Bottom line, any time you have the opportunity to obtain and analyze the original source code, you take it!Įxe2Aut is an application that enables simple drag-and-drop decompilation of compiled AutoIt scripts. With the standalone executable, the malicious payload will be presented as a single. This is just how this particular miscreant decided to trick the victim into running their malware. Note that the method for getting the unsuspecting victim to execute the malicious AutoIt payload will likely differ between samples.
#DECOMPILING AN AUTOIT EXE CODE#
We can see how this malware is executed by inspecting the specified targets of the shortcut files also present within the same directory Figure 6.Īs expected, the malicious code is executed by passing in the compiled AutoIt Script WinddowsUpdater. The contents of this particular script is shown in Figure 5. In the example provided in Figure 1, this would be WinddowsUpdater. In order for it to facilitate malicious code execution, the interpreter must be fed a script. The AutoIt interpreter, by itself, is benign. Figure 4 shows that the hash for WinddowsUpdater. Third, you can compare the hash of the file in question to the hash of the actual AutoIt3. Second, if you inspect the version information for this file within PEStudio, you will see multiple references to AutoIt medium fidelity Figure 3. The first sign that is the case is the icon for the file, which is the AutoIt icon extremely low fidelity Figure 2. Here is an example of one such malicious sample.
#DECOMPILING AN AUTOIT EXE HOW TO#
I will, however, attempt to provide you with a starting point by showing you how to get from a compiled AutoIt binary to a plain-text script. Unfortunately, there are way too many different ways that malware authors have leveraged AutoIt for me to write a one-analysis-fits-all post. Now, the rest of the work is easy.AutoIt is yet-another-development-language that malware authors leverage to create and obfuscate their malware. The obfuscator used by MASAD and QULAB is the same. A picture of the main function from the blog is shown below Figure 8: Picture from QULAB malware blog This main function looks familiar, it is a copy of man function described in the blog about Qulab malware. Figure 7: Main function after tokens have been replaced with mnemonics After you have replaced all of the tokens with mnemonics, it will look something like Figure 7. Since it is a small function, let’s replace tokens manually. A complete mapping of opcodes/tokens to mnemonics can found in the source code of myExe2Aut DeTokeniser.bas here. 33corresponds to Func, 13-> EndFunc, 15 -> To 33 -> EndFun and so on. It looks strange, myAut2Exe has been able to decompile the whole malware code, but it hasn’t been able to correctly maps the opcodes/tokens to mnemonics. Figure 6: Main function of the decompiled script. It will generate the decompiled code file masad_3 in the current folder.
drag and drop the malware and click on Scan File-> Automated Figure 5: Decompiling executable with myAut2Exe The directive is used to specify the main function of the script, and it can’t be found in the file.ĭon’t worry! There is another excellent tool available: myAutToExe . Unfortunately, ClamAV only able to decompile it partially.
So it seems like ClamAV has been able to decompile the file. The first few lines of the file are shown in Figure 4. \tmp\clamav-.tmp\autoit.001 and apply AU3 formating. Where -leave-temps option instruct Clamscan to leave the temporary generated during analysis, and -tempdir specifies the path of the directory to use for temporary files. Now, that is interesting, it fails with a strange error.ĬlamAV can also decompile AutoIt executables. Opening a binary in ExeInfo PE shows that malware is an AutoIT compiled executable as shown in figure 1 Figure 1Įxe2Aut can be used to decompile an executable to AutoIT code. I will be analyzing the first sample Juniper blog’s IOC section. Its analysis covers most of the challenges faced by malware analysts while analyzing scripting language based malwares. They did a pretty good writeup of malware capabilities but didn’t include many details about how they analyzed the malware. A couple of months ago, Juniper published a blog about Masad Stealer.
0 kommentar(er)
