Unpacking Shade Ransomware
I’m trying to unpack Shade ransomware; the sample is relatively new.
For behavior analysis we can use the report from hybrid-analysis.com.
The sample is built with NSIS, a tool that helps developers create Windows installers. From the project's own description:
NSIS (Nullsoft Scriptable Install System) is a professional open source system to create Windows installers. It is designed to be as small and flexible as possible and is therefore very suitable for internet distribution.
We can extract the .nsi script from the installer and analyze it instead of working with the executable. We need 7-Zip 15.05, because later versions of 7-Zip no longer support extracting the .nsi script.
You can download the extracted script from the Gist link.
It seems this script is a modified version of the installer script for a legitimate tool called smartmontools; all the malicious calls are in the .onInit function, which executes as soon as the installer starts.
The malware relies on the System plugin from NSIS, which is a very powerful one (the plugin is packed into the original executable as system.dll): you can call any function from any DLL via the plugin, for example System::Call "kernel32::GetModuleHandle(t 'user32.dll') p .s". It acts as a kind of proxy, so we need to understand the script to get an idea of what happens. For more information about the plugin, visit its official page.
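To get that idea quickly from a decompiled .nsi, here is an added triage script (example code, not from the original post and not the author's recreated Shade script). It lists every System::Call together with the Function or Section it sits in, and flags the resolve/allocate/call-through-pointer pattern in .onInit. The embedded SAMPLE_NSI is constructed for the demo, the LOADER_APIS list and the looks_like_loader() rule are this example's own heuristics, and 'SomeExport' is a placeholder rather than an API the real sample resolves.

```python
"""Triage helper for a decompiled NSIS (.nsi) script.

Added example; not part of the original post and not the author's recreated
Shade script. It walks a .nsi script, records every System::Call together with
the Function/Section it lives in, and flags the Win32 APIs that together form
the resolve/allocate/execute chain of an in-memory loader. SAMPLE_NSI is
constructed for the demo; LOADER_APIS and looks_like_loader() are heuristics.
"""
import re
from collections import defaultdict

# Each of these is benign on its own; several of them inside .onInit, next to
# a call through a register-held pointer, is the shape of a loader.
LOADER_APIS = {
    "GetModuleHandle", "GetProcAddress", "VirtualAlloc", "VirtualAllocEx",
    "VirtualProtect", "WriteProcessMemory", "CreateProcessA", "CreateProcessW",
    "NtUnmapViewOfSection", "SetThreadContext", "ResumeThread", "CreateRemoteThread",
}
ALLOC_APIS = {"VirtualAlloc", "VirtualAllocEx"}

FUNC_RE = re.compile(r"^\s*(?:Function|Section)\s+(\S+)", re.IGNORECASE)
END_RE = re.compile(r"^\s*(?:FunctionEnd|SectionEnd)\b", re.IGNORECASE)
# System::Call takes its prototype in single, double or back quotes.
CALL_RE = re.compile(r"System::Call\s+(['\"`])(.*?)\1", re.IGNORECASE)
# 'kernel32::VirtualAlloc(' -> dll=kernel32, api=VirtualAlloc; '$5(' -> api=$5.
PROC_RE = re.compile(r"^(?:(?P<dll>[\w.]*)::)?(?P<api>[\w$]+)")

# Constructed sample, loosely shaped like an installer script with a hostile
# .onInit. 'SomeExport' is a placeholder for whatever $5 ends up pointing at.
# In the System plugin, r0-r9 mean $0-$9 and r10-r19 mean $R0-$R9.
SAMPLE_NSI = r"""
Name "smartmontools"
OutFile "smartmontools-setup.exe"

Function .onInit
  System::Call "kernel32::GetModuleHandle(t 'user32.dll') p .s"
  Pop $0
  System::Call "kernel32::GetProcAddress(p r0, t 'SomeExport') p .r5"
  System::Call "kernel32::VirtualAlloc(p 0, i 0x40000, i 0x3000, i 0x40) p .r13"
  File /oname=$PLUGINSDIR\779973275 "779973275"
  System::Call "$5(p r13, i 863248)"
FunctionEnd

Section "Install"
  SetOutPath $INSTDIR
  File "smartctl.exe"
  System::Call "user32::MessageBox(p 0, t 'Done', t 'smartmontools', i 0)"
SectionEnd
"""


def extract_calls(script_text):
    """Return (function, dll, api, prototype) for every System::Call in the script."""
    current, calls = "<global>", []
    for line in script_text.splitlines():
        header = FUNC_RE.match(line)
        if header:
            current = header.group(1).strip("\"'")
            continue
        if END_RE.match(line):
            current = "<global>"
            continue
        call = CALL_RE.search(line)
        if not call:
            continue
        proto = call.group(2)
        proc = PROC_RE.match(proto)
        dll = (proc.group("dll") or None) if proc else None
        api = proc.group("api") if proc else None
        calls.append((current, dll, api, proto))
    return calls


def triage(script_text):
    """Per Function/Section: call count, loader-chain APIs hit, calls through a pointer."""
    report = defaultdict(lambda: {"calls": 0, "suspicious": [], "indirect": 0})
    for func, _dll, api, _proto in extract_calls(script_text):
        entry = report[func]
        entry["calls"] += 1
        if api and api.startswith("$"):
            entry["indirect"] += 1      # e.g. "$5(...)": target is whatever $5 holds
        elif api in LOADER_APIS:
            entry["suspicious"].append(api)
    return dict(report)


def looks_like_loader(report, func=".onInit"):
    """Heuristic: the function allocates memory and then calls through a raw pointer."""
    entry = report.get(func)
    if not entry:
        return False
    return bool(ALLOC_APIS & set(entry["suspicious"])) and entry["indirect"] > 0


if __name__ == "__main__":
    result = triage(SAMPLE_NSI)
    for func, entry in result.items():
        print(f"{func}: {entry}")
    print(".onInit looks like a loader:", looks_like_loader(result))
```

Run it against the script 7-Zip extracted instead of SAMPLE_NSI; the point is that a Section full of ordinary File and SetOutPath commands with one MessageBox scores nothing, while a short .onInit that resolves, allocates and then calls an address held in a register stands out immediately, whatever the installer claims to be.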
I recreated the malicious part of the script and added some comments to help you understand how the malware works:
We can set a breakpoint on the System::Call function, and when the script reaches the last call, System::Call "$5(p r13, i 863248)" (which calls the address held in $5 with $R3 and the integer 863248 as arguments), it jumps to the destination address:
Now we are inside the shellcode:
Note: the destination/shellcode start addresses differ between screenshots because they were taken from different runs.
From there it finds the necessary function addresses and decrypts part of an included file, 779973275; the shellcode is also part of that file.
The decrypted data is:
After that it uses the process hollowing technique to execute the decrypted file:
Note: for more information about process hollowing, you can read my previous posts.
The extracted file is packed with plain UPX, which is very simple to unpack.
Any feedback is appreciated.