From AutoIT to MassLogger

What is AutoIT?

Quoting AutoIT web site

VirusTotal detection result
  • auokpnflym.exe the embedded AutoIT interpreter
  • kypipza.lv the AutoIT script passed as parameter to the interpreter
  • nsiowtaau.aq a binary file containing random data (more later on)
Detect It Easy

Deobfuscating the AutoIT script

As expected, the AutoIT script is obfuscated. The one and only obfuscation method used is an integer-to-char conversion based on subtraction of values: every character of a string is written as Chr(a - b), and the pieces are glued together with the & operator.
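To make that concrete, here is a small deobfuscator for this pattern. It is an added example, not the script from the sample or a tool from the original post: it decodes every Chr(a - b) term (and, as a small generalisation, Chr(a + b)) into an AutoIT string literal, merges literals joined with &, and lists the recovered strings. The input script below is constructed for the demonstration and contains the file name from the article only as sample data.

```python
import re

# Constructed sample script (not the real one): strings are built from
# Chr(a - b) terms joined with AutoIT's & concatenation operator.
SAMPLE_SCRIPT = r'''
$f = Chr(168 - 58) & Chr(224 - 109) & Chr(172 - 67) & Chr(226 - 115) & Chr(239 - 120) & Chr(236 - 120) & Chr(197 - 100) & Chr(189 - 92) & Chr(213 - 96) & Chr(146 - 100) & Chr(150 - 53) & Chr(213 - 100)
$api = Chr(170 - 102) & Chr(200 - 92) & Chr(179 - 71) & Chr(182 - 115) & Chr(216 - 119) & Chr(256 - 148) & Chr(140 - 32)
$q = Chr(134 - 100) & Chr(149 - 52) & Chr(134 - 100)
$h = FileOpen($f, 16)
'''

# Chr(<int> - <int>) or Chr(<int> + <int>), case-insensitive like AutoIT itself.
CHR_TERM = re.compile(r'Chr\s*\(\s*(\d+)\s*([-+])\s*(\d+)\s*\)', re.IGNORECASE)

# An AutoIT double-quoted literal; an embedded quote is written as "".
LIT = r'"((?:[^"]|"")*)"'
MERGE = re.compile(LIT + r'\s*&\s*' + LIT)


def autoit_literal(text):
    """Render text as an AutoIT double-quoted literal (quotes are doubled)."""
    return '"' + text.replace('"', '""') + '"'


def decode_chr_terms(src):
    """Replace each Chr(a - b) / Chr(a + b) term with the character it yields."""
    def repl(match):
        a, op, b = int(match.group(1)), match.group(2), int(match.group(3))
        code = a - b if op == '-' else a + b
        if not 0 <= code <= 0x10FFFF:
            raise ValueError("Chr() argument out of range: %d" % code)
        return autoit_literal(chr(code))
    return CHR_TERM.sub(repl, src)


def merge_literals(src):
    """Fold "a" & "b" into "ab" until nothing is left to fold."""
    prev = None
    while prev != src:
        prev = src
        src = MERGE.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
    return src


def deobfuscate(src):
    """Full pipeline: decode the arithmetic terms, then merge the pieces."""
    return merge_literals(decode_chr_terms(src))


def extract_strings(src):
    """Return the plain contents of every string literal in (deobfuscated) source."""
    return [m.group(1).replace('""', '"') for m in re.finditer(LIT, src)]


if __name__ == "__main__":
    cleaned = deobfuscate(SAMPLE_SCRIPT)
    print(cleaned)
    for s in extract_strings(cleaned):
        print("string:", repr(s))
```

Running it on a real script is just `deobfuscate(open(path, encoding="utf-8").read())`; the recovered literals (file names, API names, URLs) are usually the fastest way to triage what the loader does before reading the rest of the script.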

Cleaned up AutoIT script

Shellcode Analysis

The shellcode is straightforward to analyze. It uses the usual dynamic API resolution as well as dynamic PE loading. Its most important functionality, however, is the decryption of nsiowtaau.aq: the shellcode opens and reads the file passed to it as an argument, which in our case is nsiowtaau.aq.

Decompiled main shellcode body
Decryption function password
Decryption function

Actual malware

In order to decrypt the malware without reimplementing the decryption algorithm, a dynamic-analysis approach was chosen. The shellcode was converted to a PE with the use of Yasm (more info here). With a runnable executable, the shellcode could be debugged dynamically. With a few tricks to specify the path of nsiowtaau.aq, the file was decrypted and we got a new PE executable.
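The Yasm route works, but the same result can be produced without an assembler. The script below is an added example, not the author's tool: it wraps a raw shellcode blob into a minimal 32-bit PE whose entry point is the first shellcode byte, with no import table (the shellcode resolves its APIs itself, as the post notes) and a single read/write/execute section. The header layout values (image base 0x400000, section alignment 0x1000, file alignment 0x200) are conventional choices, and the three-byte stub used as sample input is constructed so the script runs stand-alone; the wrapper does nothing about the file-path argument the shellcode expects, which is the part the author handled in the debugger.

```python
import struct
import sys

IMAGE_BASE = 0x400000
SECTION_ALIGN = 0x1000
FILE_ALIGN = 0x200

# Constructed stand-in for a shellcode blob: xor eax, eax ; ret
SAMPLE_SHELLCODE = bytes.fromhex("31c0c3")


def align(n, a):
    return (n + a - 1) // a * a


def wrap_shellcode_in_pe(shellcode, subsystem=3):
    """Build a 32-bit PE image: one .text section, entry point = shellcode[0].
    subsystem 3 = console, 2 = GUI (console keeps a window for debugging)."""
    code_rva = SECTION_ALIGN
    raw_code_size = align(len(shellcode), FILE_ALIGN)
    # DOS stub (0x40) + "PE\0\0" + COFF (20) + optional header (224) + 1 section (40)
    headers_size = align(0x40 + 4 + 20 + 224 + 40, FILE_ALIGN)
    image_size = align(code_rva + len(shellcode), SECTION_ALIGN)

    # Minimal DOS header: "MZ", padding, e_lfanew at 0x3C pointing to 0x40.
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)
    # COFF header: i386, 1 section, 224-byte optional header,
    # characteristics EXECUTABLE_IMAGE | 32BIT_MACHINE.
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    # PE32 optional header, field by field in file order.
    opt = struct.pack(
        "<HBB9I6H4I2H6I",
        0x10B, 0, 0,                                   # magic PE32, linker version
        raw_code_size, 0, 0,                           # code / init / uninit sizes
        code_rva, code_rva, code_rva,                  # entry point, base of code/data
        IMAGE_BASE, SECTION_ALIGN, FILE_ALIGN,
        4, 0, 0, 0, 4, 0,                              # OS / image / subsystem versions
        0, image_size, headers_size, 0,                # win32 ver, SizeOfImage, SizeOfHeaders, checksum
        subsystem, 0,                                  # subsystem, DllCharacteristics
        0x100000, 0x1000, 0x100000, 0x1000, 0, 16,     # stack/heap sizes, loader flags, #dirs
    ) + b"\x00" * 128                                  # 16 empty data directories: no imports
    # Section header: CODE | EXECUTE | READ | WRITE so self-modifying code is fine.
    section = struct.pack(
        "<8sIIIIIIHHI",
        b".text", len(shellcode), code_rva, raw_code_size, headers_size,
        0, 0, 0, 0, 0xE0000020,
    )
    headers = dos + b"PE\x00\x00" + coff + opt + section
    return headers.ljust(headers_size, b"\x00") + shellcode.ljust(raw_code_size, b"\x00")


def entry_point_rva(pe):
    """Read AddressOfEntryPoint back out of a PE image (sanity check)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    opt_offset = e_lfanew + 4 + 20
    return struct.unpack_from("<I", pe, opt_offset + 16)[0]


if __name__ == "__main__":
    if len(sys.argv) == 3:
        blob = open(sys.argv[1], "rb").read()
        open(sys.argv[2], "wb").write(wrap_shellcode_in_pe(blob))
    else:
        image = wrap_shellcode_in_pe(SAMPLE_SHELLCODE)
        print("built %d-byte PE, entry point RVA 0x%x" % (len(image), entry_point_rva(image)))
```

Usage is `python wrap.py shellcode.bin shellcode.exe`; the result loads in x32dbg or WinDbg with the entry point breakpoint landing on the first shellcode byte, which is exactly where the decryption routine can then be stepped through.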

WinMain of decrypted executable
Executable in the resources
