Wednesday, August 27, 2008

Tip Of The Day - AutoHotkey malware

Yesterday, I found a piece of malware to analyze. I checked the file structure and it looks like a UPX-packed executable (e.g. from the section names, the entry point disassembly and even some signature checker tools).

Original file

Unpacked version

UPX v3.0 marker

So I grabbed a copy of upx.exe that can decompress the file, which reports it as UPX version 3.00. Everything was OK and the file was successfully unpacked. So I opened the unpacked version in Hiew and checked the entry point again.

Entry point disassembly in Hiew

Entry point disassembly in IDA

From its disassembly, it really is unpacked and you can tell that it looks like the normal entry point of a program. If you have been analyzing malware for a while, you can tell this from the first API calls, etc. Most of the time that's game over, but sometimes there is more to it.

So I ran the file on my sandbox machine and waited for some interesting behavior. But nothing happened. So I opened it again and started to trace. But hey, I forgot to check the strings, which can lead somewhere. I browsed the binary in Hiew and started looking for some strings.

"AutoHotkey" strings

Indeed, there were some interesting strings (in the assembly manifest) inside the binary. With that in mind, it's most likely an AutoHotkey script that was converted into an executable, just like AutoIt, remember? Hmmm... so I opened my browser and searched for "autohotkey". Voila! Its website says:

"Convert any script into an EXE file that can be run on computers that don't have AutoHotkey installed."

The "EXE" is actually a hyperlink to download its decompiler, ahk2exe. Download it and you can convert the EXE back to its original script format, which can be opened in any text viewer/editor to view the contents. The decompiled script is pretty much straightforward and makes analyzing the file 10x faster.
Then that's game over!

Decompiled script
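The two checks this walkthrough relied on (UPX-style section names before unpacking, an "AutoHotkey" string after) can be automated for triage. The script below is an added example written for this post, not the author's tooling: it walks the PE section table by hand and scans for AutoHotkey markers; the `>AUTOHOTKEY SCRIPT<` resource name and the constructed sample blobs are assumptions, not taken from the post.

```python
import struct

# "AutoHotkey" is the manifest string seen in the post; ">AUTOHOTKEY SCRIPT<" is the
# RCDATA resource name Ahk2Exe uses to embed the script (assumed, not from the post).
AHK_MARKERS = (b"AutoHotkey", b">AUTOHOTKEY SCRIPT<")


def pe_section_names(data: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size  # section headers follow the optional header
    names = []
    for i in range(num_sections):
        raw = data[table + 40 * i: table + 40 * i + 8]  # 8-byte, NUL-padded name
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def triage(data: bytes) -> dict:
    """Report UPX-style section names and AutoHotkey markers for one sample."""
    names = pe_section_names(data)
    return {
        "sections": names,
        "upx_packed": any(n.startswith("UPX") for n in names),
        "ahk_marker": any(m in data for m in AHK_MARKERS),
    }


def build_sample(section_names, payload: bytes = b"") -> bytes:
    """Constructed, non-loadable PE-shaped blob used only to exercise the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.encode().ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + sections + payload


if __name__ == "__main__":
    packed = build_sample(["UPX0", "UPX1", ".rsrc"])
    unpacked = build_sample([".text", ".rdata", ".data", ".rsrc"],
                            b'<assemblyIdentity name="AutoHotkey" type="win32"/>')
    print(triage(packed))    # upx_packed True, no AHK marker visible before unpacking
    print(triage(unpacked))  # normal section names, ahk_marker True
```

On a real sample, run `triage()` on the file bytes before and after UPX decompression: the marker typically only becomes visible in the unpacked copy, which is exactly the order of events in the post.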

Check the AV detections in VT

Conclusion: People can now easily create malware without learning ASM or C, just by learning the simple syntax of a scripting language like AutoHotkey and converting the script into executable format.
