform\r\nfunctions similar to those in NeutrinoPOS, i.e., take screenshots, set up proxy servers, etc. These modules are\r\ndistributed in the form of libraries and their functions vary depending on the name of the process in which they are\r\nlocated. As you can see from the screenshot below, in three cases out of five the ChromeHook procedure is called\r\nfor browsers. This is not surprising, considering the large number of Chrome-based browsers. 
Unfortunately, it was possible to restore the name from the checksum for only one of them – chrome.exe (0xFC0C7619).\r\nChecksums are calculated using the algorithm described in the previous section.\r\nRestored code of the main procedure in the module of Jimmy web injects\r\nLike NeutrinoPOS, Jimmy stores a number of parameters in the registry. In the sample in question, the data is in\r\nthe HKEY_CURRENT_USER\\Software\\c2Fsb21vbkBleHBsb2l0Lmlt branch. For example, this is where the\r\nweb-inject module receives the address of the currently used DNS server from – this is critical when using\r\nNamecoin-like addresses as a C\u0026C server.\r\nFor Firefox and Internet Explorer, the function hook is performed by the straightforward substitution of the called\r\nfunction addresses in the loaded libraries (e.g. InternetConnectW / PR_Read). With Chrome, things are a bit more\r\ncomplicated – the necessary libraries are linked statically. But the subsequent substitution of data using web\r\ninjects coincides.\r\nRestored web-inject processing code\r\nSo far we have only managed to get a test sample of the web injects (in the screenshot below); in the future the\r\nTrojan will most likely acquire ‘combat’ versions. Here you can find examples of web injects and the keys used.\r\nTo recap, decryption entails decoding the string using base64 and then decrypting with RC4.\r\nRequest from Jimmy for web injects\r\nExample of the Jimmy test web injects\r\nIn the pictures below several procedures in the source code of NukeBot and the restored code of Jimmy are\r\ncompared. 
It can clearly be seen that they completely coincide.\r\nConclusion\r\nIn isolation from the previous modifications, the newly created Jimmy would not be of much interest to\r\nresearchers. However, in this context, it is an excellent example of what can be done with the source code of a\r\nquality Trojan, namely, flexibly adapt to the goals and tasks set before a botnet to take advantage of a new source.\r\nMD5\r\nSource: https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/"
	],
	"report_names": [
		"81667"
	],
	"threat_actors": [],
	"ts_created_at": 1775434257,
	"ts_updated_at": 1775791227,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a49aa6e5e27e85e61c2421c3d22ad6f3d11780d4.pdf",
		"text": "https://archive.orkl.eu/a49aa6e5e27e85e61c2421c3d22ad6f3d11780d4.txt",
		"img": "https://archive.orkl.eu/a49aa6e5e27e85e61c2421c3d22ad6f3d11780d4.jpg"
	}
}