secrary[dot]com

Unpacking Shade Ransomware

I’m trying to unpack the Shade ransomware. The sample is relatively new (2017-11-01): VirusTotal Analysis.

For behavior analysis, we can use the report from Hybrid Analysis.

Overview of NSIS

The ransomware is packaged as an NSIS (Nullsoft Scriptable Install System) installer. NSIS is the open-source tool many developers use to build Windows installers; the project's own description reads:

NSIS is a professional open-source system designed to create Windows installers. It is small and flexible, making it suitable for internet distribution.

NSIS Overview

Rather than reversing the installer binary directly, we can extract the .nsi script from it and read the script instead. One caveat: this needs 7-Zip 15.05 or older. Starting with 15.06, 7-Zip no longer decompiles NSIS scripts (the [NSIS].nsi entry no longer appears in the archive listing), although it still extracts the embedded files and plugin DLLs.

Extracting NSIS Script

You can download the extracted script from the Gist: Extracted Script.

The script appears to be a modified version of the installer for a legitimate tool, smartmontools, with the malicious code added. All the malicious calls live in the .onInit callback, which NSIS runs as soon as the installer is launched, before the first page is displayed; nothing in the installer UI has to be clicked for them to execute.

NSIS System Plugin

The script uses the NSIS System plugin, which is very powerful: it lets a script call any exported function in any DLL, pass raw pointers around, and call raw addresses. The plugin itself is embedded in the installer executable as system.dll and is extracted to the installer's temporary $PLUGINSDIR at run time.

System Plugin

For example, System::Call "kernel32::GetModuleHandle(t 'user32.dll') p .s" calls GetModuleHandle in kernel32.dll with the text argument 'user32.dll' (t marks a text parameter) and pushes the returned pointer (p) onto the NSIS stack (.s); a later Pop hands the script user32's base address. In effect the System plugin acts as a proxy from the script to the Win32 API, so reading the script is the same as reading what the malware does. The full calling syntax is documented on the plugin's official page.
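As an added example (this is not code from the original post, nor from the Shade script), here is a small Python triage helper that pulls every System::Call of the dll::function form out of an extracted .nsi script, splits it into DLL, function, argument list and output destination, and counts the APIs that are typical of in-memory execution. The SAMPLE_NSI text, its register numbers and the IN_MEMORY_EXEC list are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the style of an NSIS .onInit section. These lines were
# written for this example; they are not taken from the extracted Shade script.
SAMPLE_NSI = r'''
Function .onInit
  System::Call "kernel32::GetModuleHandle(t 'user32.dll') p .s"
  Pop $0
  System::Call "kernel32::GetProcAddress(p r0, t 'MessageBoxA') p .r1"
  System::Call "kernel32::VirtualAlloc(p 0, i 4096, i 0x3000, i 0x40) p .r2"
  System::Call "kernel32::RtlMoveMemory(p r2, p r3, i 4096)"
  System::Call "kernel32::VirtualProtect(p r2, i 4096, i 0x20, *i .R4)"
FunctionEnd
'''

# Matches: System::Call "dll::function(args) [return-type .destination]"
CALL_RE = re.compile(
    r'System::Call\s+"(?P<dll>\w+)::(?P<func>\w+)\((?P<args>[^)]*)\)\s*(?P<ret>[^"]*)"'
)

# APIs that, taken together, usually mean "run code the installer carries in memory".
# This list is an assumption for the example, not something the post defines.
IN_MEMORY_EXEC = {
    "GetProcAddress", "VirtualAlloc", "VirtualAllocEx", "VirtualProtect",
    "RtlMoveMemory", "CreateThread", "WriteProcessMemory", "CreateRemoteThread",
}


def decode_destination(ret_spec):
    """Translate the plugin's output spec: 'p .s' pushes the result onto the
    NSIS stack, 'p .r2' stores it in $2 and 'p .R4' stores it in $R4."""
    m = re.fullmatch(r"(\w+)\s*\.(s|[rR]\d)", ret_spec.strip())
    if not m:
        return None
    ctype, dest = m.groups()
    if dest == "s":
        where = "stack"
    elif dest.startswith("r"):
        where = "$" + dest[1:]
    else:
        where = "$R" + dest[1:]
    return {"type": ctype, "dest": where}


def extract_system_calls(script):
    """Return one dict per dll::function style System::Call in the script."""
    calls = []
    for m in CALL_RE.finditer(script):
        calls.append({
            "dll": m.group("dll").lower(),
            "func": m.group("func"),
            "args": [a.strip() for a in m.group("args").split(",") if a.strip()],
            "output": decode_destination(m.group("ret")),
        })
    return calls


def in_memory_exec_summary(script):
    """Count the calls that belong to the in-memory execution pattern."""
    counts = Counter(c["func"] for c in extract_system_calls(script))
    return {f: n for f, n in counts.items() if f in IN_MEMORY_EXEC}
```

Run it on the real extracted script with extract_system_calls(open("script.nsi").read()). The pattern deliberately only captures the dll::function form; a call through a raw address held in a register, like the one the malware ends with, needs a second pattern, and any script that allocates executable memory, copies into it and then jumps to a register is a loader rather than an installer.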

I recreated the malicious part of the script and added comments to help you understand how the malware works:

We can set a breakpoint on the System plugin's Call export inside system.dll, since every System::Call in the script ends up there. When the script reaches its last call, System::Call "$5p r13, i 863248)", it invokes the raw address held in $5 (with the pointer in $13 and the integer 863248 as arguments), and execution jumps to that address:

Breakpoint

Analyzing the Shellcode

Now we are inside the shellcode:

Shellcode

Note:

The destination/start addresses of the shellcode differ between screenshots because they come from different runs; the address is not fixed.

From this point on, the shellcode resolves the API addresses it needs and decrypts part of the file bundled in the installer, 779973275 (the shellcode itself is also stored in that file). The decrypted data is a PE file:

Decrypted PE File

It then executes the decrypted file with the process hollowing technique: a legitimate process is started in a suspended state, its original image is unmapped, the decrypted PE is written into the child's address space, the main thread's context is pointed at the new entry point, and the thread is resumed. Nothing new lands on disk; the payload only ever exists in the hollowed process's memory, which is why the decrypted PE has to be dumped from there or from the shellcode's buffer.

Process Hollowing
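The sequence above is recognisable in a sandbox API trace. The following Python, added here as an example and not part of the original post, checks an ordered call log for a suspended CreateProcess followed by the hollowing steps issued against the same process and thread handles. SAMPLE_TRACE is a constructed log in a sandbox-like format (the handle values, sizes and the target path are invented); a real Hybrid Analysis export has its own layout and would need its own parser.

```python
import re

CREATE_SUSPENDED = 0x4  # dwCreationFlags bit that keeps the new process parked

# Hollowing steps expected after a suspended CreateProcess*, in this order.
HOLLOWING_STEPS = [
    "NtUnmapViewOfSection",   # drop the legitimate image
    "VirtualAllocEx",         # reserve room for the payload in the child
    "WriteProcessMemory",     # copy the decrypted PE in
    "SetThreadContext",       # point the main thread at the new entry point
    "ResumeThread",           # and let it run
]

# Constructed trace in the style of a sandbox API log. Handles, sizes and the
# target path are made up for this example; nothing here is from the Shade report.
SAMPLE_TRACE = [
    "CreateProcessW(lpApplicationName='C:\\Windows\\System32\\svchost.exe', dwCreationFlags=0x4) = hProcess:0x1a4, hThread:0x1a8",
    "NtUnmapViewOfSection(ProcessHandle=0x1a4, BaseAddress=0x400000)",
    "VirtualAllocEx(hProcess=0x1a4, lpAddress=0x400000, dwSize=0x2d000, flProtect=0x40)",
    "WriteProcessMemory(hProcess=0x1a4, lpBaseAddress=0x400000, nSize=0x400)",
    "WriteProcessMemory(hProcess=0x1a4, lpBaseAddress=0x401000, nSize=0x2c000)",
    "SetThreadContext(hThread=0x1a8)",
    "ResumeThread(hThread=0x1a8)",
]

LINE_RE = re.compile(r"^(?P<api>\w+)\((?P<args>.*?)\)(?:\s*=\s*(?P<ret>.*))?$")
KV_RE = re.compile(r"(\w+)[=:]('[^']*'|[^,\s]+)")


def parse_call(line):
    """Split 'Api(k=v, ...) = k:v, ...' into api name, argument dict, return dict."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None

    def kv(text):
        return {k: v.strip("'") for k, v in KV_RE.findall(text or "")}

    api = m.group("api")
    if api.startswith("Zw"):          # Zw* and Nt* name the same system call
        api = "Nt" + api[2:]
    return {"api": api, "args": kv(m.group("args")), "ret": kv(m.group("ret"))}


def detect_process_hollowing(trace):
    """Return one finding per suspended child that received the full hollowing chain."""
    events = [e for e in map(parse_call, trace) if e]
    findings = []
    for i, ev in enumerate(events):
        if not ev["api"].startswith("CreateProcess"):
            continue
        if not int(ev["args"].get("dwCreationFlags", "0"), 16) & CREATE_SUSPENDED:
            continue
        # Only calls aimed at this child's process or thread handle count.
        handles = {ev["ret"].get("hProcess"), ev["ret"].get("hThread")} - {None}
        matched, step = [], 0
        for later in events[i + 1:]:
            if step == len(HOLLOWING_STEPS):
                break
            target = (later["args"].get("hProcess") or later["args"].get("ProcessHandle")
                      or later["args"].get("hThread"))
            if later["api"] == HOLLOWING_STEPS[step] and target in handles:
                matched.append(later["api"])
                step += 1
        if step == len(HOLLOWING_STEPS):
            findings.append({"child": ev["args"].get("lpApplicationName"),
                             "hProcess": ev["ret"].get("hProcess"),
                             "sequence": matched})
    return findings
```

The check is a subsequence match, not a contiguous one, so the second WriteProcessMemory and any unrelated calls in between do not break it; requiring the same handles throughout is what keeps a benign suspended start plus someone else's VirtualAllocEx from lining up into a false positive.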

Note:

The extracted file is packed with UPX, which is trivial to unpack: a stock upx -d is enough as long as the UPX headers have not been tampered with.
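Once the decrypted buffer has been dumped, the PE still has to be located and carved out of it, and the section names tell you at a glance whether a second unpacking step is needed. The Python below is an added example (not from the original post) that scans a buffer for MZ/PE header pairs, reads each section table and flags UPX's default section names; build_constructed_pe produces a headers-only test image that is constructed for the example and is not the Shade payload.

```python
import struct

COFF_HDR = "<HHIIIHH"          # IMAGE_FILE_HEADER, 20 bytes
SECTION_HDR = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER, 40 bytes


def parse_pe_at(blob, off):
    """Validate an MZ/PE header pair at `off` and read its section table."""
    if off + 0x40 > len(blob) or blob[off:off + 2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", blob, off + 0x3C)[0]
    pe = off + e_lfanew
    if e_lfanew < 0x40 or pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\0\0":
        return None
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, blob, pe + 4)
    first = pe + 24 + opt_size            # section table follows the optional header
    if nsec == 0 or nsec > 96 or first + 40 * nsec > len(blob):
        return None
    names, claimed_end = [], first + 40 * nsec - off
    for i in range(nsec):
        name, _, _, raw_size, raw_ptr = struct.unpack_from("<8sIIII", blob, first + 40 * i)
        names.append(name.rstrip(b"\0").decode("ascii", "replace"))
        claimed_end = max(claimed_end, raw_ptr + raw_size)
    return {
        "offset": off,
        "machine": machine,
        "sections": names,
        "upx": any(n.startswith("UPX") for n in names),   # UPX0/UPX1 are UPX's defaults
        "claimed_size": claimed_end,                        # per the headers' own raw sizes
    }


def find_pe_images(blob):
    """Scan a dumped buffer for embedded PE files and describe each hit."""
    hits, off = [], blob.find(b"MZ")
    while off >= 0:
        info = parse_pe_at(blob, off)
        if info:
            hits.append(info)
        off = blob.find(b"MZ", off + 2)
    return hits


def carve(blob, info):
    """Cut one image out of the buffer using the size its own headers claim."""
    return blob[info["offset"]:info["offset"] + info["claimed_size"]]


def build_constructed_pe(section_names, opt_size=0xE0):
    """Headers-only PE32 for testing. Constructed for this example; it is not
    the Shade payload and does not run."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                       # e_lfanew
    coff = struct.pack(COFF_HDR, 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    secs = b"".join(
        struct.pack(SECTION_HDR, n.ljust(8, b"\0"), 0x1000, 0x1000 * (i + 1),
                    0x200, 0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
        for i, n in enumerate(section_names))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + secs
```

The carve uses the sizes the headers claim, which is right for a file-layout copy like the one the shellcode decrypts; an image dumped from the hollowed process is already mapped by virtual address, so there the section VirtualAddress/VirtualSize fields have to be used instead, and the MZ hit inside the shellcode's own buffer should be checked against the process dump to confirm they are the same payload.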

You can download the extracted and unpacked sample of Shade ransomware from Hybrid Analysis and/or VirusTotal.

Any feedback is appreciated.