Here are some tips for analyzing AutoIt malware.
So far, I have encountered these two types of AutoIt malware:
- A PE file with the AutoIt script embedded in its resource section.
- An AutoIt script loader (clean) plus a separate input file (malicious).
Analysis tools for AutoIt:
The 1st type of AutoIt malware is pretty straightforward: just load the PE file into Exe2Aut and you will get the AutoIt script that is embedded inside it in plain text. It generates a
.au3 file, which can be opened in the AutoIt debugger for better analysis.
The 2nd type of AutoIt malware loads its payload from a raw encrypted .au3 file instead of a script embedded in a PE file. You can find the au3 script magic
bytes AU3!EA06 (06 here is the subtype of the script) inside its hex dump, as shown in the picture below.
To analyse it statically, we need another tool called myAut2Exe, which can scan and decrypt the encrypted AutoIt payload according to its version. It has manual and automatic scan modes in the
Scan File tab, so the analyst can customize the scan of the payload file.
After the scan, it generates a
.au3 script that shows the full code of the payload in plain text. Then load it in the AutoIt debugger for further analysis, since myAut2Exe cannot display the full decrypted script in its window and also lacks syntax highlighting.
To debug it, you can set a breakpoint on the line where you want the script to stop. However, the downside of the debugger is that it only supports
step-into debugging, which is time consuming if we want to debug a very long script.
To continue our analysis, we can debug it in x32dbg and set breakpoints on any Windows API call found in the script. In the AutoIt script, we can see that it keeps calling the function
CallWindowProc, which is a trick to execute shellcode embedded in Windows scripts. Therefore, this shellcode can be extracted for further static analysis.
Here is a simple POC of using
CallWindowProc to execute the shellcode.
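The following triage script is an added example and not part of the original post or of Exe2Aut/myAut2Exe. It classifies a sample as one of the two shapes described above by locating the AU3!EA magic (the two-digit subtype is captured, since the post notes 06 is the subtype), and flags the lines of a decompiled .au3 script that route execution through CallWindowProc, so the analyst knows where to set breakpoints. The samples are constructed, not real malware; the `AU3!EA` followed by two digits pattern is an assumption generalizing the AU3!EA06 string from the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Compiled AutoIt3 script marker: "AU3!EA" + two-digit subtype (assumption: any two
# digits, generalizing the AU3!EA06 value seen in the post's hex dump).
AU3_MAGIC = re.compile(rb"AU3!EA(\d\d)")


@dataclass
class Au3Finding:
    kind: str      # "pe-embedded" (type 1) or "raw-payload" (type 2)
    offset: int    # byte offset of the magic inside the file
    subtype: str   # two-digit subtype captured from the magic


def find_au3(data: bytes) -> Optional[Au3Finding]:
    """Locate the AU3 magic and classify the sample by its container."""
    m = AU3_MAGIC.search(data)
    if m is None:
        return None                      # no AutoIt payload visible in this blob
    kind = "pe-embedded" if data[:2] == b"MZ" else "raw-payload"
    return Au3Finding(kind, m.start(), m.group(1).decode("ascii"))


def callwindowproc_lines(script: str) -> List[int]:
    """1-based line numbers in a decompiled .au3 that mention CallWindowProc."""
    return [i for i, line in enumerate(script.splitlines(), 1)
            if "callwindowproc" in line.lower()]


# Constructed samples: a fake PE stub with the magic at offset 100, a fake raw
# payload with the magic at offset 4, and a two-line fake decompiled script.
SAMPLE_PE = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 32 + b"AU3!EA06" + b"\x11\x22"
SAMPLE_RAW = b"\xa3\x48\x4b\xbe" + b"AU3!EA06" + b"\x00" * 8
SAMPLE_SCRIPT = (
    "Local $buf = DllStructCreate('byte[' & $len & ']')\n"
    "DllCall('user32.dll', 'none', 'CallWindowProc', 'ptr', DllStructGetPtr($buf), "
    "'int', 0, 'int', 0, 'int', 0, 'int', 0)\n"
)

if __name__ == "__main__":
    for name, blob in (("pe", SAMPLE_PE), ("raw", SAMPLE_RAW), ("none", b"not autoit")):
        print(name, find_au3(blob))
    print("CallWindowProc on lines:", callwindowproc_lines(SAMPLE_SCRIPT))
```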