


BLADABINDI, also known as njRAT/Njw0rm, is a remote access tool (RAT) with a myriad of backdoor capabilities - from keylogging to carrying out distributed denial of service (DDoS) - and has been rehashed and reused in various cyberespionage campaigns since it first emerged. Indeed, BLADABINDI’s customizability and seeming availability in the underground make it a prevalent threat. Case in point: last week, we came across a worm (detected by Trend Micro as ) that propagates through removable drives and installs a fileless version of the BLADABINDI backdoor.

While it is still unknown how the malicious file actually arrives in the infected system, its propagation routine suggests that it enters systems through removable drives. AutoIt is a flexible and easy-to-use scripting language, and BLADABINDI’s use of it is notable for another reason: it uses AutoIt (the FileInstall command) to compile the payload and the main script into a single executable, which can make the payload - the backdoor - difficult to detect.

Figure 1: Screenshot showing a common indicator of a compiled AutoIt script (highlighted)

We used an AutoIt script decompiler to break down the executable’s AutoIt script and found that the script’s main function first deletes any file named Tr.exe from the system’s %TEMP% directory so it can install its own version of Tr.exe there. The dropped file is executed after terminating any process with the same name. It will also drop a copy of itself in the same directory. For persistence, it adds a shortcut for the file at the %STARTUP% directory.

For propagation, it installs a hidden copy of itself on any removable drive found on the infected system. It will also drop a shortcut file (.LNK) and move all original files of the removable drive from its root to a created folder named sss.

Figure 2: Code snapshot showing the decompiled script

Figure 3: Code snapshot showing how AutoIt’s FileInstall command is used to bundle an AutoIt script with any file, then load the file during the script’s execution

Figure 4: Code snapshots showing how the shortcut is added (top) and how it propagates through removable drives (bottom)

The dropped Tr.exe is actually another AutoIt-compiled executable script (). Decompiling it reveals that it contains a base64-encoded executable, which it writes to a registry value named Valuex under HKEY_CURRENT_USER\Software. It also creates another value for persistence: an auto-run registry entry (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run) named AdobeMX that executes PowerShell to load the encoded executable via reflective loading (loading an executable from memory rather than from the system’s disk).

Figure 5: Screenshots showing PowerShell loading the encoded executable

Since the executable is loaded directly from the registry into PowerShell’s memory, we were able to dump the specific address where the malicious executable is located. The dumped executable is .NET-compiled and uses a commercial code protector for obfuscation.

The variant of the BLADABINDI backdoor uses water-boom[.]duckdns[.]org as its command-and-control (C&C) server, on port 1177. As with other and previous iterations of BLADABINDI, this fileless version’s C&C-related URL uses a dynamic domain name system (DNS) service. This could potentially allow the attackers to hide the server’s actual IP address or change/update it as necessary.

All files downloaded from the C&C server are stored in the %TEMP% folder as Trojan.exe. It uses the string 5cd8f17f4086744065eb0992a09e05a2 as its mutex as well as its registry hive in the affected machine. It uses the value tcpClient_0 as its HTTP server, where it will receive all stolen information from the infected machine. However, since the value was set to null, all stolen information will be sent to the same C&C server.

When the backdoor runs, it creates a firewall policy that adds PowerShell’s process to the list of allowed programs in the system.

Figure 6: Code snapshots showing the configurations of the BLADABINDI variant (top) and how it creates a firewall policy to add PowerShell to the list of programs allowed to run (bottom)

Figure 7: The backdoor capabilities of the BLADABINDI variant

BLADABINDI’s backdoor capabilities are shown in Figure 7, which include keylogging, retrieving and executing files, and stealing credentials from web browsers.
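The persistence mechanism described above (a base64-encoded executable parked in a registry value, and a Run entry that launches PowerShell to load it from there) leaves two artifacts in a registry export that a defender can hunt for. The following Python script is an added example, not code from the original post or from Trend Micro: it parses a `.reg` export, flags Run values that launch PowerShell with registry-reading or reflective-loading tokens, and flags any string value large enough to hold an executable that decodes to a valid PE image (MZ header whose `e_lfanew` points at a `PE\0\0` signature). The embedded export is constructed for the demo; the value names Valuex and AdobeMX come from the post, the blob contents and the other entries are made up, and the loader command is deliberately elided.

```python
import base64
import binascii
import re

RUN_KEY_SUFFIX = "\\microsoft\\windows\\currentversion\\run"
MIN_BLOB_CHARS = 512  # skip short strings; a base64-encoded PE is never this small
PS_LAUNCH = re.compile(r"(?i)\b(powershell|pwsh)(\.exe)?\b")
PS_REG_LOADER = re.compile(
    r"(?i)Get-ItemProperty|\bgp\b|GetValue\(|Reflection\.Assembly|FromBase64String|-enc(odedcommand)?\b"
)
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _fake_pe(size: int = 1024) -> bytes:
    """Constructed stand-in for a PE image (assumption: not real malware): MZ header
    whose e_lfanew field (offset 0x3C) points at a PE signature at offset 0x80."""
    img = bytearray(size)
    img[0:2] = b"MZ"
    img[0x3C:0x40] = (0x80).to_bytes(4, "little")
    img[0x80:0x84] = b"PE\x00\x00"
    return bytes(img)


# Constructed .reg export mimicking the layout described in the post.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    "[HKEY_CURRENT_USER\\Software]",
    f'"Valuex"="{base64.b64encode(_fake_pe()).decode()}"',
    '"Theme"="Dark"',
    "",
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]",
    '"AdobeMX"="powershell.exe -nop -w hidden -c \\"[Reflection.Assembly]::Load([Convert]::FromBase64String((Get-ItemProperty HKCU:\\\\Software).Valuex)) ...\\""',
    '"OneDrive"="\\"C:\\\\Users\\\\alice\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\\" /background"',
])


def _unescape(s: str) -> str:
    """Undo .reg string escaping (\\\\ -> \\ and \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str):
    """Yield (key, name, data) for every REG_SZ value in a .reg export.
    hex:/dword: values are not handled in this example."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_LINE.match(line)
        if key is None or not m:
            continue
        name, data = _unescape(m.group(1)), m.group(2)
        if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            yield key, name, _unescape(data[1:-1])


def looks_like_pe(blob: bytes) -> bool:
    """True if blob has an MZ header whose e_lfanew lands on a PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(blob[0x3C:0x40], "little")
    return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def decodes_to_pe(data: str) -> bool:
    """True if the string is strict base64 and decodes to something PE-shaped."""
    try:
        blob = base64.b64decode(data, validate=True)
    except binascii.Error:
        return False
    return looks_like_pe(blob)


def hunt(reg_text: str) -> list:
    """Return (finding, key, value_name) tuples for the two artifacts of interest."""
    findings = []
    for key, name, data in parse_reg_export(reg_text):
        if key.lower().endswith(RUN_KEY_SUFFIX):
            if PS_LAUNCH.search(data) and PS_REG_LOADER.search(data):
                findings.append(("run_key_powershell_loader", key, name))
        elif len(data) >= MIN_BLOB_CHARS and decodes_to_pe(data):
            findings.append(("base64_pe_in_registry", key, name))
    return findings


if __name__ == "__main__":
    for finding, key, name in hunt(SAMPLE_REG):
        print(f"{finding}: [{key}] {name}")
```

On a live host the same logic can be pointed at `reg export HKCU\Software out.reg` output; the PE check is what keeps benign long strings (licence blobs, serialized settings) from producing noise, and a hit on both artifacts together is a strong signal for the loader chain described in the post.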

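Both the worm and the dropped Tr.exe are AutoIt-compiled, and Figure 1 points at the common indicator of such binaries. The scanner below is an added example, not code from the original post or from Trend Micro; it looks for two well-known markers of Aut2Exe output, the 16-byte prefix plus `AU3!EA06` tag that heads the compiled-script resource (with the older `AU3!EA05` tag as a fallback) and the UTF-16LE runtime-stub message "This is a third-party compiled AutoIt script.", and walks a directory selecting files by MZ header rather than by extension, since a dropped copy may carry any name. The two sample files it writes are constructed for the demo (the filename Tr.exe comes from the post, the contents do not).

```python
import os
import tempfile

# Compiled-AutoIt markers (well-known indicators, not taken from the post):
AU3_MAGIC = bytes.fromhex("A3484BBE986C4AA9994C530A86D6487D") + b"AU3!EA06"
AU3_LEGACY_TAG = b"AU3!EA05"
AU3_STUB_MSG = "This is a third-party compiled AutoIt script.".encode("utf-16-le")


def autoit_indicators(data: bytes) -> list:
    """Return the compiled-AutoIt markers present in a file's bytes."""
    found = []
    if AU3_MAGIC in data:
        found.append("au3_resource_magic_EA06")
    elif AU3_LEGACY_TAG in data:
        found.append("au3_resource_tag_EA05")
    if AU3_STUB_MSG in data:
        found.append("autoit_stub_message")
    return found


def scan_tree(root: str) -> dict:
    """Walk root and report every PE file (by MZ header) carrying AutoIt markers."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the sweep
            if data[:2] != b"MZ":
                continue
            markers = autoit_indicators(data)
            if markers:
                hits[path] = markers
    return hits


def build_sample_tree(root: str) -> dict:
    """Write two constructed files: a fake compiled-AutoIt binary in a
    subdirectory and a plain MZ file that must not be flagged."""
    usb = os.path.join(root, "usb")
    os.makedirs(usb, exist_ok=True)
    fake_autoit = b"MZ" + bytes(126) + AU3_STUB_MSG + bytes(256) + AU3_MAGIC + bytes(128)
    benign = b"MZ" + bytes(512)
    paths = {"autoit": os.path.join(usb, "Tr.exe"), "benign": os.path.join(root, "notepad.exe")}
    with open(paths["autoit"], "wb") as fh:
        fh.write(fake_autoit)
    with open(paths["benign"], "wb") as fh:
        fh.write(benign)
    return paths


def demo() -> dict:
    """Build the sample tree in a temp dir, scan it, and return both for inspection."""
    root = tempfile.mkdtemp(prefix="autoit-demo-")
    paths = build_sample_tree(root)
    return {"root": root, "paths": paths, "hits": scan_tree(root)}


if __name__ == "__main__":
    result = demo()
    for path, markers in result["hits"].items():
        print(path, markers)
```

A marker hit says only that the file was produced by Aut2Exe, which is also true of plenty of legitimate tooling; it is a triage cue to pull the file into a decompiler, as the post does, not a verdict on its own.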