Defeating .au3 Obfuscated Malware

Hey guys,

This is going to be my first blog post ever, so wish me luck.

Today I am going to show you a quick way to decompile/deobfuscate malware that uses AutoIT obfuscation (.AU3).

Recently I've seen more and more malware using this kind of trick to obfuscate their malware so it's harder for a reverse engineer to read and figure out what's happening. This method has also been referenced by @VK_Intel and @hexacorn.

The two samples we will be looking at are an APT28 Zebrocy/Zepakab downloader implant (32-bit x86 compiled) and a Qulab Stealer sample that uses the same technique.

Hashes:
d6751b148461e0f863548be84020b879 - APT28 Zebrocy/Zepakab Downloader
a915fc346ed7e984e794aa9e0d497137 - Qulab Stealer

What you'll need:
- Exeinfo PE
- .AU3 Obfuscated malware sample
- Resource Hacker
- Aut2Exe v3 Converter
- Exe2Aut Decompiler


1. First we start off by confirming that our piece of malware uses this .AU3 obfuscator technique via Exeinfo PE.

As we can see, Exeinfo PE reports AutoIT v3.3.12.0 - v3.3.14.2, which confirms that it's using the AutoIT obfuscator.

2. Next we will open up the sample in Resource Hacker and take a look at what we have.


When we open the sample, go to the "RCData" tab and click on "SCRIPT : 0", we are shown a hex view with some strings on the side. Here we can also see the "AU3!" stub on the second line, which confirms for sure that it is using the AutoIT obfuscator. So now it's time to use the trick and get this decompiled.

3. Right-click "SCRIPT : 0" and click on "Save Resource to BIN file...". A save prompt will come up and you can use whatever file name you want, but make sure you add .AU3 at the end of the output file name, as shown below.



4. Once you have saved the .AU3 file to the location of your choice, it's time to convert it using the Aut2Exe v3 converter. It's as simple as loading the new .AU3 script we just made into Aut2Exe and unchecking "Compile for system x64" (Exe2Aut later on will NOT decompile the file unless it's a 32-bit file format).


Once you hit "Convert" it will output a new SCRIPT.exe file that we can now decompile using Exe2Aut.

5. Open the Exe2Aut Decompiler, drag and drop the new "SCRIPT.exe" onto it, and it should decompile the program and show its content.


Using this method we can now find out where it's calling out to and view its decompiled code.
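The five steps above are GUI-driven. The following Python script is an added example of mine, not a tool from the post, that makes the two checks steps 1 and 4 rely on scriptable for bulk triage: it confirms the sample embeds an AutoIt v3 compiled script by locating the "AU3!" stub, and reads the PE Machine field so you know up front whether the rebuild has to be forced to 32-bit for Exe2Aut. The 16-byte magic that precedes "AU3!EA06", and the marker string itself, are the AutoIt v3 compiled-script signature as used by public unpacker tooling (my assumption; the post only mentions the "AU3!" stub seen on the second hex line, which matches a 16-byte prefix). Rather than walking the resource directory it simply carves from the magic to end of file, a rough stand-in for saving the SCRIPT resource with Resource Hacker. The build_sample helper fabricates a minimal MZ/PE stand-in with an embedded blob so the script runs offline without any real sample.

```python
"""Static triage for AutoIt-compiled samples (added example, not from the post):
- locate the embedded compiled script ("AU3!" stub) and carve it,
- read the PE Machine field, since Exe2Aut only decompiles 32-bit builds.
"""
import struct

# AutoIt v3 compiled-script signature as used by public unpacker tooling
# (assumption: values not taken from the post, which only shows "AU3!").
AU3_MAGIC = bytes.fromhex("a3484bbe986c4aa9994c530a86d6487d")
AU3_MARKER = b"AU3!EA06"

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
MACHINE_NAMES = {
    IMAGE_FILE_MACHINE_I386: "x86 (32-bit)",
    IMAGE_FILE_MACHINE_AMD64: "x64 (64-bit)",
}


def pe_machine(data: bytes):
    """Return the Machine field of the PE file header, or None if not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 4)[0]


def find_au3_script(data: bytes):
    """Offset of the compiled-script blob (start of the 16-byte magic), or None.
    Falls back to the ASCII marker alone if the magic prefix is missing."""
    idx = data.find(AU3_MAGIC + AU3_MARKER)
    if idx != -1:
        return idx
    idx = data.find(AU3_MARKER)
    return None if idx == -1 else idx


def carve_au3_script(data: bytes):
    """Bytes from the script blob to end of file (rough stand-in for the
    SCRIPT resource Resource Hacker saves as .AU3), or None if absent."""
    start = find_au3_script(data)
    return None if start is None else data[start:]


def triage(data: bytes) -> dict:
    """Summarise what an analyst needs before running Aut2Exe/Exe2Aut."""
    machine = pe_machine(data)
    script_off = find_au3_script(data)
    return {
        "is_pe": machine is not None,
        "machine": MACHINE_NAMES.get(machine, hex(machine) if machine is not None else "n/a"),
        "needs_32bit_rebuild": machine == IMAGE_FILE_MACHINE_AMD64,
        "au3_script_offset": script_off,
        "is_autoit_compiled": script_off is not None,
    }


def build_sample(machine: int, script_body: bytes) -> bytes:
    """Constructed stand-in for a compiled AutoIt binary: a minimal MZ/PE header,
    some padding and an embedded compiled-script blob. Not a real sample."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos = dos.ljust(e_lfanew, b"\0")
    pe = b"PE\0\0" + struct.pack("<H", machine) + b"\0" * 18  # rest of file header zeroed
    filler = b"\0" * 64
    return dos + pe + filler + AU3_MAGIC + AU3_MARKER + script_body


if __name__ == "__main__":
    sample = build_sample(IMAGE_FILE_MACHINE_AMD64, b"...compiled script bytes...")
    for key, value in triage(sample).items():
        print(f"{key:22} {value}")
    blob = carve_au3_script(sample)
    print(f"carved {len(blob)} bytes, starts with {blob[16:24]!r}")
```

On a real file, read it with `open(path, "rb").read()` and pass the bytes to `triage`; a `needs_32bit_rebuild` of True is exactly the case where "Compile for system x64" must be unchecked in Aut2Exe before Exe2Aut will accept the result.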

That's it! I have tested this method with other types of .AU3 malware including the new Qulab Stealer malware (example below) and it works great!

Now onto the Qulab Stealer.
When I first got the sample a few weeks back I tried to decompile it right away using Exe2Aut, but the malware dev knew that people may try to do this and created a not-so-nice message for anyone trying to decompile the malware, which also crashed the program...

But after using the same trick/method above I was able to convert the malware and run it in the decompiler perfectly.


Thanks everyone for reading; I hope this helped. I also look forward to writing more blog posts in the future dealing with malware and other things.

*Samples used in this post can be found on my sample library server.*

Please check out my good friend @VK_Intel on Twitter and his blog, which features great malware reverse-engineering techniques and information on new malware targeting.
Twitter: https://twitter.com/VK_Intel
Blog: https://www.vkremez.com/

@hexacorn also made a similar reference to this via: http://www.hexacorn.com/blog/2015/01/08/decompiling-compiled-autoit-scripts-64-bit-take-two/


Follow me on Twitter: https://www.twitter.com/0xffff0800
Malware Sample Library (Tor required): http://iec56w4ibovnb4wc.onion
Visit my domain: http://0xffff0800.ru
Jabber: 0xffff0800@jabber.ccc.de
Questions? Contact me: 0xffff0800@protonmail.com
