[Mal Series #6] AutoIT Analysis Guide

GhouLSec
3 min read · Jun 6, 2020


Here are some tips for analyzing AutoIt malware.

So far, I have encountered these two types of AutoIt malware:

  1. A PE with an AutoIt script embedded in its resource section.
  2. A clean AutoIt script loader plus a malicious input file.

Analysis tools for AutoIt:

Analysis

The first type is straightforward: drop the PE file into Exe2Aut and it extracts the embedded AutoIt script in plain text, writing a .au3 file that can be opened in the AutoIt debugger for closer analysis.

The second type loads its payload from a raw encrypted .au3 file instead of a script embedded in a PE. You can spot the au3 script magic bytes AU3!EA06 (06 is the script subtype) in the file's hex dump, as shown in the picture below.

Looking for AU3!EA0 to determine whether it is a valid au3 script file
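A small triage script for the marker check above, added here as an example and not part of the original post: it searches a blob for the "AU3!EA0" text plus one subtype character, reports each hit with its surrounding hex, and sorts the sample into the two types described earlier (a PE carrying the script, or a raw .au3 payload). The sample byte strings are constructed for the demonstration, not taken from any real file.

```python
import sys
import re
from typing import List, Tuple

# The post names the marker "AU3!EA06": the fixed text "AU3!EA0" plus one subtype
# character (here "6"). The regex captures the subtype so it can be reported.
AU3_MARKER = re.compile(rb"AU3!EA0(.)", re.DOTALL)


def find_au3_markers(data: bytes) -> List[Tuple[int, str]]:
    """Return (offset, subtype) for every AU3!EA0x marker found in the blob."""
    return [(m.start(), m.group(1).decode("latin-1")) for m in AU3_MARKER.finditer(data)]


def classify(data: bytes) -> str:
    """Sort a sample into the two types the post describes, or neither."""
    if not find_au3_markers(data):
        return "no-au3-marker"
    if data[:2] == b"MZ":
        return "pe-with-embedded-au3"   # type 1: hand it to Exe2Aut
    return "raw-au3-payload"           # type 2: hand it to myAut2Exe


def hex_context(data: bytes, offset: int, width: int = 8) -> str:
    """Hex dump of the bytes around a marker, like the strip you'd eyeball in a hex editor."""
    start = max(0, offset - width)
    chunk = data[start:offset + 8 + width]
    return " ".join(f"{b:02x}" for b in chunk)


# Constructed samples (synthetic bytes, not taken from any real malware).
SAMPLE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 40 + b"AU3!EA06" + b"\x00" * 16
SAMPLE_RAW = b"\xde\xad" * 4 + b"AU3!EA06" + b"\x11" * 32
SAMPLE_CLEAN = b"MZ" + b"\x00" * 128

if __name__ == "__main__":
    # Usage: python au3_triage.py <file>; with no argument the constructed raw sample is scanned.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RAW
    print(classify(blob))
    for off, sub in find_au3_markers(blob):
        print(f"  marker at 0x{off:x} (subtype {sub}): {hex_context(blob, off)}")
```

The marker check only tells you a compiled/encrypted AutoIt script is present; the body after it is still encrypted, which is why the next step hands the file to myAut2Exe rather than reading it directly.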

To analyse it statically, we need another tool, myAut2Exe, which scans and decrypts the encrypted AutoIt payload according to its version. Its Scan File tab offers both manual and automatic scan modes, so the analyst can customise how the payload file is scanned.

After the scan it writes a .au3 script containing the full payload code in plain text. Load that in the AutoIt debugger for further analysis, since myAut2Exe cannot display the full decrypted script in its own window, and the debugger's syntax highlighting helps too.

.au3 script in AutoIT debugger, looks better huh :D

To debug it, set a breakpoint on the line where you want the script to stop. The downside of the debugger is that it only supports step-into debugging, which becomes time consuming for a very long script.

To continue the analysis, we can debug it in x32dbg and set breakpoints on the Windows API calls found in the script. The AutoIt script keeps calling CallWindowProc, a trick for executing embedded shellcode from a script. Breaking on that call lets the shellcode be extracted for further static analysis.
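When you have a decompiled .au3 in hand, the CallWindowProc pattern can be flagged before you ever reach the debugger. The script below is an added example, not the post's PoC and not any tool's code: it greps a script for the indicators that make up the pattern (a DllCall into user32 naming CallWindowProc, a raw byte[] DllStruct, a DllStructSetData fill, and a long inline hex blob) and reports which lines to set breakpoints on. The two sample scripts are constructed for the demonstration; the "payload" in the first is just a run of INT3 placeholder bytes.

```python
import re
import sys
from typing import Dict, List

# Indicators of the CallWindowProc shellcode-runner pattern the post describes.
# AutoIt identifiers are case-insensitive, so every pattern uses re.IGNORECASE.
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    # DllCall into user32 naming CallWindowProc: the byte buffer is handed over as the "window procedure"
    "callwindowproc": re.compile(
        r"DllCall\s*\(\s*['\"]user32(?:\.dll)?['\"].*?['\"]CallWindowProc[AW]?['\"]", re.I),
    # a raw byte[] structure: where the code bytes get staged
    "byte_struct": re.compile(r"DllStructCreate\s*\(\s*['\"]byte\s*\[", re.I),
    # the struct being filled from script data rather than by an API
    "struct_fill": re.compile(r"DllStructSetData\s*\(", re.I),
    # a long inline hex literal, typical of an embedded encoded payload
    "hex_blob": re.compile(r"0x[0-9A-Fa-f]{32,}", re.I),
}


def scan_au3(script: str) -> Dict[str, List[int]]:
    """Map each indicator name to the 1-based line numbers where it matches."""
    hits: Dict[str, List[int]] = {name: [] for name in INDICATORS}
    for lineno, line in enumerate(script.splitlines(), start=1):
        if line.lstrip().startswith(";"):   # skip AutoIt comment lines
            continue
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                hits[name].append(lineno)
    return hits


def verdict(hits: Dict[str, List[int]]) -> str:
    """Buffer staged in a byte[] struct and passed to CallWindowProc is the runner signature."""
    if hits["callwindowproc"] and hits["byte_struct"]:
        return "shellcode-runner"
    if any(hits.values()):
        return "review"
    return "clean"


# Constructed samples resembling decompiled scripts; the hex is 16 INT3 (0xCC) bytes, not real code.
SAMPLE_LOADER = "\n".join([
    "; constructed sample resembling a decompiled loader",
    'Local $bCode = Binary("0x' + "CC" * 16 + '")',
    'Local $tBuf = DllStructCreate("byte[" & BinaryLen($bCode) & "]")',
    "DllStructSetData($tBuf, 1, $bCode)",
    'DllCall("user32.dll", "int", "CallWindowProc", "ptr", DllStructGetPtr($tBuf), "int", 0, "int", 0, "int", 0, "int", 0)',
])
SAMPLE_BENIGN = "\n".join([
    "; constructed benign script: a plain DllCall with no byte buffer",
    'DllCall("user32.dll", "int", "MessageBox", "hwnd", 0, "str", "hi", "str", "t", "int", 0)',
])

if __name__ == "__main__":
    # Usage: python au3_scan.py decrypted.au3; with no argument the constructed loader sample is scanned.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOADER
    found = scan_au3(text)
    print(verdict(found))
    for name, lines in found.items():
        if lines:
            print(f"  {name}: lines {lines}")
```

The line numbers the scanner reports are the ones to break on in the AutoIt debugger or to match against the DllCall you watch in x32dbg; the "hex_blob" hit is also where an encoded payload usually sits, so it is the first thing to carve out for static analysis once the bytes have been decoded.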

Here is a simple PoC of using CallWindowProc to execute shellcode.

SHA256:

c46a631f0bc82d8c2d46e9d8634cc50242987fa7749cac097439298d1d0c1d6e

adaffcb21f17057830ce8c60d1e852fe82035c153d6125aaed75a8b1d03e7518

References:

