Reader Ruben submitted a malicious executable (MD5 905a5167b248647ce31d57d241aacd63):

This PE file (analyzed here with pecheck.py) contains a section named .ndata; that's an indicator that this executable was created with the Nullsoft Scriptable Install System (NSIS).

We're taking this sample as an opportunity to show some simple methods to analyze executables created with NSIS.

7-Zip is able to extract the content of NSIS installers:

The malware contains 2 executables: patch.exe and setup.exe (and a plugin DLL).

What I did not know, but learned from this page, is that older versions of 7-Zip can decompile the NSIS setup script too. Here I'm using 7-Zip version 15.05:

Be careful with this older version of 7-Zip, it is vulnerable and exploitable (I perform this quick analysis inside a virtual machine).

This setup script will create a folder 1337 inside the user's AppData folder, write patch.exe and setup.exe to this folder and launch these executables. Of particular interest is the following code:

CSIDL 0x1A used with function SHGetSpecialFolderPath gives the user's AppData folder.

We can extract these executables, and just by looking at the icons, it's likely that patch.exe is a self-extracting RAR file.

Setup.exe turns out to be another NSIS-created executable:
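A small triage check for the NSIS indicator described above, written as an added example and not code from the original post: it parses the PE section table by hand (no pefile dependency) and flags a `.ndata` section, and it goes slightly beyond the post by also looking for the `NullsoftInst` marker that NSIS writes into the installer's first header. The `build_fake_pe` helper is an assumption of this example; it constructs a minimal PE skeleton so the check can be exercised without a real sample.

```python
import struct

NSIS_MARKER = b"NullsoftInst"  # follows the 0xDEADBEEF magic in the NSIS firstheader


def pe_section_names(data):
    """Return the section names of a PE image (raw bytes), or [] if data is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    # COFF file header: NumberOfSections at +6, SizeOfOptionalHeader at +20 (from signature)
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_hdr_size  # 4-byte signature + 20-byte COFF header
    names = []
    for i in range(num_sections):
        off = sec_table + i * 40  # each IMAGE_SECTION_HEADER is 40 bytes, name is first 8
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def nsis_indicators(data):
    """Return the NSIS indicators found in a PE image: '.ndata' section and/or NSIS marker."""
    found = []
    if ".ndata" in pe_section_names(data):
        found.append("section .ndata")
    if NSIS_MARKER in data:
        found.append("NullsoftInst marker")
    return found


def looks_like_nsis(data):
    return bool(nsis_indicators(data))


def build_fake_pe(section_names):
    """Constructed sample: a minimal, non-runnable PE skeleton with the given section names."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=i386, NumberOfSections, timestamp, symtab ptr, nsyms, SizeOfOptionalHeader=0, flags
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos_header + b"PE\0\0" + coff + sections


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, nsis_indicators(f.read()) or "no NSIS indicators")
```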