nightMARE is a Python library for reverse engineering and malware analysis that centralizes static analysis, emulation, and malware-family algorithms using Rizin and Unicorn to reduce dependencies and duplicated code. The article demonstrates building a LUMMA configuration extractor (including ChaCha20 context extraction and emulation-driven decryption) and lists covered malware families. #LUMMA #Rizin
Keypoints
- nightMARE v0.16 is a Python library that consolidates reverse engineering features (disassembly, pattern matching, data reading) and emulation to simplify malware analysis workflows.
- The project replaced many third-party modules by integrating Rizin via rz-pipe for disassembly and analysis, reducing maintenance complexity.
- An emulation module built on Unicorn provides a lightweight Windows PE emulator (WindowsEmulator) that supports stack manipulation, memory management, hooks, and IAT hooking for calling in-binary functions.
- The library is organized into analysis, core, and malware modules; the malware module contains per-family implementations for config extraction, crypto, and unpacking (e.g., LUMMA, Netwire, Remcos, Smokeloader).
- The article provides a step-by-step example extracting LUMMA C2 domains: locating ChaCha20 key/nonce via pattern matching, finding the decryption function, reading encrypted C2 data, and using emulation to call the binary’s decryption routine.
- The LUMMA extractor handles a reused ChaCha20 context with an internal counter and demonstrates allocating memory, writing the crypto context, pushing arguments, emulating the call, and reading decrypted domains.
- nightMARE source and example code (including the full LUMMA implementation) are available for download and contribution; maintainers welcome community help due to malware evolution.
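The reused ChaCha20 context with an internal counter mentioned in the key points above, as an added example that is not code from the article or from nightMARE: a small pure-Python ChaCha20 whose context keeps its block counter between calls, so the encrypted C2 blobs decrypt correctly only when they are processed in the same order the binary processes them. The key, nonce, placeholder domain strings and the rule that the counter advances one block per 64 bytes (partial-block keystream discarded) are constructed assumptions for this example, not values or behaviour taken from the LUMMA sample.

```python
"""Added example: ChaCha20 with a persistent block counter, modelling a
decryption context that is reused across several encrypted C2 blobs.
Not code from the article or from nightMARE; the key, nonce, domains and the
counter-advance rule below are constructed assumptions."""
import struct

MASK32 = 0xFFFFFFFF


def _rotl32(v, n):
    return ((v << n) & MASK32) | (v >> (32 - n))


def _quarter_round(s, a, b, c, d):
    # RFC 8439 quarter round, operating in place on the 16-word state.
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key: bytes, nonce: bytes, counter: int) -> bytes:
    """One 64-byte keystream block for a 32-byte key, 12-byte nonce, 32-bit counter."""
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key)
    state += [counter & MASK32]
    state += struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 double rounds (column + diagonal)
        _quarter_round(w, 0, 4, 8, 12)
        _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14)
        _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15)
        _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13)
        _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((a + b) & MASK32 for a, b in zip(w, state)))


class ChaCha20Context:
    """Key, nonce and a block counter that survives between calls.

    Assumption (constructed for this example): every call consumes whole
    64-byte blocks and the counter advances by the number of blocks used,
    so keystream from a partial block is never reused.
    """

    def __init__(self, key: bytes, nonce: bytes, counter: int = 0):
        if len(key) != 32 or len(nonce) != 12:
            raise ValueError("ChaCha20 needs a 32-byte key and a 12-byte nonce")
        self.key, self.nonce, self.counter = key, nonce, counter

    def process(self, data: bytes) -> bytes:
        # XOR is symmetric, so the same routine encrypts and decrypts.
        out = bytearray()
        for off in range(0, len(data), 64):
            ks = chacha20_block(self.key, self.nonce, self.counter)
            self.counter += 1
            chunk = data[off:off + 64]
            out += bytes(x ^ y for x, y in zip(chunk, ks))
        return bytes(out)


# Constructed sample inputs (not values from the LUMMA sample on the page).
SAMPLE_KEY = bytes(range(32))
SAMPLE_NONCE = bytes.fromhex("000000000000004a00000000")
SAMPLE_DOMAINS = ["c2-placeholder-1.example", "c2-placeholder-2.example",
                  "c2-placeholder-3.example"]


def make_sample_blobs(key, nonce, domains):
    """Produce the encrypted blobs as a binary reusing one context would."""
    ctx = ChaCha20Context(key, nonce)
    return [ctx.process(d.encode()) for d in domains]


def extract_domains(key, nonce, blobs):
    """Decrypt the blobs in the binary's order with one shared context."""
    ctx = ChaCha20Context(key, nonce)
    return [ctx.process(b).decode("ascii", errors="replace") for b in blobs]


def decrypt_single_fresh(key, nonce, blob):
    """The mistake to avoid: a fresh context (counter 0) for every blob."""
    return ChaCha20Context(key, nonce).process(blob)


if __name__ == "__main__":
    blobs = make_sample_blobs(SAMPLE_KEY, SAMPLE_NONCE, SAMPLE_DOMAINS)
    print(extract_domains(SAMPLE_KEY, SAMPLE_NONCE, blobs))
    # The second blob with a reset counter comes out as garbage, not a domain.
    print(decrypt_single_fresh(SAMPLE_KEY, SAMPLE_NONCE, blobs[1]))
```

The point of `decrypt_single_fresh` is the failure mode an extractor hits when it re-creates the context per string: only the first blob decrypts, because every later blob was encrypted under a later counter value. An emulation-driven extractor such as the one the article builds sidesteps this by calling the binary's own routine against the context as it exists in memory, which is exactly why the context (including its counter) has to be written back before each emulated call.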
MITRE Techniques
- [T1059] Command and Scripting Interpreter – Using Rizin and Python scripts to run disassembly and pattern-matching commands to locate code and data (the article shows functions such as “find_pattern” and “disassemble” to retrieve addresses): ‘…we pattern match this part of the code, then extract the addresses g_key_0 (key) and g_key_1 (nonce) from the instructions.’
- [T1204] User Execution – Loading and executing code snippets within an emulator to reproduce binary behavior and call in-binary functions (the emulation module uses Unicorn to run code and IAT hooks to intercept imports): ‘…we can directly call the function already present in the binary to decrypt our domains, using nightMARE’s emulation module.’
- [T1040] Network Traffic Discovery (Credentials, C2) – Extracting C2 domains from encrypted data blobs in the binary by locating and decrypting the embedded C2 list: ‘…we will use xrefs from the decryption function…we can easily find where it is called to decrypt the domains.’
- [T1016] System Network Configuration Discovery – Reading WinHTTP import usage to determine when the ChaCha20 context is initialized after loading WinHTTP.dll, and using that timing to locate the crypto setup: ‘…LUMMA performs the initialization of its cryptographic context after loading WinHTTP.dll…we pattern match this part of the code…’
- [T1497] Virtualization/Sandbox Evasion (Emulation-aware behavior) – Using a lightweight emulation environment (no full OS/DLL emulation) to execute short code sequences and handle in-binary crypto without full OS simulation, reflecting evasion-aware analysis choices: ‘…the goal is not to completely emulate a Windows executable…but to offer a simple way to execute code snippets or short sequences of functions while knowing its limitations.’
Indicators of Compromise
- [File Hash] LUMMA sample used as reference – 26803ff0e079e43c413e10d9a62d344504a134d20ad37af9fd3eaf5c54848122
- [Domains] Decrypted LUMMA C2 domains observed – mocadia[.]com, mastwin[.]in (and additional domains such as ordinarniyvrach[.]ru, yamakrug[.]ru)
- [File Name] Windows binary used in the emulation example – DismHost.exe (path: C:\Windows\System32\Dism\DismHost.exe), used to demonstrate IAT hooking for Sleep
Read more: https://www.elastic.co/security-labs/nightmare-on-0xelm-street