{
	"id": "4a2c96a2-cc10-4cf3-9ad2-c7ed85d2f6de",
	"created_at": "2026-04-06T00:10:08.455869Z",
	"updated_at": "2026-04-10T13:11:58.969954Z",
	"deleted_at": null,
	"sha1_hash": "b09e5b182798f44c98ea4251bcbe74136ca610d4",
	"title": "Nymaim config decoded | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 73077,
	"plain_text": "Nymaim config decoded | Proofpoint US\r\nBy Georgi Mladenov, March 12, 2019\r\nPublished: 2019-03-12 · Archived: 2026-04-02 12:33:13 UTC\r\nOverview\r\nFirst documented in 2013 [1], Nymaim was originally identified as both a first-stage downloader and second-stage locking\r\nmalware. It was distributed primarily via the Blackhole exploit kit, and most users found out they were infected because of the\r\nscreen lock that demanded varying ransoms. In 2016, we documented distribution of the Ursnif banking Trojan via email\r\ncampaigns and the presence of webinjects within Nymaim itself [2]. More recently, Nymaim has evolved into an even more\r\nrobust downloader that includes a range of information stealing and system profiling capabilities. This incarnation of\r\nNymaim has appeared in both global campaigns and attacks targeting North America, Germany, Italy, and Poland. In\r\nthis respect, Nymaim is following global malware trends, with a focus on persistent, non-destructive infection to collect\r\ninformation long-term and flexibly download additional malware of the threat actor’s choosing.\r\nDespite its long history and increasing incidence of spreading via email, many aspects of Nymaim are not well understood,\r\nincluding its ownership and availability to groups of threat actors. Moreover, the configuration file format outlined in this\r\nblog and the config’s interaction with a virtual machine running within the malware itself appear to be unique. While\r\nCERT.pl described the configuration encryption algorithms previously [3], recent samples now employ a bytecode language\r\nwith its own logic that is interpreted by the malware, running in a virtual machine managed by Nymaim.\r\n
Technical details of\r\nthe config file and its interaction with the Nymaim interpreter are outlined below.\r\nAnalysis\r\nConfig parsing\r\nAs other researchers have noted for various components of Nymaim [4], the configuration data is stored in an encrypted\r\nand, in some cases, aPLib-compressed format.\r\nThe configuration data consists of a binary structure composed of multiple config components or chunks. Each data\r\ncomponent has a recognizable pattern that is structured in the following format:\r\nstruct CONFIG_LINE {\r\n    DWORD opcode;\r\n    DWORD params_length;\r\n    byte  params[params_length];\r\n}\r\nUpon further analysis, we found that the configuration is compiled bytecode-like data that runs in a custom virtual machine\r\nenvironment inside Nymaim. The config has its own CODE and DATA sections, stack, local variables, registers, conditional\r\ncases, procedures, and API calls.\r\nAdditionally, the config parser includes a built-in integrity check of the params data, such that on initialization the structure\r\noutlined above is expanded in memory to four fields:\r\nstruct CONFIG_LINE_PARSED {\r\n    DWORD opcode;\r\n    DWORD crc;\r\n    DWORD params_length;\r\n    byte  params[params_length];\r\n}\r\nThe integrity check uses a checksum algorithm that is used widely throughout the malware; this is its implementation:\r\nimport struct\r\n\r\ndef crc(data, data_len):\r\n    # sum the little-endian DWORDs of the params, then add the length and a fixed delta\r\n    delta = 0x9AF598DC\r\n    crc = 0\r\n    for i in range(0, data_len // 4):\r\n        crc += struct.unpack_from(\"\u003cL\", data, i * 4)[0]\r\n    crc += data_len\r\n    crc += delta\r\n    return crc \u0026 0xFFFFFFFF\r\nhttps://www.proofpoint.com/us/threat-insight/post/nymaim-config-decoded\r\nPage 1 of 9\r\nThe first entries from the config contain the compile timestamp, version, and -- if present -- the expiration date.\r\n
Although the\r\nvirtual machine skips these entries, they allow us to precisely date each sample from the day it was first distributed to the\r\nday on which the campaign ended.\r\nThe virtual machine parses the rest of the config file line by line from top to bottom, first reading the code section and then\r\nreading the data section at the bottom of the file.\r\nConfig execution\r\nAs part of the virtual machine, the config interpreter can use its own stack and local variables, along with six general-purpose\r\nregisters. Additionally, there is designated space for instruction pointers and flags used by the IF-THEN-GOTO code\r\nand API/procedure results.\r\nThe config interpreter running on the virtual machine can communicate with other parts of the Nymaim code using a\r\nstructure holding initial data, which includes:\r\nIsAdmin flag;\r\nSystem version from an OSVERSIONINFOEXW structure;\r\nSubAuthID;\r\nLocale obtained by GetLocaleInfoA;\r\nPointer to the PEB;\r\nEvent handles;\r\nMany additional flags.\r\nIn the samples we analyzed, the interpreter did not necessarily use all of these parameters.\r\n
However, they are all accessible\r\nfrom the config's code.\r\nThe interpreter itself uses a limited number of basic code logic instructions, including flexible variable and register\r\nassignments, represented in pseudocode below:\r\n// \u0026ADDR:**** is the addressing, line by line, of the config code\r\n// SP_00 to SP_** are represented as stack pointers\r\n// R0 to R5 are general-purpose registers\r\n// Additionally, local variables decompiled as LOC_** can be used\r\n\u0026ADDR:0003   SP_00 = 0xFFFFFFFF; // immediate value to stack pointer assignment\r\n\u0026ADDR:0004   SP_04 = 0x00000000;\r\n\u0026ADDR:0005   SP_08 = 0x00000002;\r\n\u0026ADDR:0006   SP_0C = 0x00000004;\r\n\u0026ADDR:0007   SP_10 = 0x00000008;\r\n\u0026ADDR:0008   SP_14 = 0x0000000C;\r\n\u0026ADDR:0009   SP_18 = 0x00000010;\r\n...\r\n\u0026ADDR:0017   R0 = \u0026CPU; // pointer to the CPU data to register assignment\r\n\u0026ADDR:0018   R1 = 0x0000003C;  // immediate value to register assignment\r\n\u0026ADDR:0019   R2 = 0x00000004;\r\n\u0026ADDR:001A   R3 = \u0026SP_04;  // stack pointer to register assignment\r\n\u0026ADDR:001B   R4 = 0x00000000;\r\n\u0026ADDR:001C   R5 = 0x00000004;\r\nData initialization for the next stage, using labels as delimiters, is shown below:\r\n\u0026ADDR:006D   InitData(start=\u0026ADDR:007A, end=\u0026ADDR:0081);\r\n...\r\n\u0026ADDR:0079   LABEL_79:\r\n...\r\n\u0026ADDR:0082   LABEL_82:\r\nTEST and IF-THEN-GOTO instructions for conditional branching:\r\n\u0026ADDR:0021   TEST \u0026SP_34 == \u0026SP_44;\r\n\u0026ADDR:0022   IF True GOTO LABEL_4B;\r\n...\r\n\u0026ADDR:002D   IF \u0026R0[R1] == \u0026R3[R4] GOTO LABEL_4B;\r\nProcedure calls using an entry point LABEL and a RET instruction:\r\n\u0026ADDR:001F   CALL PROC_69;\r\n...\r\n\u0026ADDR:0069   PROC_69:\r\n...\r\n\u0026ADDR:006E   RET;\r\nAPI-like functions can call into other Nymaim code for more complicated jobs as\r\n
outlined below:\r\nDetermine the presence of an environment string (IsEnvStringSet())\r\nDetermine whether certain processes are running (IsProcessRunning())\r\nTerminate config code execution (Exit())\r\nSignal events created by Nymaim (SignalEvent())\r\nSend debug messages to Nymaim (DebugMessage())\r\nDetect sandboxing and debugging environments (IsDebugged())\r\nUpon further analysis, we were able to decode the checksums for the following processes:\r\nupdatesrv.exe\r\nvsserv.exe\r\npchooklaunch32.exe\r\nbdagent.exe\r\nseccenter.exe\r\naswidsagenta.exe\r\navastui.exe\r\navastsvc.exe\r\nAll of these point to executables associated with antivirus applications, suggesting that IsProcessRunning() is used to detect\r\ninstalled AV utilities.\r\nThe virtual machine uses IsDebugged() for anti-debugging checks, looking for blacklisted items associated with research\r\nenvironments:\r\nMAC addresses associated with the virtual machine platform vendors VMware, Dell, PCS Computer Systems GmbH,\r\nMicrosoft Corporation, Parallels, and XenSource.\r\nLoaded libraries \"dbghelp.dll\" and \"SbieDll.dll\" (parts of Debugging Tools for Windows and Sandboxie).\r\nUser names \"currentuser\" and \"sandbox\", along with computer names including \"sandbox\".\r\nNymaim does not appear to currently use the DebugMessage() function, but it passes the argument to the two occurrences of\r\nthis API call in plaintext:\r\n\"own inside started\" // on stage 1 initialization\r\n\"no known av detected\" // self explanatory\r\nTypical decompiled configuration\r\nWith this information, we were able to decompile Nymaim's config bytecode into a more human-readable pseudocode script.\r\nFor reference, a complete implementation of the decompiler that generates the following output is available here [6].\r\n// VM \u0026CPU @ B2564545\r\n// VM \u0026TIME @ 06C742A3\r\n// VM \u0026FLAG @ 5878305F\r\n\u0026ADDR:0000   // 
compile timestamp: 2018-11-20T16:36:01.263625\r\n\u0026ADDR:0001   // version: 2.1.20.21\r\n\u0026ADDR:0002   // expiration date: 23 November 2018\r\n\u0026ADDR:0003   SP_00 = 0xFFFFFFFF;\r\n\u0026ADDR:0004   SP_04 = 0x00000000;\r\n\u0026ADDR:0005   SP_08 = 0x00000002;\r\n\u0026ADDR:0006   SP_0C = 0x00000004;\r\n\u0026ADDR:0007   SP_10 = 0x00000008;\r\n\u0026ADDR:0008   SP_14 = 0x0000000C;\r\n\u0026ADDR:0009   SP_18 = 0x00000010;\r\n\u0026ADDR:000A   SP_1C = \u0026SP_00;\r\n\u0026ADDR:000B   SP_20 = \u0026SP_04;\r\n\u0026ADDR:000C   SP_24 = \u0026SP_0C;\r\n\u0026ADDR:000D   SP_28 = \u0026SP_10;\r\n\u0026ADDR:000E   SP_2C = \u0026SP_14;\r\n\u0026ADDR:000F   SP_30 = \u0026SP_18;\r\n\u0026ADDR:0010   SP_34 = \u0026FLAG;\r\n\u0026ADDR:0011   SP_38 = 0x00000000;\r\n\u0026ADDR:0012   SP_3C = 0x0DDD766C;\r\n\u0026ADDR:0013   SP_40 = 0x0CD874EC;\r\n\u0026ADDR:0014   SP_44 = \u0026SP_3C;\r\n\u0026ADDR:0015   SP_48 = \u0026SP_40;\r\n\u0026ADDR:0016   InitData(start=\u0026ADDR:0084, end=\u0026ADDR:0091);\r\n\u0026ADDR:0017   R0 = \u0026CPU;\r\n\u0026ADDR:0018   R1 = 0x0000003C;\r\n\u0026ADDR:0019   R2 = 0x00000004;\r\n\u0026ADDR:001A   R3 = \u0026SP_04;\r\n\u0026ADDR:001B   R4 = 0x00000000;\r\n\u0026ADDR:001C   R5 = 0x00000004;\r\n\u0026ADDR:001D   IF \u0026R0[R1] == \u0026R3[R4] GOTO LABEL_5F;\r\n\u0026ADDR:001E   DebugMessage(\"own inside started\"); // not processed in any way\r\n\u0026ADDR:001F   CALL PROC_69;\r\n\u0026ADDR:0020   IsProcessRunning(0x9BC217C0); // Enabled\r\n\u0026ADDR:0021   TEST \u0026SP_34 == \u0026SP_44;\r\n\u0026ADDR:0022   IF True GOTO LABEL_4B;\r\n\u0026ADDR:0023   IsEnvStringSet(0xDD076E3D);\r\n\u0026ADDR:0024   TEST \u0026SP_34 == \u0026SP_44;\r\n\u0026ADDR:0025   IF True GOTO LABEL_4B;\r\n\u0026ADDR:0026   IsDebugged(TODO flags); // 00000000 00000001 0000000F 00000000\r\n\u0026ADDR:0027   R0 = \u0026FLAG;\r\n\u0026ADDR:0028   R1 = 
0x00000010;\r\n\u0026ADDR:0029   R2 = 0x00000004;\r\n\u0026ADDR:002A   R3 = \u0026SP_04;\r\n\u0026ADDR:002B   R4 = 0x00000000;\r\n\u0026ADDR:002C   R5 = 0x00000004;\r\n\u0026ADDR:002D   IF \u0026R0[R1] == \u0026R3[R4] GOTO LABEL_4B;\r\n\u0026ADDR:002E   R0 = \u0026FLAG;\r\n\u0026ADDR:002F   R1 = 0x00000004;\r\n\u0026ADDR:0030   R2 = 0x00000004;\r\n\u0026ADDR:0031   R3 = \u0026SP_04;\r\n\u0026ADDR:0032   R4 = 0x00000000;\r\n\u0026ADDR:0033   R5 = 0x00000004;\r\n\u0026ADDR:0034   IF \u0026R0[R1] == \u0026R3[R4] GOTO LABEL_66;\r\n\u0026ADDR:0035   R0 = \u0026FLAG;\r\n\u0026ADDR:0036   R1 = 0x00000008;\r\n\u0026ADDR:0037   R2 = 0x00000004;\r\n\u0026ADDR:0038   R3 = \u0026SP_04;\r\n\u0026ADDR:0039   R4 = 0x00000000;\r\n\u0026ADDR:003A   R5 = 0x00000004;\r\n\u0026ADDR:003B   IF \u0026R0[R1] == \u0026R3[R4] GOTO LABEL_66;\r\n\u0026ADDR:003C   SP_4C = 0xFFFFFFF7;\r\n\u0026ADDR:003D   R0 = \u0026FLAG;\r\n\u0026ADDR:003E   R1 = 0x0000000C;\r\n\u0026ADDR:003F   R2 = 0x00000004;\r\n\u0026ADDR:0040   R3 = \u0026SP_4C;\r\n\u0026ADDR:0041   R4 = 0x00000000;\r\n\u0026ADDR:0042   R5 = 0x00000004;\r\n\u0026ADDR:0043   LOC_00 = \u0026R0[R1] \u0026 \u0026R3[R4];\r\n\u0026ADDR:0044   R0 = \u0026LOC_00;\r\n\u0026ADDR:0045   R1 = 0x00000000;\r\n\u0026ADDR:0046   R2 = 0x00000004;\r\n\u0026ADDR:0047   R3 = \u0026SP_04;\r\n\u0026ADDR:0048   R4 = 0x00000000;\r\n\u0026ADDR:0049   R5 = 0x00000004;\r\n\u0026ADDR:004A   IF \u0026R0[R1] == \u0026R3[R4] GOTO LABEL_66;\r\n\u0026ADDR:004B   LABEL_4B:\r\n\u0026ADDR:004C   IsProcessRunning(\"updatesrv.exe\", \"vsserv.exe\", \"pchooklaunch32.exe\", \"bdagent.exe\", \"seccenter.exe\"); // Enabled\r\n\u0026ADDR:004D   TEST \u0026SP_34 == \u0026SP_44;\r\n\u0026ADDR:004E   IF True GOTO LABEL_5D;\r\n\u0026ADDR:004F   R0 = 0x00000100;\r\n\u0026ADDR:0050   R1 = 0x00000400;\r\n\u0026ADDR:0051   R2 = 0x00000000;\r\n\u0026ADDR:0052   R3 = 0x00000003;\r\n\u0026ADDR:0053   
// TODO ID:7DD14382 DATA:b'00000000'\r\n\u0026ADDR:0054   TEST \u0026SP_34 == \u0026SP_44;\r\n\u0026ADDR:0055   IF True GOTO LABEL_5D;\r\n\u0026ADDR:0056   R0 = \u0026FLAG;\r\n\u0026ADDR:0057   R1 = 0x00000004;\r\n\u0026ADDR:0058   R2 = 0x00000004;\r\n\u0026ADDR:0059   R3 = \u0026SP_04;\r\n\u0026ADDR:005A   R4 = 0x00000000;\r\n\u0026ADDR:005B   R5 = 0x00000004;\r\n\u0026ADDR:005C   IF \u0026R0[R1] == \u0026R3[R4] GOTO LABEL_63;\r\n\u0026ADDR:005D   LABEL_5D:\r\n\u0026ADDR:005E   GOTO LABEL_61;\r\n\u0026ADDR:005F   LABEL_5F:\r\n\u0026ADDR:0060   CALL PROC_69;\r\n\u0026ADDR:0061   LABEL_61:\r\n\u0026ADDR:0062   Exit(0); // Exit process\r\n\u0026ADDR:0063   LABEL_63:\r\n\u0026ADDR:0064   SignalEvent(); // pre-process termination\r\n\u0026ADDR:0065   Exit(0); // Exit process\r\n\u0026ADDR:0066   LABEL_66:\r\n\u0026ADDR:0067   SignalEvent(); // pre-process termination\r\n\u0026ADDR:0068   Exit(0); // Exit process\r\n\u0026ADDR:0069   PROC_69:\r\n\u0026ADDR:006A   IsProcessRunning(\"aswidsagenta.exe\", \"avastui.exe\", \"avastsvc.exe\"); // Enabled\r\n\u0026ADDR:006B   TEST \u0026SP_34 == \u0026SP_44;\r\n\u0026ADDR:006C   IF True GOTO LABEL_6F;\r\n\u0026ADDR:006D   InitData(start=\u0026ADDR:007A, end=\u0026ADDR:0081);\r\n\u0026ADDR:006E   RET;\r\n\u0026ADDR:006F   LABEL_6F:\r\n\u0026ADDR:0070   DebugMessage(\"no known av detected\"); // not processed in any way\r\n\u0026ADDR:0071   InitData(start=\u0026ADDR:007A, end=\u0026ADDR:0081);\r\n\u0026ADDR:0072   RET;\r\n\u0026ADDR:0073   LABEL_73:\r\n\u0026ADDR:0074   DATA_DFE8715B = [0x00001F40, 0x00000001, 0x00000004, 0x00000001, 0x00001770, 0x00002000,\r\n0x00000000, 0x000000C8, 0x00000064];\r\n\u0026ADDR:0075   DATA_97AC42CB = [0x00000000];\r\n\u0026ADDR:0076   DATA_PAYLOAD_TARGET_ENUMERATOR = [0x00000000, 
0x00000000,\r\n\"*'%ProgramFiles(x86)%;#!#*.exe';@'#!#*avast#*;#!#*defender#*;#!#*uninstall#*;#!#*instal#*;#!#*setup#*;#!#*config#*;#!#*iexplore.exe;#!#*chrome\r\n%!rndl_0_0_2_1_3%';$'#*';!'0;0;-\r\n%!rndl_0_0_2_1_3%';*'%ProgramW6432%;#!#*.exe';@'#!#*avast#*;#!#*defender#*;#!#*uninstall#*;#!#*install#*;#!#*setup#*;#!#*config#*';$'#!#*wi\r\n%!rndl_0_0_2_1_3%';$'#*';!'0;0;-%!rndl_0_0_2_1_3%'\"];\r\n\u0026ADDR:0077   DATA_D3955141 = [0x00000001, 0x00000000, \"%!system32W6432%\\rundll32.exe; -\r\n%!rndl_0_0_2_1_3% %!rndl_0_0_2_3_8%.dll\"];\r\n\u0026ADDR:0078   LABEL_78:\r\n\u0026ADDR:0079   LABEL_79:\r\n\u0026ADDR:007A   DATA_DFE8715B = [0x00001F40, 0x00000001, 0x00000004, 0x00000001, 0x00001770, 0x00002000,\r\n0x00000000, 0x000000C8, 0x00000064];\r\n\u0026ADDR:007B   DATA_97AC42CB = [0x00000001];\r\n\u0026ADDR:007C   DATA_BB98FAB8 = [0x00000400];\r\n\u0026ADDR:007D   DATA_3FEF1B94 = [0x00000004];\r\n\u0026ADDR:007E   DATA_PAYLOAD_DROPPATH = \"%SystemRoot%#*\";\r\n\u0026ADDR:007F   DATA_PAYLOAD_DROPFILE = \"#!#*flashutil32#*;#!#*flashplayerpl#*;#!#*windowslivemail#*\";\r\n\u0026ADDR:0080   DATA_PROCLIST_EXCLUDE_EXT = [\"iexplore.exe\", \"firefox.exe\", \"chrome.exe\", \"winword.exe\",\r\n\"outlook.exe\", \"excel.exe\", \"powerpnt.exe\", \"iexplore.exe\", \"firefox.exe\", \"chrome.exe\", \"winword.exe\", \"outlook.exe\",\r\n\"excel.exe\", \"powerpnt.exe\", \"acrord32.exe\", \"java.exe\", \"javaw.exe\", \"regsvr32.exe\", \"wscript.exe\", \"cscript.exe\",\r\n\"powershell.exe\", \"mshta.exe\", \"certutil.exe\", \"sqlservr.exe\", \"opera.exe\", \"msaccess.exe\", \"sysprep.exe\", \"setupsqm.exe\",\r\n\"cliconfg.exe\", \"winsat.exe\", \"mmc.exe\", \"oobe.exe\", \"inetmgr.exe\", \"taskhost.exe\", \"inetmgr.exe\", \"dism.exe\",\r\n\"dismhost.exe\", \"taskeng.exe\", \"cmd.exe\", \"wscript.exe\", \"cscript.exe\", \"java.exe\", \"powershell.exe\", \"mshta.exe\",\r\n\"winlogon.exe\", \"services.exe\", \"svchost.exe\", \"spoolsv.exe\", \"explorer.exe\", \"explorer.exe\", 
\"cmd.exe\", \"rundll32.exe\",\r\n\"msiexec.exe\", \"mspaint.exe\", \"notepad.exe\", \"calc.exe\", \"taskhost.exe\", \"dwm.exe\", \"taskmgr.exe\", \"msnmsgr.exe\",\r\n0xF6FE5321, \"dllhost.exe\", \"runouce.exe\", \"vds.exe\", \"mstsc.exe\", \"mysqld.exe\", \"onenotem.exe\", \"dropbox.exe\",\r\n\"conhost.exe\", \"jusched.exe\", \"sihost.exe\", \"splwow64.exe\", \"msdt.exe\", \"onedrive.exe\", \"skype.exe\", \"solitaire.exe\",\r\n\"steam.exe\"];\r\n\u0026ADDR:0081   DATA_PAYLOAD_TARGET_ENUMERATOR = [0x00000000, 0x00000000,\r\n\"*'%ProgramFiles(x86)%;#!#*.exe';@'#!#*avast#*;#!#*defender#*;#!#*uninstall#*;#!#*instal#*;#!#*setup#*;#!#*config#*;#!#*iexplore.exe;#!#*chrome\r\n%!rndl_0_0_2_1_3%';$'#*';!'0;0;-\r\n%!rndl_0_0_2_1_3%';*'%ProgramW6432%;#!#*.exe';@'#!#*avast#*;#!#*defender#*;#!#*uninstall#*;#!#*install#*;#!#*setup#*;#!#*config#*';$'#!#*wi\r\n%!rndl_0_0_2_1_3%';$'#*';!'0;0;-%!rndl_0_0_2_1_3%'\"];\r\n\u0026ADDR:0082   LABEL_82:\r\n\u0026ADDR:0083   LABEL_83:\r\n\u0026ADDR:0084   DATA_8568A01D = [0x00000001, 0x00000001];\r\n\u0026ADDR:0085   DATA_14A8D56E = [0x00, 0x02, 0x00, 0x00, 0xD4, 0x30, 0x37, 0xBF, 0x80, 0x4B, 0x8F, 0xE0, 0xE5,\r\n0xCC, 0x27, 0xE7, 0x23, 0xCF, 0x53, 0x37, 0xB1, 0x46, 0xD8, 0x03, 0xCA, 0xEE, 0x29, 0x4B, 0x66, 0x8A, 0x9A, 0xCA,\r\n0x51, 0xA8, 0x95, 0x81, 0x28, 0x93, 0x01, 0xF9, 0x60, 0x7D, 0x9A, 0x6C, 0xB2, 0x93, 0x15, 0x2B, 0x44, 0xC0, 0x6F,\r\n0x6F, 0xB7, 0x1A, 0xC8, 0x12, 0x52, 0x1A, 0xC7, 0x28, 0x0A, 0x46, 0x0D, 0x2E, 0x84, 0x50, 0x9B, 0xFD, 0x00, 0x00,\r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,\r\n0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,\r\n0x00, 0x01];\r\n\u0026ADDR:0086   DATA_56B437D3 = [\"system\", \"lsass.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", 
\"services.exe\",\r\n\"lsm.exe\", \"audiodg.exe\", \"svchost.exe\", \"winlogon.exe\", \"spoolsv.exe\", \"searchindexer.exe\", \"msdtc.exe\",\r\n\"searchprotocolhost.exe\", \"dllhost.exe\"];\r\n\u0026ADDR:0087   DATA_DBED7DFB = [\"system\", \"lsass.exe\", \"smss.exe\", \"csrss.exe\", \"wininit.exe\", \"services.exe\",\r\n\"lsm.exe\", \"audiodg.exe\", \"svchost.exe\", \"winlogon.exe\", \"spoolsv.exe\", \"searchindexer.exe\", \"msdtc.exe\", \"explorer.exe\",\r\n\"dwm.exe\"];\r\n\u0026ADDR:0088   DATA_PROCLIST_EXCLUDE = [\"wininit.exe\", \"csrss.exe\", \"smss.exe\", \"avp.exe\", \"avpui.exe\",\r\n\"avgnt.exe\", \"avguard.exe\", \"sched.exe\", \"aswidsagenta.exe\", \"avastsvc.exe\", \"avastui.exe\", \"ccsvchst.exe\", \"avgcsrvx.exe\",\r\n\"avgnsx.exe\", \"avgrsx.exe\", \"avgtray.exe\", 0x6EEA1E2D, \"avgwdsvc.exe\", \"ekrn.exe\", \"egui.exe\", \"msmpeng.exe\",\r\n\"msseces.exe\", \"mpcmdrun.exe\", \"psimsvc.exe\", \"apvxdwin.exe\", \"avengine.exe\", \"pavfnsvr.exe\", \"pavprsrv.exe\",\r\n\"pavsrvx86.exe\", \"psctrls.exe\", \"psksvc.exe\", \"fpavserver.exe\", 0xBAA21E23, \"fpwin.exe\", \"cmdagent.exe\", \"cfp.exe\",\r\n\"gdscan.exe\", \"gdsc.exe\", \"avktray.exe\", \"avkservice.exe\", \"avkproxy.exe\", \"pctsgui.exe\", \"pctssvc.exe\", \"pctsauxs.exe\",\r\n\"update.exe\", \"updatesrv.exe\", \"vsserv.exe\", \"pchooklaunch32.exe\", \"bdagent.exe\", \"seccenter.exe\", \"mrt.exe\",\r\n\"mcupdate.exe\", \"mcagent.exe\", \"mcmscsvc.exe\", \"mcnasvc.exe\", \"mcproxy.exe\", \"mcsacore.exe\", \"mcshell.exe\",\r\n\"mcshield.exe\", \"mcsysmon.exe\", \"mpfsrv.exe\", \"msksrver.exe\", \"udaterui.exe\", \"engineserver.exe\",\r\n\"frameworkservice.exe\", \"engineserver.exe\", \"frameworkservice.exe\", \"mctray.exe\", \"naprdmgr.exe\", \"shstat.exe\",\r\n\"vstskmgr.exe\", \"almon.exe\", \"alsvc.exe\", \"savadminservice.exe\", 0x12FCC4EB, \"savservice.exe\", \"swi_service.exe\",\r\n0xBC6D3196, 
\"protoolbarupdate.exe\", \"sfctlcom.exe\", \"tmbmsrv.exe\", \"tmpfw.exe\", \"tmproxy.exe\",\r\n\"tscfplatformcomsvr.exe\", 0xAEF84E17, \"ufseagnt.exe\", 0x3DC44746, 0x13F2ED0D, 0x4B4EA20C, \"umxagent.exe\",\r\n\"umxcfg.exe\", \"umxpol.exe\", \"caav.exe\", \"casc.exe\", \"cavrid.exe\", \"ccprovsp.exe\", \"vetmsg.exe\", \"vmwaretray.exe\",\r\n\"vmwareuser.exe\", 0xBD157242, \"vmtoolsd.exe\", \"wrsa.exe\"];\r\n\u0026ADDR:0089   DATA_5DD00BF4 = [\"winlogon.exe\"];\r\n\u0026ADDR:008A   DATA_87045172 = [\"explorer.exe\", \"dwm.exe\", \"taskhost.exe\", \"conhost.exe\"];\r\n\u0026ADDR:008B   DATA_0B7EEE53 = [0x00000000];\r\n\u0026ADDR:008C   DATA_FFF28C72 = \"zepter.com;carfax.com;\";\r\n\u0026ADDR:008D   DATA_GOOGLE_DNS = [0x00000003, timeout_write=8000, timeout_read=8000, 0x00000001,\r\n0x00000002, \"8.8.8.8:53;8.8.4.4:53\"];\r\n\u0026ADDR:008E   DATA_992CC894 = [0x00000000, 0x00000001, 0x00000001, 0x00000002, 0x00000001, 0x00000001,\r\n0x00000000, 0x00000000, 0x00000000, 0x00000000, \"gx3Gd93kdXdjd]dGdg573\"];\r\n\u0026ADDR:008F   DATA_8DB1E244 = [0x00000001, 0x18482642, 0x78643587, 0x87568289, 0x00000010];\r\n\u0026ADDR:0090   DATA_C9393B40 = \"~[duewosgems.com];fiosbewos.com;\";\r\n\u0026ADDR:0091   DATA_F50DF89A = [0x00000019, 0x000493E0, 0x00000001, 0x00000001, \"~\r\n[duewosgems.com]/pkbn74is/index.php;fiosbewos.com/pkbn74is/index.php;\"];\r\n\u0026ADDR:0092   LABEL_92:\r\n\u0026ADDR:0093   END;\r\nConclusion\r\nNymaim is one of a number of downloaders appearing regularly in the wild, reflecting the trend of installing persistent\r\nmalware on victim devices. Although Nymaim has a long history as a downloader and earlier incarnations as ransomware\r\nand a desktop locker, little is known about its ownership or availability to other threat actors. 
We were, however, able to\r\ndecode the unique config, providing additional insight for defenders and potential victims of increasingly frequent Nymaim\r\ncampaigns.\r\nReferences\r\n[1] https://www.welivesecurity.com/2013/08/26/nymaim-obfuscation-chronicles/\r\n[2] https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0\r\n[3] https://www.welivesecurity.com/2013/10/23/nymaim-browsing-for-trouble/\r\n[4] http://www.eset.com/int/about/press/articles/article/nymaim-ransomware-still-active-finding-new-infection-vector-to-spread-black-hat-seo/\r\n[5] https://www.microsoft.com/security/portal/threat/Encyclopedia/Entry.aspx?Name=Ransom:Win32/Nymaim.F#tab=2\r\n[6] https://github.com/EmergingThreats/threatresearch/blob/master/Nymaim/config_decompiler.py\r\nIndicators of Compromise (IOCs)\r\nIOC IOC Type Description\r\n76b855f4822c0b26e098d7395723b31ad73c1606aebdb972380ef6c9f0bb4936 SHA256 Nymaim sample (2019)\r\n8cb27fca6cf68888126a82c304083ebd78bba2b9f6fb241d2a177a3a80f12e8a SHA256 Nymaim sample (2019)\r\n0f115ff9d7ecbe2b4872a18c14e97d6071a61435690729c9aa741cecc8982383 SHA256 Nymaim sample (2019)\r\n7541c32d82b17e9d3a993f6721a1b84221dfbee6cbe7f060413a118c48ae64ee SHA256 Nymaim sample (2019)\r\n43c19be78773a14196abb4ecb6436b54729373eacf84da7a9a2c3592ad960cae SHA256 Nymaim sample (2019)\r\nSource: https://www.proofpoint.com/us/threat-insight/post/nymaim-config-decoded",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.proofpoint.com/us/threat-insight/post/nymaim-config-decoded"
	],
	"report_names": [
		"nymaim-config-decoded"
	],
	"threat_actors": [],
	"ts_created_at": 1775434208,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b09e5b182798f44c98ea4251bcbe74136ca610d4.pdf",
		"text": "https://archive.orkl.eu/b09e5b182798f44c98ea4251bcbe74136ca610d4.txt",
		"img": "https://archive.orkl.eu/b09e5b182798f44c98ea4251bcbe74136ca610d4.jpg"
	}
}