LetsDefend— Malicious AutoIT Challenge Walkthrough
A malicious script analysis challenge using Detect It Easy, AutoIt-Ripper, and Notepad++
Introduction:
Welcome to my weekly walkthrough! If you’ve stumbled across this blog searching for a comprehensive walkthrough of the Malicious AutoIT challenge from LetsDefend, you’re in the right place.
In this scenario, the SOC has detected malicious activity on an endpoint stemming from a suspicious executable. Our objective is to analyze the suspicious file, extract the script, and determine what it does.
To do this, we’re going to leverage several tools including Detect It Easy, a “powerful tool for file type identification,” AutoIt Ripper to extract the script contents, and trusty Notepad++ for viewing the script contents.
While this challenge is geared toward beginners, there are excellent learning opportunities for all skill levels, especially if you aren’t familiar with AutoIt. Sounds like fun, right? Let’s get into it!
And hey, if you find this walkthrough helpful — whether it levels-up your skills, gets you through a stumbling block, or serves as a handy reference — please give it a clap!
Thanks for reading and going on this investigation with me!
Challenge Link: https://app.letsdefend.io/challenge/malicious-autoit
Challenge Scenario:
Our organization’s Security Operations Center (SOC) has detected suspicious activity related to an AutoIt script. Can you analyze this exe and help us answer the following questions?
Question 1: What is the MD5 hash of the sample file?
Okay, let’s kick off our investigation by extracting the sample.7z archive from the ChallengeFile folder. This will leave us with the sample we need to analyze.
Since we don’t have any information about this file or even what it is, we need to do some sleuthing. A great starting point is to use Detect It Easy (DIE) to identify the file and perform some cursory analysis. Fortunately for us, this tool is already installed on the LetsDefend analysis environment in the Tools folder. Let’s go ahead and open it, then point it to the mysterious sample file.
Once DIE is loaded and has parsed the sample, we can start to gather some information about the file. Notice something interesting in the PE32 info window: it shows that this executable is a compiled AutoIt(3.XX) script.
Let’s get some background on AutoIt. According to the project’s website:
AutoIt v3 is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting. It uses a combination of simulated keystrokes, mouse movement and window/control manipulation in order to automate tasks in a way not possible or reliable with other languages (e.g. VBScript and SendKeys).
and
Scripts can be compiled into standalone executables
Cool! That sounds extremely useful to a system administrator, but it might also be useful for a bad actor. We can confirm this by taking a look at the MITRE ATT&CK knowledge base, where we’ll find that abusing AutoIt scripts is a known adversary technique (T1059.010).
But let’s not get too far ahead of ourselves just yet. To answer Question 1, we first need to collect the MD5 hash of the sample file. We can find this in DIE by pressing File Info, then selecting Hash under the Method drop-down menu.
The MD5 value is all we’ll need to answer Question 1.
Question 2: According to the Detect It Easy (DIE) tool, what is the entropy of the sample file?
We can find the answer to Question 2 with a simple click of the Method drop-down menu again and selecting Entropy:
In malware analysis, entropy measures the randomness within data, with higher values indicating potential obfuscation techniques like encryption or compression, often used by malware to evade detection. For example, the value of the sample we’re analyzing is on the higher side which raises suspicion.
Question 3: According to the Detect It Easy(DIE) tool, what is the virtual address of the “.text” section?
To answer Question 3, navigate back to the main Detect It Easy window and click the ‘>’ to the right of the “Sections” area. This will open up the PE window for a deeper analysis.
Once the window is open, you’ll see a list of sections including the one we are looking for, named .text. The “VirtualAddress” value is what we’re after.
Notice that the question specifies the answer format as 0x0000. This doesn’t match what we are seeing in DIE. No problem! The question is looking for the hexadecimal notation, so we just need to perform a simple conversion. Strip off the leading zeroes used for padding (it doesn’t change the value) and then add the “0x,” prefix to indicate that the number is in the hex format. For example, 00001000 becomes 0x1000 .
Question 4: According to the Detect Easy tool, what is the “time date stamp”?
Question 4 is an easy one. Navigate back to the main Detect It Easy window and we’ll find the information readily available.
Question 5: According to the Detect It Easy (DIE) tool, what is the entry point address of the executable?
Still working within the main Detect it Easy window, look for the Entry point field. Follow the same process that we used in Question 3 to convert the address to the requested format.
Question 6: What is the domain used by the malicious embedded code?
To tackle Question 6, we’re going to need to get creative. Remember back in Question 1 that we learned that AutoIt scripts can be compiled as executables? What if we could extract the AutoIt scripts out of the binary for analysis?
Luckily, there is a tool to do exactly this, and it’s already installed in the LetsDefend analysis environment: AutoIt-Ripper. According to the project’s GitHub, the utility is “a short python script that allows for extraction of ‘compiled’ AutoIt scripts from PE executables,” so we can dissect the resulting .au3 script file.
Referencing the AutoIt-Ripper documentation, we can run the tool from PowerShell with the following syntax:
autoit-ripper sample.exe out_directoryFor example, here is the command I used to extract the script from the sample binary and output to a folder called “ripped”.
autoit-ripper C:\Users\LetsDefend\Desktop\ChallengeFile\sample C:\Users\LetsDefend\Desktop\ChallengeFile\ripped
Then, we’ll take the output file, script.au3 , and open in a text editor like Notepad++ to view the contents. It may look a little overwhelming at first, but let’s scroll through the script, performing a cursory glance for anything that looks like a URL.
Before long, we’ll stumble on line 39 where we see a reference to the InetRead function used to download files from the internet, pointing to a URL containing the domain we’re searching for.
Question 7: What is the file path encoded in hexadecimal in the malicious code?
Continuing to search the script, we’re looking for a hexadecimal number. Remember, we can identify a hexadecimal number by searching for the prefix 0x, the same method we used to format the answers in Questions 3 & 5. We’ll find the answer on line 46.
To figure out the file path, we need to make it readable. We can do this easily by using a tool like CyberChef. Simply add the From Hex operation to the Recipe and paste the value we discovered in the script. This will reveal the file path needed to answer the question.
Question 8: What is the name of the DLL called by the malicious code?
We’ve made it to the last question! Within the script, we see several references to DLLs, but the DllCall function seems to be the most relevant. On line 53, we can see this function being used to call user32.dll .
Conclusion:
There we have it! By using Detect It Easy, we were able to analyze the sample file and determine that it is a compiled AutoIt script. Then, using AutoIt-Ripper, we extracted the script to learn more about its capabilities. With our objectives completed, let’s wrap this investigation!
A big thank you to LetsDefend, for the interesting lab scenario. I selected this one because I was not familiar with AutoIt and its capabilities, but I have seen it mentioned as a potential attack vector recently. It was really fascinating to see how these scripts can be compiled as executables and extremely valuable to learn that the contents can be extracted for analysis. This will be a handy tool for the kit if I encounter this again in the real world.
Thanks for the support and going through this investigation with me. Remember, if you found this walkthrough helpful don’t forget to give it a clap! Your feedback really is invaluable and helps fuel my commitment to support your journey in the security community. Cybersecurity is a team sport and we’re in this together!
Until next week’s challenge — stay curious and be safe out there!
Tools & References:
AutoIT: https://www.autoitscript.com/site/autoit/
Detect-It-Easy: https://github.com/horsicq/Detect-It-Easy
MITRE ATT&CK — Command and Scripting Interpreter: AutoHotKey & AutoIT (T1059.010): https://attack.mitre.org/techniques/T1059/010/
AutoIT Ripper: https://github.com/nazywam/AutoIt-Ripper
Notepad++: https://notepad-plus-plus.org/
VirusTotal: https://www.virustotal.com/
CyberChef: https://gchq.github.io/CyberChef/
