
How to de-obfuscate a huge AutoIT script in less than two minutes

March 11, 2020

Imagine this scenario: you are researching a malware sample that starts its execution by unpacking an archive (usually RAR or ZIP) that arrived with a suspicious email and launching an AutoIt script stored inside it. You start analyzing the script and get stuck: the file is more than 150 MB. What do you do?

Clearly, you need to de-obfuscate the script. We’ll show you how to do it in less than 2 minutes.

Two tools are required: an AutoIt decompiler and the Aut2Exe converter that ships with AutoIt.

The decompiler can only process executables with a compiled AutoIt script embedded inside them. It cannot do anything with a standalone, external .au3 script.

So, before the decompiler can be used, the standalone script first has to be compiled into an executable. The Aut2Exe converter does exactly that:

After the conversion completes, the result is a fully working executable roughly 155 times smaller than the original obfuscated script. Aut2Exe compiles the source into tokenized byte-code, so comments, whitespace and everything else that never reaches the interpreter is simply dropped:

Instead of writing your own scripts to strip the junk by hand, let the converter do the whole job and produce clean byte-code.

The next step is to load the executable into the decompiler and recover the clear-text script:

The recovered script, free of all the junk, is approximately 2800 times smaller than its obfuscated counterpart:

Now the script can be analyzed further. Two caveats: do the round trip on an isolated analysis VM and compile with an AutoIt version your decompiler supports (Aut2Exe does not execute the script, but it does resolve #include directives at compile time, so keep any companion files together with the sample). And the trick only removes what the compiler discards; runtime string decoding, junk functions that are actually called, and control-flow obfuscation survive compilation and are still present in the decompiled source.
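The following Python helpers are an added example and not part of the original post or of the AutoIt tooling. They illustrate the two halves of the trick on a constructed sample: a stripper that approximates what Aut2Exe discards at compile time (comments, blank lines) while leaving a runtime string decoder untouched, a check that the produced binary really carries a compiled AutoIt script before it goes into the decompiler (the `AU3!EA06` and "third-party compiled AutoIt script" markers are the ones public YARA rules use), and the documented `/in` / `/out` Aut2exe command line. The install path and the sample script are assumptions.

```python
"""Helpers around the compile-then-decompile trick for junk-heavy AutoIt scripts.

Added example; not code from the original post. The stripper only mimics what the
compiler drops, the real Aut2Exe tokenizes the whole script into byte-code.
"""
from __future__ import annotations

import re

# Constructed sample (not a real malware script): a small decoder function
# buried in the kind of comment padding that blows samples up to 150 MB.
SAMPLE_AU3 = """\
#cs ------------------------------------------------------------
   junk block comment, repeated thousands of times in real samples
#ce ------------------------------------------------------------
; more junk ; with nested ; semicolons
Func _d($s)   ; runtime string decoder, survives compilation
    Local $r = ""
    For $i = 1 To StringLen($s)
        $r &= Chr(Asc(StringMid($s, $i, 1)) - 1)
    Next
    Return $r
EndFunc

Local $greeting = _d("ifmmp") & " ; not a comment: the ; is inside a string"
""" + ("; padding line\n" * 2000)

# AutoIt block comments: #cs/#ce or #comments-start/#comments-end, nestable.
BLOCK_START = re.compile(r"^\s*#(cs|comments-start)\b", re.I)
BLOCK_END = re.compile(r"^\s*#(ce|comments-end)\b", re.I)


def strip_line_comment(line: str) -> str:
    """Cut a ';' comment, ignoring semicolons inside '...' or "..." literals."""
    quote = None
    for i, ch in enumerate(line):
        if quote:
            if ch == quote:
                quote = None  # a doubled quote ("") just closes and reopens
        elif ch in ("'", '"'):
            quote = ch
        elif ch == ";":
            return line[:i]
    return line


def strip_au3_junk(source: str) -> str:
    """Drop block comments, line comments and blank lines; keep every statement."""
    depth = 0
    out = []
    for line in source.splitlines():
        if BLOCK_START.match(line):
            depth += 1
            continue
        if BLOCK_END.match(line):
            depth = max(depth - 1, 0)
            continue
        if depth:
            continue
        code = strip_line_comment(line).rstrip()
        if code.strip():
            out.append(code)
    return "\n".join(out) + "\n"


# Marker strings present in AutoIt 3 compiled executables (and used by public
# YARA rules); good enough to confirm Aut2Exe produced what the decompiler needs.
AU3_MARKERS = (b"AU3!EA06", b"This is a third-party compiled AutoIt script.")


def looks_like_compiled_autoit(data: bytes) -> bool:
    """True if the PE bytes carry an embedded compiled AutoIt script."""
    return data[:2] == b"MZ" and any(m in data for m in AU3_MARKERS)


# Assumed default install path of Aut2exe.exe; adjust for your analysis VM.
AUT2EXE_DEFAULT = r"C:\Program Files (x86)\AutoIt3\Aut2Exe\Aut2exe.exe"


def aut2exe_command(script: str, exe: str, aut2exe: str = AUT2EXE_DEFAULT) -> list[str]:
    """Build the documented Aut2exe command line (/in and /out switches)."""
    return [aut2exe, "/in", script, "/out", exe]


if __name__ == "__main__":
    stripped = strip_au3_junk(SAMPLE_AU3)
    print(f"{len(SAMPLE_AU3)} -> {len(stripped)} bytes "
          f"({len(SAMPLE_AU3) / len(stripped):.0f}x smaller)")
    print(stripped)  # the _d() decoder is still there and still needs analysis
    print(" ".join(aut2exe_command("sample.au3", "sample.exe")))
```

Run the stripper against the sample to see where the 155x and 2800x figures in the post come from: almost the entire file is comment padding that never reaches the interpreter, while the decoder function that actually matters is untouched and must still be analyzed after decompilation. Use `looks_like_compiled_autoit()` on the Aut2Exe output before loading it into the decompiler; if the markers are missing, the compile step did not produce a script-carrying executable.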
