{"id":10316,"date":"2024-12-11T10:31:03","date_gmt":"2024-12-11T10:31:03","guid":{"rendered":"\/cybersecurity-blog\/?p=10316"},"modified":"2024-12-11T10:31:04","modified_gmt":"2024-12-11T10:31:04","slug":"nova-keylogger-malware-analysis","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/nova-keylogger-malware-analysis\/","title":{"rendered":"Analysis of Nova: A Snake Keylogger Fork"},"content":{"rendered":"\n<p><em>Editor\u2019s note: The current article is authored by Mostafa ElSheimy, a malware reverse engineer and threat intelligence analyst. You can find Mostafa on&nbsp;<\/em><a href=\"https:\/\/x.com\/M4lcode\" target=\"_blank\" rel=\"noreferrer noopener\"><em>X<\/em><\/a><em>&nbsp;and&nbsp;<\/em><a href=\"https:\/\/www.linkedin.com\/in\/m4lcode\" target=\"_blank\" rel=\"noreferrer noopener\"><em>LinkedIn<\/em><\/a><em>.<\/em>&nbsp;<\/p>\n\n\n\n<p>In this malware analysis report, we will delve into Nova, a newly discovered fork of the Snake Keylogger family. 
This variant has been observed employing even more sophisticated tactics, signaling the continued adaptation and persistence of the Snake malware family in the cybersecurity landscape.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Overview of Snake Keylogger<\/strong>&nbsp;<\/h2>\n\n\n\n<p>Snake Keylogger, a .NET-based malware first identified in November 2020, is infamous for its credential-stealing and keylogging capabilities.<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/reverse-engineering-snake-keylogger\/\" target=\"_blank\" rel=\"noreferrer noopener\">Read in-depth analysis of Snake Keylogger<\/a><\/p>\n\n\n\n<p>It primarily spreads through phishing and <a href=\"https:\/\/any.run\/cybersecurity-blog\/spearphishing-explained\/\" target=\"_blank\" rel=\"noreferrer noopener\">spearphishing<\/a> campaigns, where malicious Office documents or PDFs are used to deliver downloader <a href=\"https:\/\/any.run\/cybersecurity-blog\/powershell-script-tracer\/\" target=\"_blank\" rel=\"noreferrer noopener\">scripts via PowerShell<\/a>. Once executed, Snake Keylogger captures keystrokes, steals saved credentials, takes screenshots, and extracts clipboard data.&nbsp;<\/p>\n\n\n\n<p>As of 2024, Snake Keylogger has continued to evolve, adopting advanced evasion techniques such as process hollowing and heavily obfuscated code to avoid detection.&nbsp;&nbsp;<\/p>\n\n\n\n<p>This variant uses a suspended child process to inject its payload, which makes it more difficult for security software to identify and neutralize. 
Furthermore, reports indicate that Snake Keylogger has grown more prevalent, with significant spikes in zero-day detections, suggesting its ongoing threat to both personal and corporate cybersecurity.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Technical Analysis Using ANY.RUN Sandbox<\/strong>&nbsp;<\/h2>\n\n\n\n<p>Let\u2019s run a sandbox analysis session using <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=nova_malware_analysis&amp;utm_term=111224&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN&#8217;s Interactive Sandbox<\/a> to discover the technical details of this malware.&nbsp;&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/e017ef2f-7154-49f5-8fd3-c2a08650162b\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=nova_malware_analysis&amp;utm_term=111224&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View analysis session<\/a>&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"596\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image21-1024x596.png\" alt=\"\" class=\"wp-image-10317\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image21-1024x596.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image21-300x175.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image21-768x447.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image21-1536x894.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image21-370x215.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image21-270x157.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image21-740x431.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image21.png 1580w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Process graph generated by ANY.RUN sandbox for the behavior of NOVA<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>In the HTTP Requests tab, we can see that Nova sends HTTP requests to <strong>hxxp[:\/\/]checkip[.]dyndns[.]org\/<\/strong> to get the IP of the victim device:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"250\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image22-1024x250.png\" alt=\"\" class=\"wp-image-10319\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image22-1024x250.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image22-300x73.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image22-768x188.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image22-370x90.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image22-270x66.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image22-740x181.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image22.png 1289w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>HTTP requests made by Nova to obtain the victim device&#8217;s IP<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>In the DNS Requests tab, Nova makes DNS requests to <strong>reallyfreegeoip[.]org<\/strong> to get the country name of the victim device:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"256\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image23-1024x256.png\" alt=\"\" class=\"wp-image-10320\" 
srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image23-1024x256.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image23-300x75.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image23-768x192.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image23-370x92.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image23-270x67.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image23-740x185.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image23.png 1246w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>DNS requests by Nova to get the country name of the victim device<\/em><\/figcaption><\/figure><\/div>\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nAnalyze malware and phishing <br>with ANY.RUN&#8217;s <span class=\"highlight\">Interactive Sandbox<\/span>&nbsp;   \n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/app.any.run\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=nova_malware_analysis&#038;utm_term=111224&#038;utm_content=linktoregistration#register\" rel=\"noopener\" target=\"_blank\">\nSign up free\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 
0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h2 class=\"wp-block-heading\"><strong>Unpacking<\/strong>&nbsp;<\/h2>\n\n\n\n<p><strong>Nova <\/strong>keylogger uses a protector written in AutoIt. There are several ways to unpack it:&nbsp;<\/p>\n\n\n\n<p>1. Decompiling the executable to AutoIt script (.au3)&nbsp;<\/p>\n\n\n\n<p>2. Executing the sample and letting it unpack itself in the memory, then dumping the process. This can be done with the help of the following tools:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Sandbox&nbsp;<\/li>\n\n\n\n<li>Unpacme<\/li>\n\n\n\n<li>Pe-sieve&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/packers-and-crypters-in-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">Learn to unpack malware<\/a><\/p>\n\n\n\n<p>According to Unpacme, the unpacked sample is obfuscated using the Net Reactor Obfuscator:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"238\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image24-1024x238.png\" alt=\"\" class=\"wp-image-10321\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image24-1024x238.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image24-300x70.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image24-768x178.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image24-370x86.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image24-270x63.png 270w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image24-740x172.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image24.png 1163w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>.NET Reactor used for obfuscation<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Exeinfo also confirms this:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"551\" height=\"264\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image25.png\" alt=\"\" class=\"wp-image-10322\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image25.png 551w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image25-300x144.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image25-370x177.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image25-270x129.png 270w\" sizes=\"(max-width: 551px) 100vw, 551px\" \/><figcaption class=\"wp-element-caption\"><em>Exeinfo confirming the use of .NET Reactor for obfuscation<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The presence of numerous empty functions strongly suggests obfuscation, which aligns with the tools&#8217; analysis.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"439\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image26-1024x439.png\" alt=\"\" class=\"wp-image-10323\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image26-1024x439.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image26-300x129.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image26-768x329.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image26-370x159.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image26-270x116.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image26-740x317.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image26.png 1168w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Presence of empty functions<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>To address this, we can use NETReactorSlayer for deobfuscation.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"611\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image27-1024x611.png\" alt=\"\" class=\"wp-image-10325\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image27-1024x611.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image27-300x179.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image27-768x458.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image27-370x221.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image27-270x161.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image27-740x442.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image27.png 1054w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>NET Reactor Slayer used for deobfuscation<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>NETReactorSlayer performed exceptionally well in this task, successfully deobfuscating the sample.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"554\" 
src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image28-1024x554.png\" alt=\"\" class=\"wp-image-10326\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image28-1024x554.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image28-300x162.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image28-768x416.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image28-370x200.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image28-270x146.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image28-740x400.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image28.png 1327w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Performance of NETReactorSlayer<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\"><strong>Deep Analysis<\/strong>&nbsp;<\/h2>\n\n\n\n<p><strong>Nova<\/strong> is capable of extracting sensitive data from a wide range of sources, including: <\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Browsers<\/strong>: Chrome, Brave, Opera, Firefox, Edge, etc.<\/li>\n\n\n\n<li><strong>Emaial Clients<\/strong>: Outlook, Foxmail, Thunderbird.<\/li>\n\n\n\n<li><strong>FTP Clients<\/strong>: Filezilla.<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"600\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image29-1024x600.png\" alt=\"\" class=\"wp-image-10328\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image29-1024x600.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image29-300x176.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image29-768x450.png 768w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image29-370x217.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image29-270x158.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image29-740x433.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image29.png 1400w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The list of browsers that the malware can exfiltrate data from<\/em> <\/figcaption><\/figure><\/div>\n\n\n<p>It can also retrieve and decode the Windows product key.<\/p>\n\n\n\n<p>Let&#8217;s take a closer look at these functionalities to understand their implications and the depth of Nova&#8217;s capabilities.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Extracting and Decrypting Outlook Passwords&nbsp;<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"618\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2a-1024x618.png\" alt=\"\" class=\"wp-image-10330\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2a-1024x618.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2a-300x181.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2a-768x464.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2a-370x223.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2a-270x163.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2a-740x447.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2a.png 1378w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The process of password 
decryption<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Nova performs the following steps to extract and decrypt Outlook passwords:&nbsp;<\/p>\n\n\n\n<p><strong>1. Initialization<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Creates a list to store recovered account details.&nbsp;<\/li>\n\n\n\n<li>Prepares an array of strings representing the password types to search for in the Windows registry.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>2. Accessing registry keys&nbsp;<\/strong><\/p>\n\n\n\n<p>Nova opens the following registry keys, which are known to store Outlook profile information:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Software\\\\Microsoft\\\\Office\\\\15.0\\\\Outlook\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A6676&nbsp;<\/li>\n\n\n\n<li>Software\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Windows Messaging Subsystem\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A6676&nbsp;<\/li>\n\n\n\n<li>Software\\\\Microsoft\\\\Windows Messaging Subsystem\\\\Profiles\\\\9375CFF0413111d3B88A00104B2A6676&nbsp;<\/li>\n\n\n\n<li>Software\\\\Microsoft\\\\Office\\\\16.0\\\\Outlook\\\\Profiles\\\\Outlook\\\\9375CFF0413111d3B88A00104B2A6676&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>3. Iterating through registry keys and subkeys&nbsp;<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Nova scans the registry keys and their subkeys, checking for entries containing email or password data.&nbsp;<\/li>\n\n\n\n<li>If such entries are found, Nova attempts to decrypt the password using the decryptOutlookPassword method.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><strong>4. 
Decrypting passwords&nbsp;<\/strong><\/p>\n\n\n\n<p>The decryptOutlookPassword method performs the following actions:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Takes the encrypted Outlook password as a byte array.&nbsp;<\/li>\n\n\n\n<li>Removes the first byte from the array.&nbsp;<\/li>\n\n\n\n<li>Decrypts the remaining data and converts it to a readable string.&nbsp;<\/li>\n\n\n\n<li>Strips any null characters from the resulting string before returning it.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"175\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2b-1024x175.png\" alt=\"\" class=\"wp-image-10333\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2b-1024x175.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2b-300x51.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2b-768x131.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2b-370x63.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2b-270x46.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2b-740x126.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2b.png 1048w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Stripping null characters<\/em><\/figcaption><\/figure><\/div>\n\n\n<p><strong>5. 
Retrieving account details<\/strong>&nbsp;<\/p>\n\n\n\n<p>It retrieves the email value and converts it to a byte array using <strong>GetBytes<\/strong>.&nbsp;<\/p>\n\n\n\n<p>Then, it retrieves the SMTP server value, if available, and adds the recovered account details to the list.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"532\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2c-1024x532.png\" alt=\"\" class=\"wp-image-10335\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2c-1024x532.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2c-300x156.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2c-768x399.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2c-370x192.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2c-270x140.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2c-740x384.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2c.png 1279w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Account details retrieval<\/em><\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\">Extracting and Decrypting Browser Login Information&nbsp;<\/h3>\n\n\n\n<p>Various functions exist for extracting browser login credentials. 
For this analysis, we will focus on <strong>Chrome_Speed<\/strong>, which targets Google Chrome&#8217;s saved login data.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"593\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2d-1024x593.png\" alt=\"\" class=\"wp-image-10337\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2d-1024x593.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2d-300x174.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2d-768x445.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2d-370x214.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2d-270x156.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2d-740x429.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2d.png 1367w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The process of extracting browser login credentials<\/em><\/figcaption><\/figure><\/div>\n\n\n<p><strong>1. Locating the Login Data file<\/strong>&nbsp;<\/p>\n\n\n\n<p><strong>Chrome_Speed <\/strong>constructs the path to the Login Data SQLite file, where Chrome stores saved login credentials. 
It then verifies the existence of the Login Data file before proceeding.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"110\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2e-1024x110.png\" alt=\"\" class=\"wp-image-10338\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2e-1024x110.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2e-300x32.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2e-768x83.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2e-370x40.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2e-270x29.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2e-740x80.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2e.png 1367w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>2. Retrieving login entries<\/strong>&nbsp;<\/p>\n\n\n\n<p>It loops through each login entry, retrieving the origin_url, username_value, and password_value.&nbsp;<\/p>\n\n\n\n<p><strong>3. Decrypting passwords<\/strong>&nbsp;<\/p>\n\n\n\n<p>If passwords are stored in <strong>Version 10 format<\/strong>, it uses the <strong>master key<\/strong> for decryption. 
For older formats, an alternative decryption method, <strong>Decrypttttt<\/strong>, is employed.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Key Methods Analyzed&nbsp;<\/h3>\n\n\n\n<p>Let\u2019s analyze the <strong>GetMasterKey<\/strong> and <strong>Decrypttttt<\/strong> methods:&nbsp;<\/p>\n\n\n\n<p>1. <strong>GetMasterKey<\/strong>&nbsp;<\/p>\n\n\n\n<p><strong>GetMasterKey<\/strong> retrieves and decrypts the master key used by Google Chrome to protect saved passwords. 
It reads the encrypted master key from the Local State file located in the Chrome user data directory, then decrypts it for further use.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"310\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2f-1024x310.png\" alt=\"\" class=\"wp-image-10340\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2f-1024x310.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2f-300x91.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2f-768x233.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2f-370x112.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2f-270x82.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2f-740x224.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2f.png 1366w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Use of GetMasterKey method<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>The process begins by constructing the path to the Local State file, which stores the encrypted master key.&nbsp;<\/p>\n\n\n\n<p>It first checks for the existence of the Local State file; if the file is absent, the method returns null.&nbsp;<\/p>\n\n\n\n<p>Upon confirming the file&#8217;s presence, the contents are read, and a regular expression is employed to extract the encrypted master key.&nbsp;<\/p>\n\n\n\n<p>The method iterates through the matches to convert the encrypted key from a Base64 string into a byte array.&nbsp;<\/p>\n\n\n\n<p>Notably, a new byte array is created that excludes the first five bytes of the original array, as these bytes do not form part of the actual key.&nbsp;<\/p>\n\n\n\n<p>Finally, the method attempts to 
decrypt the trimmed key using the <strong>ProtectedData.Unprotect<\/strong> method, which is designed to decrypt data that has been secured with the <strong>ProtectedData.Protect<\/strong> method.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"577\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image20-1024x577.png\" alt=\"\" class=\"wp-image-10343\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image20-1024x577.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image20-300x169.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image20-768x433.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image20-370x209.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image20-270x152.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image20-740x417.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image20.png 1407w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The Unprotect method is a function that decrypts data protected by the Windows <strong>Data Protection API<\/strong> (<strong>DPAPI<\/strong>). It first checks if the input data is valid and compatible with NT-based systems.&nbsp;&nbsp;<\/p>\n\n\n\n<p>The method then pins the memory of the encrypted data and any optional entropy to avoid issues during decryption.&nbsp;&nbsp;<\/p>\n\n\n\n<p>It calls <strong>CryptUnprotectData<\/strong> to decrypt the data and handles errors by throwing exceptions when needed.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Finally, it clears sensitive data from memory before releasing resources.&nbsp;<\/p>\n\n\n\n<p><strong>2. 
Decrypttttt<\/strong>&nbsp;<\/p>\n\n\n\n<p>The <strong>Decrypttttt<\/strong> method is a function that decrypts a byte array using the Windows <strong>Data Protection API (DPAPI).<\/strong>&nbsp;<\/p>\n\n\n\n<p>It begins by initializing data structures to hold the encrypted data and the decrypted output.&nbsp;<\/p>\n\n\n\n<p>The method pins the input byte array in memory to prevent the garbage collector from moving it during decryption.&nbsp;<\/p>\n\n\n\n<p>After setting up the necessary structures, it calls the <strong>CryptUnprotectData<\/strong> API to perform the decryption.&nbsp;<\/p>\n\n\n\n<p>Once the data is decrypted, the method copies the output into a new byte array, converts it to a string, and removes any trailing null characters.&nbsp;<\/p>\n\n\n\n<p>Finally, it returns the decrypted string, ensuring proper handling of sensitive data throughout the process.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"305\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image30-1024x305.png\" alt=\"\" class=\"wp-image-10345\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image30-1024x305.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image30-300x89.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image30-768x229.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image30-370x110.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image30-270x81.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image30-740x221.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image30.png 1190w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Use of Decrypttttt 
method<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Let\u2019s get back to the <strong>Chrome_Speed<\/strong> function.&nbsp;<\/p>\n\n\n\n<p>It combines the URL, username, and password into a formatted string:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\"\\r\\n============X============\\r\\nURL: \" \n\n    \"\\r\\nUsername: \" \n\n    \"\\r\\nPassword: \" \n\n    \"\\r\\nApplication: Google Chrome\\r\\n=========================\\r\\n \"<\/code><\/pre>\n\n\n\n<p>The formatted string is appended to a collection of stored credentials for further use or exfiltration.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"243\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image22-1-1024x243.png\" alt=\"\" class=\"wp-image-10347\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image22-1-1024x243.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image22-1-300x71.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image22-1-768x182.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image22-1-370x88.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image22-1-270x64.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image22-1-740x176.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image22-1.png 1364w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Extracting Windows Product Key&nbsp;<\/h3>\n\n\n\n<p>The process of extracting the Windows product key involves accessing the system registry and decoding the <strong>DigitalProductID<\/strong>. 
Here&#8217;s a detailed breakdown:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Accessing the registry&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>First, it opens the \u201cSoftware\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\u201d registry key.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Fetching DigitalProductID&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Then, the <strong>DigitalProductID<\/strong> is fetched from the registry as a byte array. This ID is used to generate the Windows product key.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Extracting relevant bytes&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>A specific portion of the <strong>DigitalProductID<\/strong> is copied into a new byte array.&nbsp;<\/p>\n\n\n\n<p>The product key is derived from bytes starting at index 52 in the sourceArray.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Decoding the product key&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The outer loop runs 25 times (from 0 to 24) to form the product key. The inner loop processes each byte in reverse (from 14 to 0) to decode and generate the corresponding characters.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"584\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image31-1024x584.png\" alt=\"\" class=\"wp-image-10348\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image31-1024x584.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image31-300x171.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image31-768x438.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image31-370x211.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image31-270x154.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image31-740x422.png 740w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image31.png 1199w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The process of accessing the system registry and decoding the DigitalProductID<\/em><\/figcaption><\/figure><\/div>\n\n\n<ul class=\"wp-block-list\">\n<li>Formatting the product key&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>The method returns the formatted product key as a string (e.g., XXXXX-XXXXX-XXXXX-XXXXX-XXXXX).&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Getting Victim\u2019s Info&nbsp;&nbsp;<\/h3>\n\n\n\n<p>The process gathers key information about the victim, including:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IP Address&nbsp;<\/li>\n\n\n\n<li>Country&nbsp;<\/li>\n\n\n\n<li>PC Name&nbsp;<\/li>\n\n\n\n<li>Date and Time&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"106\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image24-1-1024x106.png\" alt=\"\" class=\"wp-image-10351\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image24-1-1024x106.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image24-1-300x31.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image24-1-768x80.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image24-1-370x38.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image24-1-270x28.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image24-1-740x77.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image24-1.png 1348w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>It gets the victim\u2019s IP by making a request to: hxxp[:\/\/]checkip[.]dyndns[.]org\/&nbsp;<\/p>\n\n\n<div 
class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"401\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image32-1024x401.png\" alt=\"\" class=\"wp-image-10352\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image32-1024x401.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image32-300x117.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image32-768x300.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image32-370x145.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image32-270x106.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image32-740x289.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image32.png 1176w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure><\/div>\n\n\n<p>The country information is retrieved by querying:&nbsp; hxxps[:\/\/]reallyfreegeoip[.]org\/xml\/&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Data format&nbsp;<\/h3>\n\n\n\n<p>The collected information is structured in a formatted string for further use:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"509\" height=\"413\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image27-1.png\" alt=\"\" class=\"wp-image-10354\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image27-1.png 509w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image27-1-300x243.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image27-1-370x300.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image27-1-270x219.png 270w\" sizes=\"(max-width: 509px) 100vw, 509px\" \/><\/figure><\/div>\n\n\n<h3 
class=\"wp-block-heading\">Getting Clipboard Data&nbsp;<\/h3>\n\n\n\n<p>The process of extracting data from the clipboard involves the following steps:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>IsClipboardFormatAvailable<\/strong> checks if the clipboard contains text in Unicode format&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>OpenClipboard<\/strong> opens the clipboard to allow examination and retrieval of data&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>GetClipboardData<\/strong> retrieves the data handle from the clipboard in the specified format&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"646\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image34-1024x646.png\" alt=\"\" class=\"wp-image-10355\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image34-1024x646.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image34-300x189.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image34-768x485.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image34-370x233.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image34-270x170.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image34-740x467.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image34.png 1230w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Retriaval of Clipboard data<\/em><\/figcaption><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\"><strong>Exfiltration<\/strong>&nbsp;<\/h2>\n\n\n\n<p>Nova supports three data exfiltration methods: <strong>FTP<\/strong>, <strong>SMTP<\/strong>, or <strong>Telegram<\/strong>, depending on the configuration set by 
the malware author.&nbsp;<\/p>\n\n\n\n<p>It compares the UltraSpeed.QJDFjPqkSr value against specific flags:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>&#8220;#FTPEnabled&#8221;: If true, data is exfiltrated via FTP.&nbsp;<\/li>\n\n\n\n<li>&#8220;#SMTPEnabled&#8221;: If true, data is exfiltrated via SMTP.&nbsp;<\/li>\n\n\n\n<li>&#8220;#TGEnabled&#8221;: If true, data is exfiltrated via Telegram.&nbsp;<\/li>\n<\/ul>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"213\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image35-1024x213.png\" alt=\"\" class=\"wp-image-10356\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image35-1024x213.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image35-300x62.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image35-768x159.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image35-370x77.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image35-270x56.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image35-740x154.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image35.png 1127w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>UltraSpeed.QJDFjPqkSr value compared against specific flags<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>In this particular sample, the exfiltration method is Telegram:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"669\" height=\"172\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image30-1.png\" alt=\"\" class=\"wp-image-10358\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image30-1.png 669w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image30-1-300x77.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image30-1-370x95.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image30-1-270x69.png 270w\" sizes=\"(max-width: 669px) 100vw, 669px\" \/><\/figure><\/div>\n\n\n<p>As we see, there are no credentials provided for SMTP and FTP servers:<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"996\" height=\"508\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image36.png\" alt=\"\" class=\"wp-image-10359\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image36.png 996w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image36-300x153.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image36-768x392.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image36-370x189.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image36-270x138.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image36-740x377.png 740w\" sizes=\"(max-width: 996px) 100vw, 996px\" \/><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\"><strong>Telegram Exfiltration&nbsp;<\/strong><\/h3>\n\n\n\n<p>The code responsible for exfiltration through Telegram includes details about the bot and its endpoint for sending data:&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"469\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image37-1024x469.png\" alt=\"\" class=\"wp-image-10361\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image37-1024x469.png 1024w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image37-300x137.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image37-768x352.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image37-370x170.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image37-270x124.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image37-740x339.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image37.png 1445w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Telegram exfiltration<\/em><\/figcaption><\/figure><\/div>\n\n\n<p><strong>Telegram API endpoint<\/strong>: hxxps[:\/\/]api[.]telegram[.]org\/bot7479124552:AAELHYVLYxHEQdxzK-H17KRix-YKXifzKCI&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"561\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image38-1024x561.png\" alt=\"\" class=\"wp-image-10362\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image38-1024x561.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image38-300x164.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image38-768x421.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image38-370x203.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image38-270x148.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image38-740x406.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image38.png 1286w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Process communication with Telegram detected by ANY.RUN 
sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>JSON Responses from the Telegram Bot API<\/strong>&nbsp;<\/h3>\n\n\n\n<p>The provided images showcase <strong>JSON responses<\/strong> retrieved from the Telegram Bot API. 
These responses contain detailed information about bots that are directly associated with the <strong>NOVA<\/strong> family of malware.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"354\" height=\"236\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image39.png\" alt=\"\" class=\"wp-image-10364\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image39.png 354w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image39-300x200.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image39-270x180.png 270w\" sizes=\"(max-width: 354px) 100vw, 354px\" \/><figcaption class=\"wp-element-caption\">Information about a bot with the username &#8220;skullsnovabot&#8221;<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"338\" height=\"232\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3a.png\" alt=\"\" class=\"wp-image-10365\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3a.png 338w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3a-300x206.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3a-270x185.png 270w\" sizes=\"(max-width: 338px) 100vw, 338px\" \/><figcaption class=\"wp-element-caption\">Information about a bot with the username &#8220;onumenbot&#8221;<\/figcaption><\/figure><\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"384\" height=\"254\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3b.png\" alt=\"\" class=\"wp-image-10366\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3b.png 384w, 
https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3b-300x198.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3b-370x245.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image3b-270x179.png 270w\" sizes=\"(max-width: 384px) 100vw, 384px\" \/><figcaption class=\"wp-element-caption\">Information about a bot with the username &#8220;santigeebot&#8221;<\/figcaption><\/figure><\/div>\n\n\n<h3 class=\"wp-block-heading\"><strong>Code Reference to &#8220;NOVA&#8221;<\/strong>&nbsp;<\/h3>\n\n\n\n<p>The malware\u2019s source code explicitly mentions <strong>&#8220;NOVA&#8221;<\/strong>, reinforcing its attribution to this specific malware family.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"712\" height=\"222\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2.jpg\" alt=\"\" class=\"wp-image-10369\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2.jpg 712w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-300x94.jpg 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-370x115.jpg 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/12\/image2-270x84.jpg 270w\" sizes=\"(max-width: 712px) 100vw, 712px\" \/><\/figure><\/div>\n\n\n<h2 class=\"wp-block-heading\"><strong>Conclusion<\/strong>&nbsp;<\/h2>\n\n\n\n<p>The Nova variant of the Snake Keylogger represents a significant evolution of its predecessor, with advanced evasion techniques and a broader array of data exfiltration capabilities.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Written in VB.NET, Nova leverages obfuscation methods such as Net Reactor Obfuscator and utilizes process hollowing to evade detection, making it a more persistent and stealthy threat. 
Through its sophisticated techniques, including credential harvesting from a wide variety of browsers, email clients, and other sensitive data, Nova demonstrates its ability to target both personal and corporate systems effectively.&nbsp;<\/p>\n\n\n\n<p>The malware is capable of extracting a wide range of valuable information, including saved passwords, credit card details, and system keys, from both browsers and email clients. In addition, its ability to gather data from a victim\u2019s clipboard and exfiltrate it via multiple channels\u2014such as FTP, SMTP, or Telegram\u2014demonstrates its adaptability and versatility.&nbsp;<\/p>\n\n\n\n<p>While the use of Telegram as the exfiltration method in this specific sample shows a shift towards more covert communication, the ability to switch exfiltration methods allows the malware to avoid detection by security systems that might block certain channels. The malware&#8217;s integration with popular tools like Telegram also indicates its use in large-scale, automated cybercrime activities, making it a serious threat to organizations and individuals alike.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN<\/h2>\n\n\n\n<p>ANY.RUN helps more than 500,000 cybersecurity professionals worldwide. Our <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=nova_malware_analysis&amp;utm_term=111224&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">interactive sandbox<\/a> simplifies malware analysis of threats that target both Windows and <a href=\"https:\/\/any.run\/cybersecurity-blog\/linux-malware-analysis-cases\/\" target=\"_blank\" rel=\"noreferrer noopener\">Linux<\/a> systems. 
Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">YARA Search<\/a> and <a href=\"https:\/\/any.run\/cybersecurity-blog\/ti-feeds-integration\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find <a href=\"https:\/\/any.run\/cybersecurity-blog\/indicators-of-compromise\/\" target=\"_blank\" rel=\"noreferrer noopener\">IOCs<\/a> or files to learn more about the threats and respond to incidents faster.&nbsp;&nbsp;<\/p>\n\n\n\n<p><strong>With ANY.RUN you can:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detect malware in seconds<\/li>\n\n\n\n<li>Interact with samples in real time<\/li>\n\n\n\n<li>Save time and money on sandbox setup and maintenance<\/li>\n\n\n\n<li>Record and study all aspects of malware behavior<\/li>\n\n\n\n<li>Collaborate with your team&nbsp;<\/li>\n\n\n\n<li>Scale as you need<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=nova_malware_analysis&amp;utm_term=111224&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Get a 14-day free trial to test all features of ANY.RUN&#8217;s Interactive Sandbox \u2192<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">IOCs<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Nova<\/strong>:&nbsp;&nbsp;<\/h3>\n\n\n\n<p>68f5247bd24e8d5d121902a2701448fe135e696f8f65f29e9115923c8efebee4&nbsp;&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Dropped files&nbsp;<\/h3>\n\n\n\n<p>C:\\Users\\admin\\AppData\\Local\\Temp\\fondaco afb1dae7a6f2396c3d136e60144b02dd03c59ab10704918185d12ef8c6d7ec93&nbsp;<\/p>\n\n\n\n<p>C:\\Users\\admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\neophobia.vbs 
66dbb9c8deadea9f848b1b55405738d8a65a733c804f1444533607c20584643e&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">C2 URL<\/h3>\n\n\n\n<p>hxxps:\/\/api[.]telegram[.]org\/bot7479124552:AAELHYVLYxHEQdxzK-H17KRix-YKXifzKCI\/sendDocument&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Bot Token<\/h3>\n\n\n\n<p>7479124552:AAELHYVLYxHEQdxzK-H17KRix-YKXifzKCI&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Chat ID&nbsp;<\/h3>\n\n\n\n<p>5679778644&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>MITRE ATT&amp;CK Techniques<\/strong><\/h3>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-214\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"3\"\n           data-rows=\"11\"\n           data-wpID=\"214\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Category\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell \"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Technique\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell \"\n 
                                           data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:33.333333333333%;                    padding:10px;\n                    \"\n                    >\n                                        Details\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Persistence\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Boot or Logon Autostart Execution\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Registry Run Keys \/ Startup Folder\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n       
             data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Privilege Escalation\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Boot or Logon Autostart Execution\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Registry Run Keys \/ Startup Folder\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Defense Evasion\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n             
       >\n                                        Impair Defenses\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Disable Windows Event Logging\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Credential Access\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Credentials from Password Stores\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Credentials from Web Browsers\u00a0                    <\/td>\n                                        <\/tr>\n                          
  <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Credential Access\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B6\"\n                    data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Unsecured Credentials\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C6\"\n                    data-col-index=\"2\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Credentials In Files\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Discovery\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n              
      data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Software Discovery\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell  wpdt-merged-cell \"\n                     colspan=\"1\"  rowspan=\"4\"                     data-cell-id=\"C7\"\n                    data-col-index=\"2\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Security Software Discovery\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Discovery\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Query Registry\u00a0                    <\/td>\n                                                    <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A9\"\n                    data-col-index=\"0\"\n                    data-row-index=\"8\"\n                    style=\"        
             padding:10px;\n                    \"\n                    >\n                                        Discovery\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B9\"\n                    data-col-index=\"1\"\n                    data-row-index=\"8\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        System Network Configuration Discovery\u00a0                    <\/td>\n                                                    <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A10\"\n                    data-col-index=\"0\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Discovery\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B10\"\n                    data-col-index=\"1\"\n                    data-row-index=\"9\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        System Information Discovery\u00a0                    <\/td>\n                                                    <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A11\"\n                    data-col-index=\"0\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n  
                                      Command and Control (C&C)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B11\"\n                    data-col-index=\"1\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Web Service\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C11\"\n                    data-col-index=\"2\"\n                    data-row-index=\"10\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        \u00a0                    <\/td>\n                                                    <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-214'>\ntable#wpdtSimpleTable-214{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-214 td, table.wpdtSimpleTable214 th { white-space: normal !important; }\n<\/style>\n\n","protected":false},"author":2,"featured_media":10385,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[57,10,15,34,40],"class_list":["post-10316","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-anyrun","tag-cybersecurity","tag-malware","tag-malware-analysis","tag-malware-behavior"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Analysis of Nova: A Snake Keylogger Fork - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Read an in-depth analysis of Nova, a newly discovered fork of the Snake Keylogger family, that employs more sophisticated tactics.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/nova-keylogger-malware-analysis\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mostafa ElSheimy\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"16 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/nova-keylogger-malware-analysis\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/nova-keylogger-malware-analysis\/\"},\"author\":{\"name\":\"Mostafa ElSheimy\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"Analysis of Nova: A Snake Keylogger Fork\",\"datePublished\":\"2024-12-11T10:31:03+00:00\",\"dateModified\":\"2024-12-11T10:31:04+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/nova-keylogger-malware-analysis\/\"},\"wordCount\":2377,\"commentCount\":2,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware\",\"malware analysis\",\"malware behavior\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/nova-keylogger-malware-analysis\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/nova-keylogger-malware-analysis\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/nova-keylogger-malware-analysis\/\",\"name\":\"Analysis of Nova: A Snake Keylogger Fork - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2024-12-11T10:31:03+00:00\",\"dateModified\":\"2024-12-11T10:31:04+00:00\",\"description\":\"Read an in-depth analysis of Nova, a newly discovered fork of the Snake Keylogger family, that employs more sophisticated 
tactics.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/nova-keylogger-malware-analysis\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/nova-keylogger-malware-analysis\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/nova-keylogger-malware-analysis\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Analysis of Nova: A Snake Keylogger Fork\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"Mostafa ElSheimy\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/MostafaElSheimy.webp\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2024\/08\/MostafaElSheimy.webp\",\"caption\":\"Mostafa ElSheimy\"},\"description\":\"Mostafa ElSheimy is a malware reverse engineer and threat intelligence analyst, specializing in analyzing TTPs (Tactics, Techniques, and Procedures) and crafting YARA rules to detect and counter cyber threats. Mostafa's work focuses on dissecting malware to uncover hidden dangers and protect organizations from emerging threats. Find him on X and LinkedIn.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->"}