{"id":25597,"date":"2022-02-04T12:44:00","date_gmt":"2022-02-04T11:44:00","guid":{"rendered":"https:\/\/www.secuinfra.com\/?p=25597"},"modified":"2022-05-17T12:10:08","modified_gmt":"2022-05-17T10:10:08","slug":"n-w0rm-analysis-part-2","status":"publish","type":"post","link":"https:\/\/testing.secuinfra.com\/en\/techtalk\/n-w0rm-analysis-part-2\/","title":{"rendered":"N-W0rm analysis (Part 2)"},"content":{"rendered":"<p>Before we analyze this RAT in-depth, we will show an overview of its behavior as a diagram. 
This helps to understand its inner workings from a higher-level view:<\/p>\n<p><img fetchpriority=\"high\" decoding=\"async\" class=\"aligncenter wp-image-25598 size-full\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/nw0rm_pt2_1.png\" alt=\"\" width=\"1300\" height=\"2564\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_1.png 1300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_1-152x300.png 152w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_1-519x1024.png 519w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_1-768x1515.png 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_1-779x1536.png 779w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_1-1038x2048.png 1038w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_1-12x24.png 12w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_1-18x36.png 18w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_1-24x48.png 24w\" sizes=\"(max-width: 1300px) 100vw, 1300px\" \/><\/p>\n<p>To analyze this sample, we will open it with dnSpy to decompile and possibly debug it.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Entry_Point\"><\/span><strong>Entry Point<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>We will first begin at the entry point of this RAT and analyze its executed code before we jump into all possible modules this RAT possesses. 
To jump to the entry point we can right-click on the class menu on the left and select <strong>Go to Entry Point<\/strong>:<\/p>\n<figure id=\"attachment_25599\" aria-describedby=\"caption-attachment-25599\" style=\"width: 713px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\"wp-image-25599 size-full\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/nw0rm_pt2_2.png\" alt=\"\" width=\"713\" height=\"550\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_2.png 713w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_2-300x231.png 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_2-24x19.png 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_2-36x28.png 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_2-48x37.png 48w\" sizes=\"(max-width: 713px) 100vw, 713px\" \/><figcaption id=\"caption-attachment-25599\" class=\"wp-caption-text\">Figure 1: How to get to the Entry Point<\/figcaption><\/figure>\n<p>Doing so leads us to the first function called, <strong>uLnqUtvIwAOVXLU<\/strong>. To make things more understandable, we have pasted it below. It starts by sleeping for 2 seconds before calling <strong>hlIinikmNYFRC.gwgzcfkYmyQKIgW()<\/strong>. If this function returns <strong>False<\/strong>, the RAT exits, which means that this function probably performs some environment checks. 
Let\u2019s start by examining what the RAT is checking.<\/p>\n<figure id=\"attachment_25600\" aria-describedby=\"caption-attachment-25600\" style=\"width: 721px\" class=\"wp-caption aligncenter\"><img decoding=\"async\" class=\"wp-image-25600 size-full\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/nw0rm_pt2_3.jpeg\" alt=\"\" width=\"721\" height=\"393\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_3.jpeg 721w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_3-300x164.jpeg 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_3-24x13.jpeg 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_3-36x20.jpeg 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_3-48x26.jpeg 48w\" sizes=\"(max-width: 721px) 100vw, 721px\" \/><figcaption id=\"caption-attachment-25600\" class=\"wp-caption-text\">Figure 2: Entry Point<\/figcaption><\/figure>\n<h3><strong>hlIinikmNYFRC.gwgzcfkYmyQKIgW()<\/strong><\/h3>\n<p>The content of the function can be seen below. The RAT is trying to create a new Mutex. The name of the Mutex can be found in the variable <strong>hlIinikmNYFRC.HREdkIUrRAzFBOcfZ<\/strong> and is <strong>2e3fb6d0<\/strong>. 
This makes a great IOC.<\/p>\n<figure id=\"attachment_25601\" aria-describedby=\"caption-attachment-25601\" style=\"width: 922px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-25601 size-full\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/nw0rm_pt2_4.jpeg\" alt=\"\" width=\"922\" height=\"141\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_4.jpeg 922w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_4-300x46.jpeg 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_4-768x117.jpeg 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_4-24x4.jpeg 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_4-36x6.jpeg 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_4-48x7.jpeg 48w\" sizes=\"(max-width: 922px) 100vw, 922px\" \/><figcaption id=\"caption-attachment-25601\" class=\"wp-caption-text\">Figure 3: Mutex Creation<\/figcaption><\/figure>\n<p>If the Mutex already exists, the result is False; if the Mutex is created successfully, the result is True. In conclusion, the entry point checks whether the Mutex already exists, i.e. whether the system is already infected with this RAT.<\/p>\n<h3><strong>hlIinikmNYFRC.ATCCkfeyJnyt()<\/strong><\/h3>\n<p>If the Mutex check is passed, the RAT calls <strong>hlIinikmNYFRC.ATCCkfeyJnyt()<\/strong> and passes an enum. This is just a wrapper around <strong>SetThreadExecutionState<\/strong>. 
According to the <a  href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/win32\/api\/winbase\/nf-winbase-setthreadexecutionstate\"  dpc-external=\"true\"  target=\"_blank\"  rel=\"nofollow\" >Microsoft docs<\/a>, this function does the following:<\/p>\n<p><em>\u201cEnables an application to inform the system that it is in use, thereby preventing the system from entering sleep or turning off the display while the application is running.\u201d<\/em><\/p>\n<p>Lastly, the entry point starts a new thread and passes control to <strong>hlIinikmNYFRC.fqLxpecOTiCgE<\/strong>.<\/p>\n<h3><strong>hlIinikmNYFRC.fqLxpecOTiCgE<\/strong><\/h3>\n<p>This function starts with an infinite loop and is basically responsible for receiving the commands and interpreting them. If the connection is not set up or has been disconnected, it is reset. Here we also learn the C2 address used by this RAT:<\/p>\n<ul>\n<li>nyanmoney02[.]duckdns.org<\/li>\n<\/ul>\n<p>At this point, there is an interesting observation. If the connection to the C2 fails, a secondary C2 address is used. However, this fallback address is the same as the primary one. So, either the author of the malware forgot to change the fallback address or this version of the RAT is just some alpha\/beta version.<\/p>\n<p>We will not analyze the socket handling in-depth here but instead take a further look at all the information the RAT sends to its operator and the function that handles the received commands.<\/p>\n<h2><span class=\"ez-toc-section\" id=\"Information_Gathering\"><\/span><strong>Information Gathering<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>If the RAT is creating a new connection or reconnecting, it sends some general information about the host to its C2. 
We will not go through each function line by line but rather summarize what information is collected and sent back:<\/p>\n<ul>\n<li>User Domain Name<\/li>\n<li>Username<\/li>\n<li>Processor count<\/li>\n<li>OS full name<\/li>\n<li>Is user admin?<\/li>\n<li>Version of the RAT (the analyzed RAT has the version v0.3.8)<\/li>\n<li>List of installed antivirus products using a WMI query<\/li>\n<li>Last write time of RAT on disk<\/li>\n<li>Path of the RAT on disk<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"Modules\"><\/span><strong>Modules<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Before we explain all available modules, we will first look at the preprocessing of the received data.<\/p>\n<figure id=\"attachment_25602\" aria-describedby=\"caption-attachment-25602\" style=\"width: 763px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-25602 size-full\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/nw0rm_pt2_5.jpeg\" alt=\"\" width=\"763\" height=\"120\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_5.jpeg 763w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_5-300x47.jpeg 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_5-24x4.jpeg 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_5-36x6.jpeg 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_5-48x8.jpeg 48w\" sizes=\"(max-width: 763px) 100vw, 763px\" \/><figcaption id=\"caption-attachment-25602\" class=\"wp-caption-text\">Figure 4: Preprocessing of received Data<\/figcaption><\/figure>\n<p>Before any module is executed, a further function is called, and the input is split. The function <strong>GYZswDqNcBskynCV()<\/strong> is responsible for sending the string \u201creceived\u201d to the C2 and then sleeping for 1 second. Next, the input is split by the hardcoded delimiter <strong>\u201c|NW|\u201d<\/strong>. 
The first value in this list is the key, or rather the module, that should be run. All further data is used as parameters for the chosen module. We will now explain all modules in-depth.<\/p>\n<p><strong>runFile<\/strong><\/p>\n<figure id=\"attachment_25603\" aria-describedby=\"caption-attachment-25603\" style=\"width: 922px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-25603 size-full\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/nw0rm_pt2_6.jpeg\" alt=\"\" width=\"922\" height=\"666\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_6.jpeg 922w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_6-300x217.jpeg 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_6-768x555.jpeg 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_6-24x17.jpeg 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_6-36x26.jpeg 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_6-48x35.jpeg 48w\" sizes=\"(max-width: 922px) 100vw, 922px\" \/><figcaption id=\"caption-attachment-25603\" class=\"wp-caption-text\">Figure 5: Module runFile<\/figcaption><\/figure>\n<p>This module is further divided into multiple options. The RAT can execute binaries directly in memory or first write the data to disk and execute it from there. If the passed file is a PowerShell script, the typical arguments are used. Lastly, if <em>array[3]<\/em> is true, the RAT deletes itself.<\/p>\n<p><strong>runUrl<\/strong><\/p>\n<p>This module is pretty similar to the previous one, except that the operator passes a URL, and the RAT downloads the file itself and executes it.<\/p>\n<p><strong>plugin<\/strong><\/p>\n<p>Here the operator can load further plugins into this .NET binary and hence extend its functionality.<\/p>\n<p><strong>close<\/strong><\/p>\n<p>This module does what the name suggests. 
It closes the Mutex and the TcpClient and then exits.<\/p>\n<p><strong>restart<\/strong><\/p>\n<p>Calling this module also first closes the Mutex and TcpClient and then creates a batch file in the %temp% directory.<\/p>\n<figure id=\"attachment_25604\" aria-describedby=\"caption-attachment-25604\" style=\"width: 242px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-25604 size-full\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/nw0rm_pt2_7.jpeg\" alt=\"\" width=\"242\" height=\"99\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_7.jpeg 242w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_7-24x10.jpeg 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_7-36x15.jpeg 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_7-48x20.jpeg 48w\" sizes=\"(max-width: 242px) 100vw, 242px\" \/><figcaption id=\"caption-attachment-25604\" class=\"wp-caption-text\">Figure 6: Temp Batch Script<\/figcaption><\/figure>\n<p>After the batch file has been started, the program kills itself.<\/p>\n<p><strong>del<\/strong><\/p>\n<p>This module deletes the RAT and closes the Mutex and TcpClient.<\/p>\n<p><strong>ps1<\/strong><\/p>\n<p>Executes the provided ps1 file.<\/p>\n<p><strong>url<\/strong><\/p>\n<p>Here the content of a passed URL is downloaded. 
However, it appears nothing happens if the request was successful.<\/p>\n<figure id=\"attachment_25605\" aria-describedby=\"caption-attachment-25605\" style=\"width: 1422px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-25605 size-full\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/nw0rm_pt2_8.jpeg\" alt=\"\" width=\"1422\" height=\"330\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_8.jpeg 1422w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_8-300x70.jpeg 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_8-1024x238.jpeg 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_8-768x178.jpeg 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_8-24x6.jpeg 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_8-36x8.jpeg 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_8-48x11.jpeg 48w\" sizes=\"(max-width: 1422px) 100vw, 1422px\" \/><figcaption id=\"caption-attachment-25605\" class=\"wp-caption-text\">Figure 7: Module url (decompiled with DnSpy)<\/figcaption><\/figure>\n<p>To verify that this is not just some bugged decompilation, I checked my results with ILSpy. The result is more or less the same. 
Either this method is not finished or it is just used to verify that there is a connection (maybe for sandbox testing?).<\/p>\n<figure id=\"attachment_25606\" aria-describedby=\"caption-attachment-25606\" style=\"width: 1422px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-25606 size-full\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/nw0rm_pt2_9.jpeg\" alt=\"\" width=\"1422\" height=\"309\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_9.jpeg 1422w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_9-300x65.jpeg 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_9-1024x223.jpeg 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_9-768x167.jpeg 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_9-24x5.jpeg 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_9-36x8.jpeg 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_9-48x10.jpeg 48w\" sizes=\"(max-width: 1422px) 100vw, 1422px\" \/><figcaption id=\"caption-attachment-25606\" class=\"wp-caption-text\">Figure 8: Module url (decompiled with ILSpy)<\/figcaption><\/figure>\n<p><strong>killer<\/strong><\/p>\n<p>This function does what its name says: it kills a lot of stuff.<\/p>\n<p>First, it iterates over all processes and applies some checks to the name of the process. If the FileName attribute of the process satisfies one of the checks below and the window of the process is not visible, the next block is entered:<\/p>\n<ul>\n<li>the path contains \u201cwscript.exe\u201d<\/li>\n<li>the path contains the User Profile Path (i.e. C:\\Users\\&lt;USER&gt;)<\/li>\n<li>the path contains the Common Application Data Path (i.e. 
C:\\ProgramData).<\/li>\n<\/ul>\n<p>Now, if these checks pass, the process is killed, the program is deleted and its entry is removed from the Run and RunOnce registry keys located at the following paths:<\/p>\n<ul>\n<li>Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run<\/li>\n<li>Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\RunOnce<\/li>\n<\/ul>\n<p>After the iteration through all processes, the RAT sends the number of killed processes to its C2.<\/p>\n<figure id=\"attachment_25607\" aria-describedby=\"caption-attachment-25607\" style=\"width: 1241px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-25607 size-full\" src=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/nw0rm_pt2_10.jpeg\" alt=\"\" width=\"1241\" height=\"561\" srcset=\"https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_10.jpeg 1241w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_10-300x136.jpeg 300w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_10-1024x463.jpeg 1024w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_10-768x347.jpeg 768w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_10-24x11.jpeg 24w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_10-36x16.jpeg 36w, https:\/\/testing.secuinfra.com\/wp-content\/uploads\/\/nw0rm_pt2_10-48x22.jpeg 48w\" sizes=\"(max-width: 1241px) 100vw, 1241px\" \/><figcaption id=\"caption-attachment-25607\" class=\"wp-caption-text\">Figure 9: Module killer<\/figcaption><\/figure>\n<h2><span class=\"ez-toc-section\" id=\"IOC\"><\/span><strong>IOC<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><strong>Memory<\/strong><\/p>\n<p>Mutex: 2e3fb6d0<\/p>\n<p><strong>Network<\/strong><\/p>\n<p>nyanmoney02[.]duckdns.org<\/p>\n<p>Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/76.0.3809.100 
Safari\/537.36<\/p>\n<p>Port: 9031<\/p>\n<p><strong>Yara<\/strong><\/p>\n<p>You can find a complete Yara rule here -&gt; <a  href=\"https:\/\/github.com\/SIFalcon\/Detection\/blob\/main\/Yara\/RAT\/n-w0rm.yar\"  target=\"_blank\" rel=\"noopener nofollow\" dpc-external=\"true\" >SECUINFRA Falcon Team Git<\/a><\/p>\n<div class=\"fazit\">\n<h2><span class=\"ez-toc-section\" id=\"Series_overview\"><\/span>Series overview<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><a href=\"https:\/\/testing.secuinfra.com\/en\/techtalk\/n-w0rm-analysis-part-1\/\">N-W0rm analysis Part 1<\/a><\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>We will first begin at the entry point of this RAT and analyze its executed code before we jump into all possible modules this RAT possesses.<\/p>\n","protected":false},"author":6,"featured_media":27266,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[85,86,81],"tags":[],"dpc_coauthors":[],"class_list":["post-25597","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-digital-forensics","category-incident-response","category-techtalk"],"acf":[],"_links":{"self":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/25597","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/comments?post=25597"}],"version-history":[{"count":0,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/posts\/25597\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.secuinfra.com
\/en\/wp-json\/wp\/v2\/media\/27266"}],"wp:attachment":[{"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/media?parent=25597"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/categories?post=25597"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/tags?post=25597"},{"taxonomy":"dpc_coauthors","embeddable":true,"href":"https:\/\/testing.secuinfra.com\/en\/wp-json\/wp\/v2\/dpc_coauthors?post=25597"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}