Skip to content
This repository has been archived by the owner on Jul 20, 2022. It is now read-only.

Latest commit

 

History

History
119 lines (98 loc) · 3.84 KB

README.md

File metadata and controls

119 lines (98 loc) · 3.84 KB
Raw

DISCLAIMERS

The information contained in this repo is for educational purposes ONLY! I DO NOT hold any responsibility for any misuse or damage of the information provided in my blog posts, discussions, activities, repositories, or exercises.

Nemo

What does it do:

  • Manipulates local and domain policies
    • Disables Windows Firewall.
    • Disables Windows task manager.
    • Disables selected binaries.
  • Deletes Windows Defender AV signature database.
  • Deletes Windows Defender.
  • Creates a Powershell profile.
    • Drops firewall rules
    • Starts WinRM & RDP.
    • Creates users.
    • Remaps powershell aliases
  • Hides processes, files, and directories that start with $vmware-{whatever}
  • Runs multiple processes to do different tasks mentioned below.
  • Removes everything from event manager (The initial deployment)

List of processes:

Example:

What is it

  • Real binary name: KeyChain.exe
  • Real binary path: {path}
  • Hidden binary name: $vmware-005.exe
  • Hidden binary path: {path}
  • Description:
    • It does something.

Keylogger

  • Real binary name: KeyChain.exe
  • Real binary path: {path}
  • Hidden binary name: $vmware-005.exe
  • Hidden binary path: {path}
  • Description:
    • It sends everything back to :80/bose.php.

Callbacks

  • Real binary name: PFRE.exe
  • Real binary path: C:\Windows\
  • Hidden binary name: $vmware-001.exe
  • Hidden binary path: C:\ProgramData\Microsoft\Windows\Caches\
  • Description:
    • This binary sends back a shell to S-Nemo.py

Malware

  • Real binary name: WinHypro.exe
  • Real binary path: C:\Windows\
  • Hidden binary name: $vmware-002.exe
  • Hidden binary path: C:\ProgramData\Microsoft\Windows\Caches\
  • Description:
    • Infects every new file in the system according to your needs.
    • Removes for all Sysinternals binaries.

Nemo.exe

  • Real binary name: Wherever you want
  • Real binary path: Wherever you want
  • Hidden binary name: Has no hidden process
  • Hidden binary path: Has no hidden process
  • Description:
    • This is the implant that downloads, configures, and installs all the needed files.
    • It needs to run once. It's the process that starts everything.

Installing Rootkit

  • Real binary name: NT.exe
  • Real binary path: C:\Program Files\Windows NT\
  • Hidden binary name: Has no hidden process since it runs once
  • Hidden binary path: Has no hidden process since it runs once
  • Description:
    • NT.exe is what loads .dll into

Checker

  • Real binary name: WMSys.exe
  • Real binary path: C:\Windows\
  • Hidden binary name:$vmware-000.exe
  • Hidden binary path: C:\ProgramData\Microsoft\Windows\Caches\
  • Description:
    • This binary makes sure that Nemo implant is running aka makes sure that Red-Team has a shell by checking that $vmware-001.exe and $vmware-002.exe are running.
    • Resets and appends firewall rules

Clean.exe

  • Real binary name: Wherever you want
  • Real binary path: Wherever you want
  • Hidden binary name: Has no hidden process
  • Hidden binary path: Has no hidden process
  • Description:
    • This binary cleans almost every evidence after deploying Nemo

Execution flow

Diagram Symbols:

DNemo

Flow:

Nemo

In action:

First interaction with the RedTeam server to download the needed malware.

Nemo

Beaconing to pwnboard.

Nemo

Hidden processes.

Nemo

Integrated projects: