Help understanding autohotkey virus Topic is solved

hatzilim

Help understanding autohotkey virus

28 May 2018, 11:33

I discovered that I was somehow infected with an autohotkey virus - I saw a strange folder in my dropbox and eventually tracked it back to my computer at home, where I found autohotkey running (and set to run at startup).
I think it came via an infected USB drive - there were shortcut links on the disk (in every folder); clicking on one of the links (which was named to be similar to a real file) installed the script + autohotkey. Later it did the same thing to every directory on multiple drives.

I think I have removed all traces, but I am interested to know what it was doing. The person who wrote it clearly did some obfuscating to the source code, so I haven't been able to work it out. Can anyone help me?
Was it connecting to some server? Which one?

Of course, don't run the script yourself! The entire code is below.

Thanks,

Jason

Edit: Moderator edit to remove malicious code. A mirror of it can be found by Googling for the hash 5ae1c07477d7dc0d380c3bc3
joedf
Posts: 8940
Joined: 29 Sep 2013, 17:08
Location: Canada
Contact:

Re: Help understanding autohotkey virus

28 May 2018, 14:22

Interesting... it seems to be an obfuscated script. :think:
Do you know what it did?
Windows 10 x64 Professional, Intel i5-8500, NVIDIA GTX 1060 6GB, 2x16GB Kingston FURY Beast - DDR4 3200 MHz | [About Me] | [About the AHK Foundation] | [Courses on AutoHotkey]
[ASPDM - StdLib Distribution] | [Qonsole - Quake-like console emulator] | [LibCon - Autohotkey Console Library]
swagfag
Posts: 6222
Joined: 11 Jan 2017, 17:59

Re: Help understanding autohotkey virus

28 May 2018, 14:54

I can already foresee someone hitting that convenient download button and running the script; should probably do something about that.
Guest

Re: Help understanding autohotkey virus

28 May 2018, 15:28

1 - Duplicate post: https://autohotkey.com/boards/viewtopic.php?f=5&t=49727
2 - edit the code to comment it all - add /* at the top of the script
3 - or move the code to pastebin or something - in sections
hatzilim
Posts: 2
Joined: 28 May 2018, 13:53

Re: Help understanding autohotkey virus

28 May 2018, 15:48

I don't know what it did, that is what I am looking for help with.

All I know is that it was creating more .lnk files, which had a target:

C:\WINDOWS\system32\cmd.exe "/c start tatdhfzpcxwcbimdnliyx\tatdhfzpcxwcbimdnliyx.exe tatdhfzpcxwcbimdnliyx\tatdhfzpcxwcbimdnliyx.txt tat &exit"

The .exe is just a renamed autohotkey.exe, and the .txt is the file above.

I'm assuming that these lines:

f#ffiiifk#.Open(ffkkfii@@ii@("474554"), k@k#kkf@@jj#haku . "/" . f@f@@jj#haku#k#f@f() , true)
f#ffiiifk#.Send()
f#ffiiifk#.WaitForResponse()

are sending something to a website, but I have no idea to what website or what it is sending.
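The shortcut target quoted above has a recognisable shape: cmd.exe /c start launching an .exe and a .txt from a folder where the folder, the executable and the script all share one random name. The following is an added example, not code from the thread, that turns that shape into a detection check over a list of shortcut target strings. The sample targets are constructed for the example (the first one is the target quoted in the post); how you extract the targets from real .lnk files (for example via WScript.Shell's CreateShortcut in a script, or a .lnk parser) is left to the reader.

```python
"""Flag .lnk target command lines matching the propagation pattern from the thread:
cmd.exe /c start <name>\<name>.exe <name>\<name>.txt ... &exit
where <name> is one random string reused for the folder, the renamed interpreter
and the script file."""
import re

# Constructed sample shortcut targets; only the first matches the worm pattern.
SAMPLE_TARGETS = [
    r'C:\WINDOWS\system32\cmd.exe "/c start tatdhfzpcxwcbimdnliyx\tatdhfzpcxwcbimdnliyx.exe '
    r'tatdhfzpcxwcbimdnliyx\tatdhfzpcxwcbimdnliyx.txt tat &exit"',
    r'C:\Program Files\Mozilla Firefox\firefox.exe',
    r'C:\WINDOWS\system32\cmd.exe "/c start notepad.exe readme.txt &exit"',
]

# cmd.exe, optional opening quote, /c start, then <dir>\<exe>.exe <dir>\<txt>.txt
LNK_PATTERN = re.compile(
    r'cmd\.exe\s+"?/c\s+start\s+'
    r'(?P<dir>[A-Za-z0-9_]+)\\(?P<exe>[A-Za-z0-9_]+)\.exe\s+'
    r'(?P=dir)\\(?P<txt>[A-Za-z0-9_]+)\.txt',
    re.IGNORECASE,
)


def is_suspicious_lnk_target(target: str) -> bool:
    """True when the target launches an .exe plus a .txt from a folder that
    shares the same name as both files (the relative-path worm layout)."""
    match = LNK_PATTERN.search(target)
    if not match:
        return False
    names = {match.group(g).lower() for g in ("dir", "exe", "txt")}
    return len(names) == 1


def scan_targets(targets):
    """Return the subset of shortcut targets that match the pattern."""
    return [t for t in targets if is_suspicious_lnk_target(t)]


if __name__ == "__main__":
    for hit in scan_targets(SAMPLE_TARGETS):
        print("suspicious shortcut target:", hit)
```

The name-equality check is what separates this layout from an ordinary "cmd /c start something.exe" shortcut; since the .exe is a renamed interpreter, a second check on the file's version information (original filename) would confirm what was actually launched.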
AHKStudent
Posts: 1472
Joined: 05 May 2018, 12:23

Re: Help understanding autohotkey virus

28 May 2018, 15:53

Run a debugger and monitor it; the same letters appear very often too. Wish I could help you more.
Xatmo97
Posts: 15
Joined: 27 May 2014, 12:50

Re: Help understanding autohotkey virus (Topic is solved)

28 May 2018, 17:00

It looks like it's using what was called the dynamic obfuscator. Also, in the code I've seen the string "downloading". Either it downloads the key to decode the script, or the key may be contained somewhere within the script itself.

Whoever owns the dynamic obfuscator might be able to reverse the process, but I don't know.
https://github.com/davidmalia/autohotkey-obfuscator

You could also run Wireshark and see what IP address it's connecting to.
AHKStudent
Posts: 1472
Joined: 05 May 2018, 12:23

Re: Help understanding autohotkey virus

28 May 2018, 17:19

Xatmo97 wrote: It looks like it's using what was called the dynamic obfuscator. Also, in the code I've seen the string "downloading". Either it downloads the key to decode the script, or the key may be contained somewhere within the script itself.

Whoever owns the dynamic obfuscator might be able to reverse the process, but I don't know.
https://github.com/davidmalia/autohotkey-obfuscator

You could also run Wireshark and see what IP address it's connecting to.
Good find! Is there a program to reverse what it does?

https://github.com/davidmalia/autohotke ... scated.ahk
Guest

Re: Help understanding autohotkey virus

29 May 2018, 03:40

Here are all the variables decoded (took only a minute). I disabled the URLs, but these are the strings; it seems to be a crypto miner... it seems to try to disable some Windows security settings as well.
Sad.
25434F4D50555445524E414D4525 : %COMPUTERNAME%
25555345524E414D4525 : %USERNAME%
283F503C4E616D653E2E2A3F29 : (?P<Name>.*?)
2D646F776E6C6F6164 : -download
2D736372697074 : -script
2D736C656570 : -sleep
2D757064617465 : -update
2E657865 : .exe
2E65786520433A5C : .exe C:\
2E747874 : .txt
2F312F : /1/
3A213A : :!:
3A3A283F503C4E616D653E2E2A3F293A3A : ::(?P<Name>.*?)::
4142434445464748494A4B4C4D4E4F505152535455565758595A6162636465666768696A6B6C6D6E6F707172737475767778797A30313233343536373839 : ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
416E7469566972757350726F64756374 : AntiVirusProduct
433A : C:
433A5C : C:\
4552524F52 : ERROR
474554 : GET
484B4355 : HKCU
5245475F535A : REG_SZ
536372697074696E672E46696C6553797374656D4F626A656374 : Scripting.FileSystemObject
53656C656374202A2066726F6D2057696E33325F50726F63657373 : Select * from Win32_Process
536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E5C52756E : Software\Microsoft\Windows\CurrentVersion\Run
556E6B6E6F776E : Unknown
575363726970742E5368656C6C : WScript.Shell
57696E33325F4F7065726174696E6753797374656D : Win32_OperatingSystem
57696E487474702E57696E48747470526571756573742E352E31 : WinHttp.WinHttpRequest.5.1
5C : \
5C2452454359434C452E42494E : \$RECYCLE.BIN
61 : a
6123 : a#
6140 : a@
62 : b
6223 : b#
6240 : b@
63 : c
6323 : c#
6340 : c@
6363 : cc
636D642E657865 : cmd.exe
636F756C646E7420636F6E6E65637420746F20 : couldnt connect to
636F756C646E742066696E6420636F6D6D616E6420696E20 : couldnt find command in
637075636865636B65722E657865 : cpuchecker.exe
637075636865636B657233322E657865 : cpuchecker32.exe
64 : d
6423 : d#
6440 : d@
6464 : dd
646F776E6C6F61642D : download-
646F776E6C6F6164696E672075706461746520 : downloading update
65 : e
6523 : e#
6540 : e@
6565 : ee
66 : f
6623 : f#
6640 : f@
6666 : ff
67 : g
6723 : g#
6740 : g@
67657420636F6D6D616E64 : get command
6767 : gg
68 : h
6823 : h#
6840 : h@
6868 : hh
687474703A2F2F6E6577616C7068612E616C7068616E6F6F622E636F6D3A39383938 : http:// newalpha.alphanoob.c*m:9898
687474703A2F2F6E6577616C7068612E616C7068616E6F6F622E636F6D3A39393939 : http:// newalpha.alphanoob.c*m:9999
687474703A2F2F6E6577616C7068612E73757065722D67616D657A65722E636F6D3A39333333 : http:// newalpha. super-gamezer.c*m:9333
687474703A2F2F6E6F6F626D696E65722E7075626C6963766D2E636F6D3A39383938 : http:// noobminer .publicvm. c*m:9898
687474703A2F2F7375706572616C7068612E6E65776D696E6572736167652E636F6D3A33333333 : http:// superalpha. newminersage.c*m:3333
687474703A2F2F7375706572616C7068612E7261646E65776167652E636F6D3A39383938 : http:// superalpha. radnewage. c*m:9898
69 : i
6923 : i#
6940 : i@
6969 : ii
6A : j
6A23 : j#
6A40 : j@
6A6A : jj
6B : k
6B23 : k#
6B40 : k@
6B6B : kk
6C : l
6C23 : l#
6C40 : l@
6C697665776F726B65722E657865 : liveworker.exe
6C6C : ll
6D : m
6D23 : m#
6D40 : m@
6D6D : mm
6E : n
6E23 : n#
6E40 : n@
6E6E : nn
6E6F76612E657865 : nova.exe
6F : o
6F23 : o#
6F40 : o@
6F6F : oo
70 : p
7023 : p#
7040 : p@
7070 : pp
71 : q
7123 : q#
7140 : q@
7171 : qq
72 : r
7223 : r#
7240 : r@
726164 : rad
7272 : rr
73 : s
7323 : s#
7340 : s@
7363687461736B73202F637265617465202F7363206D696E757465202F6D6F2031202F746E : schtasks /create /sc minute /mo 1 /tn
7363687461736B732E657865 : schtasks.exe
7363726970742D : script-
736C6565702D : sleep-
736C656570696E6720 : sleeping
737065656475702E657865 : speedup.exe
7373 : ss
73747265616D65722E657865 : streamer.exe
7375706572636865636B65722E657865 : superchecker.exe
73797374656D666978 : systemfix
74 : t
7423 : t#
7440 : t@
7474 : tt
75 : u
7523 : u#
7540 : u@
7570646174652D : update-
75706461746573656C662D : updateself-
7575 : uu
76 : v
7623 : v#
7640 : v@
7676 : vv
77 : w
7723 : w#
7740 : w@
77696E6D676D74733A : winmgmts:
77696E6D676D74733A5C5C : winmgmts:\\
77696E6D676D74733A5C5C6C6F63616C686F73745C726F6F745C736563757269747963656E74657232 : winmgmts:\\localhost\root\securitycenter2
7777 : ww
78 : x
7823 : x#
7840 : x@
7878 : xx
787878 : xxx
79 : y
7923 : y#
7940 : y@
7979 : yy
7A : z
7A23 : z#
7A40 : z@
7A7A : zz
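The table above shows that the obfuscator hides every string constant as a hex literal passed to a decoder function, which is also what the `f#ffiiifk#.Open(ffkkfii@@ii@("474554"), ...)` line quoted earlier in the thread is doing (474554 is "GET"). The following is an added example, not code from the thread or from the obfuscator project, that automates that first triage step: it pulls every quoted hex literal out of a script, decodes it, groups the results by indicator type and rewrites a line with its constants decoded. The sample fragment is constructed in the style of the quoted script; the decoder function name and variable names are made up, the hex values are taken from the table above, and the real domains are replaced by a constructed example.com placeholder.

```python
"""Triage helper for hex-literal string obfuscation in an AutoHotkey script:
find every quoted hex constant, decode it, and group the results."""
import re
from collections import defaultdict

# Constructed sample in the style of the obfuscated script (names made up,
# hex constants from the decoded table, domain replaced by a placeholder).
SAMPLE_SCRIPT = r'''
f#ffiiifk# := ComObjCreate(ffkkfii@@ii@("57696E487474702E57696E48747470526571756573742E352E31"))
f#ffiiifk#.Open(ffkkfii@@ii@("474554"), k@k#kkf@@jj#haku . "/" . f@f@@jj#haku#k#f@f() , true)
f#ffiiifk#.Send()
RegWrite, REG_SZ, HKCU, % ffkkfii@@ii@("536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E5C52756E")
Run, % ffkkfii@@ii@("7363687461736B73202F637265617465202F7363206D696E757465202F6D6F2031202F746E") . " " . name
url := ffkkfii@@ii@("687474703A2F2F6D696E65722E6578616D706C652E636F6D3A39383938")
'''

# A quoted, even-length hex string that is the sole argument of some call.
HEX_LITERAL = re.compile(r'\("((?:[0-9A-Fa-f]{2}){2,})"\)')

# Ordered coarse buckets for the decoded strings; first match wins.
CATEGORIES = [
    ("url", re.compile(r"^https?://", re.IGNORECASE)),
    ("executable", re.compile(r"\.exe\b", re.IGNORECASE)),
    ("persistence", re.compile(r"schtasks|CurrentVersion\\Run|HKCU", re.IGNORECASE)),
    ("wmi", re.compile(r"winmgmts|Win32_", re.IGNORECASE)),
    ("com_object", re.compile(r"^[A-Za-z]+\.[A-Za-z0-9.]+$")),
]


def decode_hex(hex_value: str) -> str:
    """Decode one hex literal to text (non-ASCII bytes become U+FFFD)."""
    return bytes.fromhex(hex_value).decode("ascii", "replace")


def decode_hex_literals(script: str) -> dict:
    """Map every hex literal found in the script to its decoded string."""
    return {m.group(1): decode_hex(m.group(1)) for m in HEX_LITERAL.finditer(script)}


def categorize(decoded: str) -> str:
    """Assign a decoded constant to the first matching indicator bucket."""
    for label, pattern in CATEGORIES:
        if pattern.search(decoded):
            return label
    return "other"


def triage(script: str) -> dict:
    """Group all decoded constants: {category: sorted list of strings}."""
    groups = defaultdict(set)
    for text in decode_hex_literals(script).values():
        groups[categorize(text)].add(text)
    return {label: sorted(values) for label, values in groups.items()}


def deobfuscate_line(line: str) -> str:
    """Replace each hex-literal call argument with its decoded text for reading."""
    return HEX_LITERAL.sub(lambda m: '("' + decode_hex(m.group(1)) + '")', line)


if __name__ == "__main__":
    for label, values in sorted(triage(SAMPLE_SCRIPT).items()):
        print(label)
        for value in values:
            print("   ", value)
    print()
    for line in SAMPLE_SCRIPT.strip().splitlines():
        print(deobfuscate_line(line))
```

Running it on the sample prints the WinHttp.WinHttpRequest.5.1 COM object, the GET verb, the Run key path, the schtasks command prefix and the placeholder URL in their buckets, then the same lines with readable constants. The buckets are deliberately coarse; their purpose is to surface the network, persistence and payload indicators first, before anyone reads the decoder function itself.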
Guest

Re: Help understanding autohotkey virus

29 May 2018, 06:42

To moderators: if you approve the decoded strings post "above" - you can delete the script code from the forum, no need to help other bad people by keeping the code on the forum.
geek
Posts: 1052
Joined: 02 Oct 2013, 22:13
Location: GeekDude
Contact:

Re: Help understanding autohotkey virus

29 May 2018, 09:01

I wrote a script to deobfuscate the malware, though I won't share it here.

It's a neat piece of software though the code is pretty sloppy. It's definitely designed for a bitcoin mining botnet. However, it could be updated to do something else in the future.

Some of the things it does:
  • Registers a scheduled task to re-launch the script every minute
  • Installs a registry key to launch the script on startup
  • Fingerprints the machine using the boot drive's serial code, the operating system version number A_OSVersion, and the OS version string (e.g. "Windows 7 Home Premium")
  • Collects usage analytics, reporting things such as OS version, AntiVirus version, and whether the payload(s) were able to be run successfully
  • It has automatic updates
  • It scans the system for external drives to propagate to, like a worm
  • To some extent, it randomizes the script obfuscation on start
As for what domains it connects to, those are here:

[Image: screenshot listing the domains the script connects to]

Edited to add: These are probably the processes you should be looking out for; they seem to be the actual payload of the script.

[Image: screenshot listing the payload process names]
Whitehat

Re: Help understanding autohotkey virus

29 May 2018, 14:13

I've already reported those URLs to their host so that they may take them down.
AHKStudent
Posts: 1472
Joined: 05 May 2018, 12:23

Re: Help understanding autohotkey virus

29 May 2018, 15:49

GeekDude wrote: I wrote a script to deobfuscate the malware, though I won't share it here.

It's a neat piece of software though the code is pretty sloppy. It's definitely designed for a bitcoin mining botnet. However, it could be updated to do something else in the future.

Some of the things it does:
  • Registers a scheduled task to re-launch the script every minute
  • Installs a registry key to launch the script on startup
  • Fingerprints the machine using the boot drive's serial code, the operating system version number A_OSVersion, and the OS version string (e.g. "Windows 7 Home Premium")
  • Collects usage analytics, reporting things such as OS version, AntiVirus version, and whether the payload(s) were able to be run successfully
  • It has automatic updates
  • It scans the system for external drives to propagate to, like a worm
  • To some extent, it randomizes the script obfuscation on start
As for what domains it connects to, those are here:

[Image: screenshot listing the domains the script connects to]

Edited to add: These are probably the processes you should be looking out for; they seem to be the actual payload of the script.

[Image: screenshot listing the payload process names]
Will you share it on your GitHub?
hatzilim
Posts: 2
Joined: 28 May 2018, 13:53

Re: Help understanding autohotkey virus

29 May 2018, 16:07

Thanks for all your help with the decoding, I appreciate it.

I don't see any of those processes running (nor autohotkey by itself), so hopefully it is gone!
geek
Posts: 1052
Joined: 02 Oct 2013, 22:13
Location: GeekDude
Contact:

Re: Help understanding autohotkey virus

29 May 2018, 18:12

If anyone wants a copy of the script I wrote to help decode the malware, send me a private message or contact me on IRC/Discord (see the link in my signature). It's pretty specific to that exact script, and wouldn't be of too much use for decoding other scripts.
