11/2/2022 0 Comments Decompiling an autoit exe![]()
Additionally, it sets up persistence in “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” as “srvmcc.exe”. The sample leverages AutoIT GUI API (with hidden Tray Icon) and installs as “srvsml.exe” in “%APPDATA%\Microsoft\Network\SupportAssistanse”. #Decompiling an autoit exe code#The sample timestamp shows compilation timestamp of Monday, January 25, 06:27:36 2016 UTC with the version language code set to English, Great Britain. Open the binary in Process Hacker and save the RCData ‘SCRIPT’ AU3 resource as binary and rename ending in. A similar method is referenced by here.ġ. au3 scripts to the executable on a 32-bit machine, and then extracting them back via Exe2Au toolset. ![]() Routinely, simple Exe2Au worked to retrieve the 32-bit version extracted AutoIt scripts, while the 64-bit required a small trick of recovering payloads via ResourceHacker (since Exe2Au does not support 64-bit versions), compiling them as. One way you can tell if it is an AutoIt-compiled malware is through examining the resource section “RCData” for “SCRIPT” namespace with AU3 header. One of the possible interesting challenges includes the decompilation of 圆4-bit compiled AutoIT samples. I have uploaded the decoded APT28 AutoIt scripts along with the MISP JSON and CSV indicators of compromise (IOC) extractions for further analysis and mitigation on GitHub at k-vitali/apt28_zebrocy_autoit_resource. Standard Application Layer Protocol - T1071 Exfiltration Over Command and Control Channel - T1041 #Decompiling an autoit exe windows#Windows Management Instrumentation - T1047 ![]() Registry Run Keys / Start Folder - T1060 The malware servers appear to be have been located at the following Autonomous System Number (ASN): #Decompiling an autoit exe update#Update (): The newly observed Zebrocy AutoIt sample contained the timestamp compilation date of Wednesday, January 16 06:10:59 2019 UTC introducing a Windows Management Instrumentation (WMI) host profiling method along with the odd name of execution function name of “crocodile().” Most importantly, the newer sample introduced the Base64-based encoding with the padded “F” (until 5) on the reverse length of Base64 data blob and appended to the “img=” URI with the HTTPS server communication. #Decompiling an autoit exe software#One of the earlier downloader malware oddities includes a check for the software titled “Lamer.exe” as well with the VirtualBox related processes (“vmacthlp.exe”, “vmtoolsd.exe”, “vmusrvc.exe”), parallel desktop software processes (“prl_cc.exe”, “prl_tools.exe”, “SharedIntApp.exe”). Notably, on one occasion, the developer referenced the Microsoft Word document icon path from the machine as “C:\works\old_progs\download\icons\DOC.ico.” The malware downloaders’ version information includes the English-language locale and LCID code of “2057”, which is a code page for English, Great Britain language code. In the later versions of this malware, the developer(s) also decided to obfuscate this string with hex-encoding presumably to avoid static detection on hidden Window AutoIt scripts. #Decompiling an autoit exe pdf#The downloaders simply create a fake GUI application mimicking Microsoft Word or PDF application with the fake message indicating password-protected documents to make Autoit icon is not visible with the (“TrayIconHide”, 1) argument. ![]() The reviewed older samples were compiled with Autoit for the 32-bit version, while the more recent ones were for the 64-bit one. Malware analysis reveals the later usage of the hex-encoding functions to obfuscate certain strings within the APT28 malware.ĪPT28 Autoit downloaders rely on WinHTTP DLL library for clientserver communications. The Zebrocy/Zepakab Autoit downloader implants are simple and reminiscent of the other version coded in Golang, C , and Delphi. The malware downloaders are simple AutoIt compiled scripts with the added icons and are occasionally packed with UPX. APT28 is also known as Sofacy, Fancy Bear, STRONTIUM, Pawn Storm, and Sednit. ![]() Here, I decided to recover and dissect its AutoIt scripts from its executable. The APT28 group continues to be developing and leveraging Zebrocy/Zepakab downloader implants. Zebrocy/Zepakab Downloader Implant (32-Bit x86 Compiled) "parsestring()" and "parsefile()" FunctionsĮ. Zebrocy/Zepakab Downloader Implant (32-Bit 圆4 Compiled)ġ. Zebrocy/Zepakab Downloader Implant (32-Bit 圆4 Compiled)ĭ. Zebrocy/Zepakab Downloader Implant (32-Bit x86 Compiled)Ĭ. Zebrocy/Zepakab Downloader Implant (32-Bit x86 Compiled)ī. APT28 Zebrocy/Zepakab AutoIt Script ExtractionĪ. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |