Whenever I analyze malicious .msi files, questions come up about the structure and function of .msi files. Of course, most of them are just simple installers. But sometimes one has a lot of functionality and is hard to analyze, so I decided to find a way to analyze them properly.

1. 7z

If you open the file 800db6507256cde0514990f2bf0a414a with 7z, you can see the following structure. Note that “Binary._D7D112F049BA1A655B5D9A1D0702DEE5” is an .exe, even though it has no extension.

In contrast, the structure of eecb8098f5de87a26d5d1780f7552033 is as follows.

In fact, the PE file lives in a .cab file inside the msi, but 7z automatically extracts the .cab and shows the PE file inside it. If you instead open the msi with “7-Zip -> Open archive -> *” from the context menu, you get a result similar to the previous one.

2. Orca

7z is useful for viewing the internal files, but it can’t show the actual functionality of an msi. Orca is a tool that displays the various tables of an msi file. You can find it by googling “Orca msi installer”. ( Orca.msi : 710ae2be53e11f3d5c5f8cfccce76a3a )

Open the msi file with Orca and you will see the following tables. In this section, we focus on the parts that matter for malware analysis.

a. File Table

The msi file d8d4facbe26427176cf8801d03c69c45 contains disk1.cab, which in turn contains the four files seen in the screenshot below. I am not sure, but when an internal file lives inside the .cab, it seems to appear like this in the File Table.

b. Binary Table

The following is the 800db6507256cde0514990f2bf0a414a file mentioned earlier. When a file is not inside a .cab but stored directly inside the msi file, it appears in the Binary Table.

c. Component Table

Again d8d4facbe26427176cf8801d03c69c45. The Component Table appears to specify where the files contained in the .cab are installed, that is, where they are dropped.

d. Registry Table

d8d4facbe26427176cf8801d03c69c45 is a feature-rich piece of msi malware. It also writes values to the registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations using the msi Registry Table.

e. CustomAction Table

This is the most important table. Unlike the other tables, you need to look at the details of each action item.

e.1. Custom

800db6507256cde0514990f2bf0a414a

First of all, the simplest case is 800db6507256cde0514990f2bf0a414a. As mentioned earlier, the actual malicious code is stored in the Binary Table under the name _D7D112F049BA1A655B5D9A1D0702DEE5. For reference, this is the entry 7z shows as Binary._D7D112F049BA1A655B5D9A1D0702DEE5.

In the screenshot below, the Action is _D7D112F049BA1A655B5D9A1D0702DEE5 and the Source is _D7D112F049BA1A655B5D9A1D0702DEE5. The important point is that the Action name can be any value (here it has no .exe extension); what actually gets executed is the file referenced by Source.

f9d3b6dc33077979720e149ece6bc6ac

Of course, in most msi files the internal files have an extension that makes them easier to identify. f9d3b6dc33077979720e149ece6bc6ac runs jjtur.js, the value of Source, which exists in the Binary Table.

f3a20a781bcc6122981ff9caa7ed5580

Some unusual cases also exist. f3a20a781bcc6122981ff9caa7ed5580 has no Source but only a Target, which contains malicious JScript code. You can see that this JScript exists in the !_StringData file. (It appears on the line after DFNLFP34314BAEL.)

Besides the JScript, many other strings exist in the !_StringData file; it seems that every string used by the tables, such as the error strings in the Error Table, is stored here.
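As an added example (not from the original post), here is a small Python script that decodes the obfuscated stream names an msi stores in its OLE compound file, which is why 7z shows names like "!_StringData" and "Binary.<key>", and flags Binary.* streams whose content is a PE file despite the missing extension. It assumes the third-party olefile package is installed; the classification of other stream contents is a simple heuristic of my own.

```python
import sys

# Windows Installer packs stream names 6 bits per character using this alphabet.
_ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._"

def decode_stream_name(name: str) -> str:
    """Map an encoded compound-file stream name back to its MSI name.
    U+3800..U+47FF holds two 6-bit chars (low bits first), U+4800..U+483F
    a single trailing char, and U+4840 is the table marker shown as '!'."""
    out = []
    for ch in name:
        c = ord(ch)
        if 0x3800 <= c < 0x4800:
            c -= 0x3800
            out.append(_ALPHABET[c & 0x3F] + _ALPHABET[c >> 6])
        elif 0x4800 <= c < 0x4840:
            out.append(_ALPHABET[c - 0x4800])
        elif c == 0x4840:
            out.append("!")
        else:
            out.append(ch)  # ordinary characters pass through unchanged
    return "".join(out)

def sniff_payload(data: bytes) -> str:
    """Classify the start of a Binary-table stream by content, since the
    stream name carries no extension: 'pe' for an MZ header, 'text' for a
    printable body such as a JScript or VBScript file, else 'other'."""
    if data[:2] == b"MZ":
        return "pe"
    head = data[:512]
    if head and all(32 <= b < 127 or b in (9, 10, 13) for b in head):
        return "text"
    return "other"

def triage(path: str):
    """Yield (decoded name, kind) for every stream in the msi at path."""
    import olefile  # assumption: third-party package, pip install olefile
    with olefile.OleFileIO(path) as ole:
        for parts in ole.listdir(streams=True, storages=False):
            name = decode_stream_name("/".join(parts))
            kind = ""
            if name.startswith("Binary."):
                kind = sniff_payload(ole.openstream(parts).read(512))
            yield name, kind

if __name__ == "__main__":
    for name, kind in triage(sys.argv[1]):
        print(f"{kind:5} {name}")
```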

e.2. ExecuteScriptCode

The ExecuteScriptCode action is also one of the most frequently used (d8d4facbe26427176cf8801d03c69c45). Below you can see the malicious VBScript code in ExecuteScriptCode; it is likewise stored in !_StringData.

ExecuteScriptCode can contain JScript as well as VBScript (a8123c2e3a8a51685c2287ee26b28a9d).