[Mal Series #6] AutoIT Analysis Guide

Here are some tips for analyzing AutoIT malware.

So far, I have encountered these two types of AutoIT malware:

  1. A PE with the AutoIT script embedded in its resource section.
  2. A clean AutoIT script loader (the interpreter) plus a separate malicious input file (the script).

Analysis tools for AutoIT:

Analysis

For the 2nd type of AutoIt malware, the payload is loaded from a raw encrypted au3 file instead of a script embedded in a PE file. You can find the au3 script magic bytes AU3!EA06 (06 here is the subtype of the script; older compiled scripts carry EA05) in its hex dump, as shown in the picture below.

Looking for AU3!EA0 to determine whether it is a valid au3 script file
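The check from the screenshot, as an added AutoIt script rather than something from the original post: it reads a file in binary mode, searches for "AU3!EA0" followed by the subtype digit, and reports the byte offset of each byte-aligned hit, whether the 16-byte compiled-script header precedes it, and whether the file is a PE (type 1 carrier) or a raw script (type 2). The search runs over the hex-text form of the file so that embedded NUL bytes cannot cut a string search short. The script name `au3scan.au3` and the output wording are my own choices.

```autoit
; Added example (not the author's script): locate the compiled-AutoIt marker in a file.
; Looks for "AU3!EA0" followed by the subtype digit (e.g. "6" for EA06) and reports
; the byte offset, so a raw script payload (type 2) can be told from a PE carrier (type 1).

; "AU3!EA0" as hex text; the subtype byte ("5" or "6") follows it
Global Const $g_sMarkerHex = "41553321454130"
; 16-byte header that precedes the marker in compiled AutoIt3 scripts
Global Const $g_sHeaderHex = "A3484BBE986C4AA9994C530A86D6487D"

Func _ScanForAu3Marker($sPath)
    Local $hFile = FileOpen($sPath, 16) ; 16 = $FO_BINARY
    If $hFile = -1 Then Return SetError(1, 0, "")
    Local $bData = FileRead($hFile)
    FileClose($hFile)

    ; Search the hex text form of the file rather than a BinaryToString() copy:
    ; embedded NUL bytes cannot cut the search short this way.
    Local $sHex = StringTrimLeft(String($bData), 2) ; drop the leading "0x"
    Local $sOut = ""
    If StringLeft($sHex, 4) = "4D5A" Then
        $sOut &= "MZ header: PE file, script (if any) is probably in a resource (type 1)" & @CRLF
    Else
        $sOut &= "No MZ header: raw script payload candidate (type 2)" & @CRLF
    EndIf

    Local $iHits = 0
    Local $iPos = StringInStr($sHex, $g_sMarkerHex)
    While $iPos
        ; two hex characters per byte: only odd string positions are byte-aligned
        If Mod($iPos, 2) = 1 Then
            Local $iOffset = ($iPos - 1) / 2
            Local $sSubtypeHex = StringMid($sHex, $iPos + StringLen($g_sMarkerHex), 2)
            Local $sSubtype = Chr(Dec($sSubtypeHex))
            Local $sHeader = "absent"
            If $iPos > 32 And StringMid($sHex, $iPos - 32, 32) = $g_sHeaderHex Then $sHeader = "present"
            $sOut &= StringFormat("AU3!EA0%s at offset 0x%08X (16-byte header prefix %s)", $sSubtype, $iOffset, $sHeader) & @CRLF
            $iHits += 1
        EndIf
        $iPos = StringInStr($sHex, $g_sMarkerHex, 0, 1, $iPos + 1)
    WEnd
    If $iHits = 0 Then $sOut &= "No AU3!EA0 marker found" & @CRLF
    Return $sOut
EndFunc

; usage: AutoIt3.exe au3scan.au3 <file>
If $CmdLine[0] >= 1 Then
    ConsoleWrite(_ScanForAu3Marker($CmdLine[1]))
Else
    ConsoleWrite("usage: au3scan.au3 <file>" & @CRLF)
EndIf
```

For a raw compiled script the marker normally sits right after the 16-byte header at offset 0x10; inside a PE carrier it sits wherever the resource blob was placed, which is the offset you hand to the decompiler if it fails to find the script on its own.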

To analyse it statically, we need another tool called myAut2Exe, which can scan and decrypt the encrypted AutoIt payload according to its version. Its Scan File tab offers both manual and automatic scan modes, so the analyst can customize how the payload file is scanned.

After the scan, it generates a .au3 script containing the full code of the payload in plain text. Then load it into the AutoIT debugger for further analysis, since myAut2Exe cannot display the full decrypted script in its own window. Syntax highlighting matters too.

.au3 script in AutoIT debugger, looks better huh :D

To debug it, you can set a breakpoint on the line where you want the script to stop. However, the downside of the debugger is that it only supports step-into debugging, which makes debugging a very long script time consuming.

To continue our analysis, we can debug it in x32dbg and set breakpoints on any Windows API calls found in the script. In the AutoIt script we can see that it keeps calling CallWindowProc, a trick for executing embedded shellcode from a script: the pointer to the shellcode buffer is passed as the lpPrevWndFunc (window procedure) argument, and the API simply calls into it. Breaking on user32!CallWindowProcA/W in x32dbg therefore stops right before the shellcode runs, and the buffer it points to can be dumped for further static analysis.

Here is the simple POC of CallWindowProc to execute the shellcode.
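Since the PoC image itself is not reproduced here, the following is an added AutoIt script of my own (not the author's original PoC) showing the trick from the paragraph above: allocate an RWX page, copy bytes into it through a DllStruct, and pass the buffer address to CallWindowProc as the "window procedure". The bytes are a constructed, harmless stub (`mov eax, 0x1337; ret 0x10`) chosen so the return value proves the buffer executed; everything else (the function name, the exit check for the 64-bit interpreter) is my own choice.

```autoit
; Added example (not the author's PoC): execute a shellcode buffer via user32!CallWindowProc.
#AutoIt3Wrapper_UseX64=n ; run under the 32-bit interpreter: the sample bytes below are x86
If @AutoItX64 Then
    ConsoleWrite("run this with the 32-bit AutoIt3.exe, the stub is x86 code" & @CRLF)
    Exit 1
EndIf

; Constructed benign "shellcode" so the trick can be verified without a real payload:
;   B8 37 13 00 00   mov eax, 0x1337
;   C2 10 00         ret 0x10   ; pop the four stdcall WNDPROC args (hWnd, Msg, wParam, lParam)
Global Const $g_bShellcode = Binary("0xB837130000C21000")

Func _ExecViaCallWindowProc($bCode)
    Local $iSize = BinaryLen($bCode)
    ; VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)
    Local $aAlloc = DllCall("kernel32.dll", "ptr", "VirtualAlloc", "ptr", 0, "ulong_ptr", $iSize, "dword", 0x3000, "dword", 0x40)
    If @error Or Not $aAlloc[0] Then Return SetError(1, 0, 0)
    Local $pMem = $aAlloc[0]

    ; Overlay a byte array on the RWX page and copy the code into it
    Local $tBuf = DllStructCreate("byte[" & $iSize & "]", $pMem)
    DllStructSetData($tBuf, 1, $bCode)

    ; CallWindowProc(lpPrevWndFunc, hWnd, Msg, wParam, lParam): the first argument is
    ; supposed to be a window procedure, but any code address works, so the API
    ; simply calls into our buffer. Break on user32!CallWindowProcW in x32dbg and the
    ; first stack argument is the shellcode pointer to dump.
    Local $aRet = DllCall("user32.dll", "lresult", "CallWindowProcW", "ptr", $pMem, "hwnd", 0, "uint", 0, "wparam", 0, "lparam", 0)
    If @error Then Return SetError(2, 0, 0)

    DllCall("kernel32.dll", "bool", "VirtualFree", "ptr", $pMem, "ulong_ptr", 0, "dword", 0x8000) ; MEM_RELEASE
    Return $aRet[0]
EndFunc

Local $iResult = _ExecViaCallWindowProc($g_bShellcode)
Local $iErr = @error
ConsoleWrite("CallWindowProc returned 0x" & Hex($iResult, 8) & @CRLF)
If $iErr = 0 And $iResult = 0x1337 Then
    ConsoleWrite("[+] bytes in the buffer executed via CallWindowProc" & @CRLF)
Else
    ConsoleWrite("[-] unexpected result, @error=" & $iErr & @CRLF)
EndIf
```

In a real decompiled script the bytes written into the struct are the malicious shellcode and the buffer is usually much larger, but the shape is the same, so tracing the DllStructSetData that feeds the CallWindowProc argument is the quickest way to find the blob statically, and a breakpoint on CallWindowProcW is the quickest way to dump it dynamically.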

Sha256:

adaffcb21f17057830ce8c60d1e852fe82035c153d6125aaed75a8b1d03e7518


Typical memes addict🐒 GitHub: https://github.com/ghoulgy 🍕Support my work: https://www.buymeacoffee.com/GhoulSec