undefined | Better HN

0 pointsrevelation12y ago0 comments

The exe it downloads seems to be a compiled AutoIt3 script.

Here it is cleaned up: http://pastebin.com/raw.php?i=neP9qXGM

Seems like yet another dropper, not the actual bad thing.

0 comments

Apart from some basic functions like replication (including a message in facebook posts/messages, copying to accessible network drives and usbs), avoiding VMs, and setting itself to run on startup, it looks like most of the work is handed off to 2 payloads embedded in the compiled autoit file. There are also 2 other binaries mentioned (net2 and net4) but I'm not sure what the purpose is right now.

Payload 1: binary image that is in the shell() function.

Payload 2: between "\\carbons\\" and "//J_Y//" in original exe. It is encrypted with RC2, the password is in an INI which should be elsewhere in the exe - the script refers to @ScriptFullPath->"crypted"->"key" where crypted is the INI section name and key is the key name.

Both payloads are converted to DLL format in-memory, then Payload 1 is executed in the context of another window using CallWindowProcW, passing a pointer to Payload 2 to it.

Decompiled version of Payload 1 (embedded hex): http://pastebin.com/kxT9NskV

There is an area of null bytes at 0x1c...0x53. I deleted 1 byte, 0x00, from it so that the beginning 'call 0x54' lines up with an instruction. Not sure if that is correct.

If anyone gets a chance I'd appreciate a copy of the original AutoIt binary package (email in profile.)

upthedale12y ago

The mention of net2 and net4 sounds like the .Net runtime could be involved - the numbers referring to the version of the runtime. Quite the coincidence if not.

Perhaps a .Net decompiler could help. Reflector used to be the only good tool around, but since it became a paid tool, other free ones have sprung up. dotPeek is one (no idea how good it is).

j / k navigate · click thread line to collapse