Here it is I show a sample that I've got from somebody who sent it to me. Most antivirus is already detected as W32/Almanahe.B. It seem this virus is still in the wild on some country. Ok, let focus on the topics. On this tutorial, let assume that you already have a sample of application or malware sample that compiled with AutoIt.
How do we know that it is an AutoIt file?
Its pretty simple to detect this kind of file. For me, just load up your sample with Notepad.exe. and search for 'AU3!EA' keyword. It will jump to the bottom of the file and there is some 'garbage' thing started with 'AU3!EA' character. And that was an encrypted AutoIt script that we want to decrypt. Lame way but fast to detect it.
The tools that we need for this dynamic analysis/reverse:
All you need to do, download the tools above. Run PEiD and load-up your AutoIt sample file into it. You will see something similar with the picture below:
I use the sample malware from the people sent it to me. The PEiD will look show you some basic information and said it was compiled with Microsoft Visual C++ 7.0.
Next, run your�myAutToExe.exe and drag and drop your sample AutoIt file into the top textbox. It will automatically start analyzing the file and extracting the script.
After the process it will look like this (picture above). All processing data will be saved as log, source code and resources file.
There it is, a sort file with the source code of the malware (or program). The source code file will be saved as .au3 extension file and can be viewed with any text editor. Starting from this point we can analize this piece of malware easily without needed to using complicated way (static analysis).
Here it is a screen shot of the source code that we already have. Seem like this people trying to expose itself by inserting their information into the source code. LoL.
Since this AutoIt script can be readable by any one, there is a few AutoIt script malware that I found that already obfuscated� to prevent analyzer from easily trace their code. I'll explain this type on next blogpost...