Quick analysis of malware created with NSIS

Published: 2018-05-27
Last Updated: 2018-05-27 15:45:18 UTC
by Didier Stevens (Version: 1)
0 comment(s)

Reader Ruben submitted a malicious executable (MD5 905a5167b248647ce31d57d241aacd63):

This PE file (analyzed here with pecheck.py) contains a section named .ndata, that's an indicator that this executable was created with the Nullsoft Scriptable Install System (NSIS).

We're taking this sample as an opportunity to show some simple methods to analyze executables created with NSIS.

7-Zip is able to extract the content of NSIS installers:

The malware contains 2 executables: patch.exe and setup.exe (and a plugin DLL).

What I did not know, but learned from this page, is that older versions of 7-Zip can decompile the NSIS setup script too. Here I'm using 7-Zip version 15.05:

Be careful with this older version of 7-Zip, it is vulnerable and exploitable (I perform this quick analysis inside a virtual machine).

Here is the decompiled script:

Of particular interest is the following code:

CLSID 0x1A used with function SHGetSpecialFolderPath gives the user's AppData folder. This setup script will create a folder 1337 inside the user's AppData folder, write patch.exe and setup.exe to this folder and launch these executables.

We can extract these executables, and just by looking at the icons, it's likely that patch.exe is a self-extracting RAR file. 7-Zip can handle these too:

setup.exe turns out to be another NSIS-created executable:

This script will install a Windows service (AdobeFlashPlayerHash):

Remark the message box at the end of the function, added to social-engineer the user into believing that there was a problem with the installation.

The Windows service executable itself (client.exe) turns out to be packed with UPX, we can see this because 7-Zip can also show/extract PE file sections:

Unpacking UPX-compressed PE files is simple (upx -d). And just by searching for strings that match a URL regex in this executable, we can find valuable IOCs:

The results of this quick static analysis can be checked via dynamic analysis:

If you prefer command-line analysis tools, or tools that can run on Linux or OSX, take a look at the NSIS decompiling page.

Didier Stevens
Microsoft MVP Consumer Security
blog.DidierStevens.com DidierStevensLabs.com

0 comment(s)


Diary Archives