
I’m trying to unpack Shade ransomware. The sample is relatively new (2017-11-01): c02153dce99eb8730806cfe19a3f29e3d4e3fad796f4eb15962b74fb2e55fe47.

For behavior analysis we can use the report from hybrid-analysis.com.

It is built with NSIS, a tool that helps developers create Windows installers:

NSIS (Nullsoft Scriptable Install System) is a professional open source system to create Windows installers. It is designed to be as small and flexible as possible and is therefore very suitable for internet distribution.

We can extract the .nsi script from the installer and analyze it instead of working with the executable. We need 7-Zip 15.05, because later versions of 7-Zip no longer support extracting .nsi script files.

You can download the extracted script from the Gist link.

It seems this script is a modified version of the installer script for a legitimate tool called smartmontools; all the malicious calls are in .onInit, which executes as soon as the executable is opened.

It uses the NSIS System plugin, which is a very powerful one (the plugin is packed into the original executable as system.dll): through it you can call any function from any DLL.

For example, System::Call "kernel32::GetModuleHandle(t 'user32.dll') p .s" calls GetModuleHandle with the string 'user32.dll' and leaves the result on the stack. The plugin is a kind of proxy, so we need to understand the script to get an idea of what happens; for more information about the plugin, visit the official page.
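As an added triage helper (an example written for this page, not code from the original post): a small Python script that pulls every System::Call out of an extracted .nsi script, groups the calls by the NSIS function that contains them, and separates direct dll::Function calls from calls through a variable such as $5, which is how the script hands control to a computed address. The .nsi fragment embedded in it is constructed; only the two System::Call lines quoted in this post are taken from the sample.

```python
import re

# Constructed .nsi fragment (not the real Shade script): the two System::Call
# lines quoted in the post plus one benign direct call, all inside .onInit.
SAMPLE_NSI = r'''
Function .onInit
  System::Call "kernel32::GetModuleHandle(t 'user32.dll') p .s"
  System::Call "user32::MessageBox(p 0, t 'hello', t 'demo', i 0)"
  System::Call "$5p r13, i 863248)"
FunctionEnd
'''

CALL_RE = re.compile(r'System::Call\s+(?:"([^"]*)"|\'([^\']*)\')')
DIRECT_RE = re.compile(r'^\s*(\w+)::(\w+)\s*\(')         # dll::Function(...)
INDIRECT_RE = re.compile(r'^\s*(\$(?:\d|R\d|\w+))')      # target held in a variable

def parse_calls(nsi_text):
    """Yield (enclosing NSIS function, call string) for every System::Call."""
    current = '<global>'
    for line in nsi_text.splitlines():
        m = re.match(r'^\s*Function\s+(\S+)', line, re.I)
        if m:
            current = m.group(1)
            continue
        if re.match(r'^\s*FunctionEnd\b', line, re.I):
            current = '<global>'
            continue
        for m in CALL_RE.finditer(line):
            yield current, m.group(1) if m.group(1) is not None else m.group(2)

def classify(call):
    """Direct calls name dll::Function; indirect ones go through a variable."""
    m = DIRECT_RE.match(call)
    if m:
        return {'kind': 'direct', 'target': f'{m.group(1)}::{m.group(2)}'}
    m = INDIRECT_RE.match(call)
    if m:
        return {'kind': 'indirect', 'target': m.group(1)}
    return {'kind': 'unknown', 'target': call.strip()}

def triage(nsi_text):
    """Map each NSIS function (e.g. .onInit) to its classified System::Calls."""
    report = {}
    for func, call in parse_calls(nsi_text):
        report.setdefault(func, []).append(classify(call))
    return report

def indirect_calls(nsi_text):
    """Calls through a computed address: the strongest sign of a jump to shellcode."""
    return [(f, e['target']) for f, ents in triage(nsi_text).items()
            for e in ents if e['kind'] == 'indirect']
```

Run it over the real extracted script to list which callbacks contain System::Call and which of those calls target a variable rather than a named export.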

I recreated the malicious part of the script and added some comments to help you understand how the malware works:

We can set a breakpoint on the System::Call function; when it reaches the last call, System::Call "$5p r13, i 863248)", it jumps to the destination address:

Now we are inside shellcode:

Note: the destination/shellcode start addresses differ between screenshots because they were taken from different runs.

From there it resolves the function addresses it needs and decrypts part of the included file, 779973275; the shellcode is also part of that file. The decrypted data is a PE file:

After that it uses the process hollowing technique to execute the decrypted file:

Note: for more information about process hollowing you can read my previous posts.

The extracted file is packed with stock UPX, which is very simple to unpack.

You can download the extracted and unpacked sample of Shade ransomware from hybrid-analysis and/or VirusTotal.

Any feedback appreciated.

Twitter: @_qaz_qaz