Overview
overview
7Static
static
3GANG-Nuker.zip
windows7-x64
1GANG-Nuker.zip
windows10-2004-x64
1GANG-Nuker/GANG.exe
windows7-x64
7GANG-Nuker/GANG.exe
windows10-2004-x64
7GANG.pyc
windows7-x64
3GANG.pyc
windows10-2004-x64
3GANG-Nuker...nt.txt
windows7-x64
1GANG-Nuker...nt.txt
windows10-2004-x64
1GANG-Nuker...NG.png
windows7-x64
3GANG-Nuker...NG.png
windows10-2004-x64
3GANG-Nuker...ker.py
windows7-x64
3GANG-Nuker...ker.py
windows10-2004-x64
3GANG-Nuker...gin.py
windows7-x64
3GANG-Nuker...gin.py
windows10-2004-x64
3GANG-Nuker...ter.py
windows7-x64
3GANG-Nuker...ter.py
windows10-2004-x64
3GANG-Nuker...ber.py
windows7-x64
3GANG-Nuker...ber.py
windows10-2004-x64
3GANG-Nuker...kup.py
windows7-x64
3GANG-Nuker...kup.py
windows10-2004-x64
3GANG-Nuker...nfo.py
windows7-x64
3GANG-Nuker...nfo.py
windows10-2004-x64
3GANG-Nuker...ore.py
windows7-x64
3GANG-Nuker...ore.py
windows10-2004-x64
3GANG-Nuker...mon.py
windows7-x64
3GANG-Nuker...mon.py
windows10-2004-x64
3GANG-Nuker...rys.py
windows7-x64
3GANG-Nuker...rys.py
windows10-2004-x64
3GANG-Nuker...ate.py
windows7-x64
3GANG-Nuker...ate.py
windows10-2004-x64
3GANG-Nuker...ersion
windows7-x64
1GANG-Nuker...ersion
windows10-2004-x64
1Analysis
-
max time kernel
1561s -
max time network
1565s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
28-05-2024 14:48
Behavioral task
behavioral1
Sample
GANG-Nuker.zip
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
GANG-Nuker.zip
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
GANG-Nuker/GANG.exe
Resource
win7-20240215-en
Behavioral task
behavioral4
Sample
GANG-Nuker/GANG.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
GANG.pyc
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
GANG.pyc
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
GANG-Nuker/data/useragent.txt
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
GANG-Nuker/data/useragent.txt
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
GANG-Nuker/utilities/Avatars/GANG.png
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
GANG-Nuker/utilities/Avatars/GANG.png
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
GANG-Nuker/utilities/Plugins/Account_Nuker.py
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
GANG-Nuker/utilities/Plugins/Account_Nuker.py
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
GANG-Nuker/utilities/Plugins/Auto_Login.py
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
GANG-Nuker/utilities/Plugins/Auto_Login.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
GANG-Nuker/utilities/Plugins/DM_Deleter.py
Resource
win7-20231129-en
Behavioral task
behavioral16
Sample
GANG-Nuker/utilities/Plugins/DM_Deleter.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral17
Sample
GANG-Nuker/utilities/Plugins/QR_Grabber.py
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
GANG-Nuker/utilities/Plugins/QR_Grabber.py
Resource
win10v2004-20240226-en
Behavioral task
behavioral19
Sample
GANG-Nuker/utilities/Plugins/Server_Lookup.py
Resource
win7-20240508-en
Behavioral task
behavioral20
Sample
GANG-Nuker/utilities/Plugins/Server_Lookup.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral21
Sample
GANG-Nuker/utilities/Plugins/Token_Info.py
Resource
win7-20240220-en
Behavioral task
behavioral22
Sample
GANG-Nuker/utilities/Plugins/Token_Info.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral23
Sample
GANG-Nuker/utilities/Plugins/ignore/ignore.py
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
GANG-Nuker/utilities/Plugins/ignore/ignore.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral25
Sample
GANG-Nuker/utilities/Settings/common.py
Resource
win7-20240508-en
Behavioral task
behavioral26
Sample
GANG-Nuker/utilities/Settings/common.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral27
Sample
GANG-Nuker/utilities/Settings/libarys.py
Resource
win7-20240221-en
Behavioral task
behavioral28
Sample
GANG-Nuker/utilities/Settings/libarys.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral29
Sample
GANG-Nuker/utilities/Settings/update.py
Resource
win7-20231129-en
Behavioral task
behavioral30
Sample
GANG-Nuker/utilities/Settings/update.py
Resource
win10v2004-20240426-en
Behavioral task
behavioral31
Sample
GANG-Nuker/utilities/Settings/version
Resource
win7-20240220-en
Behavioral task
behavioral32
Sample
GANG-Nuker/utilities/Settings/version
Resource
win10v2004-20240426-en
General
-
Target
GANG-Nuker/utilities/Settings/update.py
-
Size
5KB
-
MD5
4bf2fc54a6ae687c63d7fbe7af60c08e
-
SHA1
25cd8319ded225a40b633156b70f0849ab44b43d
-
SHA256
4272ea902df70571c3d862a50258604b65907fa68fed8b5b607b204763759774
-
SHA512
23d188285954c5f222be7d850c3b9d86b8bf47848f3d89f79ef89ab33cafa739d6cf1d5156dbfb4a8a979c45425abc8a24dd5b1f91dc128b53fa164e64b97e18
-
SSDEEP
48:gih832plNYwHFYhYAzX1Ra7VThRDkib1XKm+tiNr7Q+bn81+fPly:O32pDxHF+YGXjQV/+ohhy
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py\ = "py_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_Classes\Local Settings rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\.py rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 2820 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exepid process 2820 AcroRd32.exe 2820 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 2512 wrote to memory of 2240 2512 cmd.exe rundll32.exe PID 2512 wrote to memory of 2240 2512 cmd.exe rundll32.exe PID 2512 wrote to memory of 2240 2512 cmd.exe rundll32.exe PID 2240 wrote to memory of 2820 2240 rundll32.exe AcroRd32.exe PID 2240 wrote to memory of 2820 2240 rundll32.exe AcroRd32.exe PID 2240 wrote to memory of 2820 2240 rundll32.exe AcroRd32.exe PID 2240 wrote to memory of 2820 2240 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Settings\update.py1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Settings\update.py2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\GANG-Nuker\utilities\Settings\update.py"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEventsFilesize
3KB
MD5f35d7ceedf4a627c6039794181a4765b
SHA1677558d84614007dbd4c63b63c20443f20b25a5e
SHA2565e6d68592201908b20f6b64f4ca290fe91a0d3a67fbae4d3507f816f8734d335
SHA51262f6dfa0503bf29ab3aab457c633e84eeceeff72240c78d12c33c8edb616a6bb80efb6478f1a7f3578b082dbf2a958f434bb6d8c1fce4d53c9c48bdc07f29d05