
Friday, July 5, 2019

AutoIt Compiled FORMBOOK malware bypassing UAC, Anti-VM and Obfuscation ...


AutoIt is one of the compilers most abused by malware because of its flexibility, the ease of obfuscating its scripts like any other scripting language, and the fact that decompressing a compiled AutoIt file is quite expensive for some AV products. I found a "FORMBOOK" sample that uses this compilation. In this post I will show some of the techniques it uses to bypass UAC, detect VMs, obfuscate its code, and more.

So let's start :)

FORMBOOK Code Obfuscation:

Upon extracting the AutoIt script of this malware, you can see right away that its code is obfuscated and some of its strings are encoded.


figure 1: formbook autoit script

Decoding Process:

There are two functions responsible for decoding the encoded strings: "FUNC VXAUWUFVKBKH" and "FUNC MIBYZTSVUFNMTML". "FUNC VXAUWUFVKBKH" only reverses the string passed to it.

figure 2: function for reversing the string
The other function initializes a STANDARD_ALPHANUM_TABLE, then splits the comma-separated string; each number serves as an index into the ALPHANUM_TABLE to recover the actual string.


figure 3: decoder function

I converted these two functions to Python to decode every string in this AutoIt script file, which makes static analysis much easier.

figure 4: part of my python script to decode the string
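As an added illustration (not the author's script from figure 4), here is a Python version of the two decoder functions as the post describes them, plus a pass that rewrites every nested decoder call into its plain literal and lists variables that are never referenced again (the garbage-code tell). The table contents, the call order (decode the indices, then reverse) and the AutoIt fragment are assumptions constructed for the demo, since the page does not reproduce them.

```python
import re
from collections import Counter

# Assumed table: the sample's real STANDARD_ALPHANUM_TABLE is not reproduced on the page.
ALPHANUM_TABLE = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ._-\\: "

def vxauwufvkbkh(s: str) -> str:
    """Mirror of FUNC VXAUWUFVKBKH: returns its input reversed."""
    return s[::-1]

def mibyztsvufnmtml(encoded: str) -> str:
    """Mirror of FUNC MIBYZTSVUFNMTML: each comma-separated number indexes the table."""
    chars = []
    for tok in (t.strip() for t in encoded.split(",") if t.strip()):
        idx = int(tok)
        if not 0 <= idx < len(ALPHANUM_TABLE):
            raise ValueError(f"index {idx} is outside the assumed table")
        chars.append(ALPHANUM_TABLE[idx])
    return "".join(chars)

def decode_literal(encoded: str) -> str:
    """Assumed call order in the script: decode the indices, then reverse the result."""
    return vxauwufvkbkh(mibyztsvufnmtml(encoded))

def encode_for_demo(plain: str) -> str:
    """Inverse of decode_literal; used only to build the constructed sample below."""
    return ",".join(str(ALPHANUM_TABLE.index(c)) for c in vxauwufvkbkh(plain))

CALL_RE = re.compile(r'VXAUWUFVKBKH\(MIBYZTSVUFNMTML\("([0-9, ]*)"\)\)')

def deobfuscate_script(script: str) -> str:
    """Replace every nested decoder call with the plain string literal it yields."""
    return CALL_RE.sub(lambda m: '"' + decode_literal(m.group(1)) + '"', script)

def unused_variables(script: str) -> list:
    """AutoIt variables that occur exactly once (assigned, never read): garbage-code candidates."""
    counts = Counter(re.findall(r"\$[A-Za-z_]\w*", script))
    return sorted(v for v, n in counts.items() if n == 1)

# Constructed AutoIt fragment, encoded with the same scheme so the decoder runs offline.
SAMPLE_SCRIPT = (
    '$VMTOOLS = VXAUWUFVKBKH(MIBYZTSVUFNMTML("' + encode_for_demo("vmtoolsd.exe") + '"))\n'
    '$JUNK1 = VXAUWUFVKBKH(MIBYZTSVUFNMTML("' + encode_for_demo("abc123") + '"))\n'
    "If ProcessExists($VMTOOLS) Then Exit\n"
)

if __name__ == "__main__":
    print(deobfuscate_script(SAMPLE_SCRIPT))
    print("never referenced again:", unused_variables(SAMPLE_SCRIPT))
```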


Below is the decoded string output of my Python script. Looking at it, you may notice that some of the variables have no other reference and are never used anywhere else in the code: they are garbage code added to further obfuscate the script and make analysis more confusing.


figure 5: decoded formbook autoit script

Anti-VM:

I also tried running this malware in blackbox testing, but it did nothing, and the same happened on the app.any.run site. After deobfuscating the strings I found that it checks for process artifacts related to VMware and VirtualBox; if one is found, it closes the process.

figure 6: anti-vm technique


Bypassing UAC :

In previous Formbook variants it tried to disable LUA, DisableRegistryTool and more. This variant tries to disable UAC on the infected machine. It starts by checking the OS version to choose which bypass technique to use: on Windows 7 or 8 it uses EventVwr to bypass UAC, and on Windows 10 it uses FodHelper.

figure 7: OS version

figure 8: bypassing UAC using Eventvwr


figure 9: bypassing UAC using FodHelper

RUNPE:


It also runs a function called "runpe", which takes as a parameter a list of resource (rsrc) names that contain encrypted data. It also generates shellcode to carry out the rest of its malicious activity.

figure 10: runpe function

figure 11: python script to generate the shellcode

figure 12: sample code of the shellcode (Mutex)

Conclusion:

In this analysis I realized that digging deeper into known and prevalent malware helps us learn new things, such as how it tries to bypass security policy and gain admin privileges.

IOC:

SHA1: 3a7fbe4c15ba812b5bab2b9f1d9a5dc247668e77
MD5: 20de5694d7afa40cf8f0c88c86d22b1d
SHA256: 12b2ba18d1b67dced8685acb7793b5208d00b0fcd80e87573deb569907295a03
