Today I Learned - Instrument ClamAV to extract AutoIT scripts
Introduction
A customer contacted us because they intend to use SimpleLAPS-GUI in their company. However, multiple AV vendors flag the precompiled binary (SimpleLapsGui.exe) as malicious (see here). According to the FAQ in the SimpleLAPS-GUI GitHub repository:
Does the exe version contain viruses? It is reported on “virustotal.com”.
No it doesn’t. This happens because of the AutoIT v3 executable used as wrapper. You can download the PowerShell version instead. (Please note that the PowerShell script doesn’t hide its window.)
Let’s analyze the binary and extract the AutoIT script 🤓
AutoIT malware is not a new topic (see here for a recent report from the Splunk team). Multiple tools and scripts exist to extract the AutoIT script from a binary to analyze the script’s functionality. One of the more prominent examples of these tools is the Universal AutoIT Extractor and De-obfuscator, which worked fine in this case.
ClamAV
However, ClamAV can also be used to extract AutoIT scripts from binaries. During a scan ClamAV creates temporary directories and saves the files and scripts it unpacks there so that it can scan them in turn. With the parameter --leave-temps we instruct ClamAV not to clean up these temporary directories and files, and with the parameter --tempdir we tell ClamAV where to put them. Here is an example:
# clamscan --leave-temps --tempdir=/tmp/autoit
/tmp/LICENSE.md: OK
/tmp/SimpleLapsGui_v1.2_Exe.zip: OK
/tmp/SimpleLapsGui.exe: OK
----------- SCAN SUMMARY -----------
Known viruses: 8692897
Engine version: 0.103.11
Scanned directories: 1
Scanned files: 3
Infected files: 0
Data scanned: 2.04 MB
Data read: 1.56 MB (ratio 1.30:1)
Time: 33.115 sec (0 m 33 s)
Start Date: 2024:05:17 07:42:17
End Date: 2024:05:17 07:42:50
ClamAV created several files and directories in the specified location (/tmp/autoit). Below is the truncated output of find listing the generated files and folders:
/tmp/autoit# find .
[..]
./20240517_074247-SimpleLapsGui_v1.2_Exe.zip.44cd5fb673/SimpleLapsGui_v1.2_Exe.zip.caf53cab24/SimpleLapsGui.exe.69065ed383
./20240517_074247-SimpleLapsGui_v1.2_Exe.zip.44cd5fb673/SimpleLapsGui_v1.2_Exe.zip.caf53cab24/SimpleLapsGui.exe.69065ed383/clamav-beeb477348c97d379a9cb983dc1cf806.tmp
./20240517_074247-SimpleLapsGui_v1.2_Exe.zip.44cd5fb673/SimpleLapsGui_v1.2_Exe.zip.caf53cab24/SimpleLapsGui.exe.69065ed383/clamav-beeb477348c97d379a9cb983dc1cf806.tmp/clamav-b53438838cef1b5616e57c4281346137.tmp
./20240517_074247-SimpleLapsGui_v1.2_Exe.zip.44cd5fb673/SimpleLapsGui_v1.2_Exe.zip.caf53cab24/SimpleLapsGui.exe.69065ed383/autoit-tmp.8b4b7a9f25
./20240517_074247-SimpleLapsGui_v1.2_Exe.zip.44cd5fb673/SimpleLapsGui_v1.2_Exe.zip.caf53cab24/SimpleLapsGui.exe.69065ed383/autoit-tmp.8b4b7a9f25/autoit.001
./20240517_074247-SimpleLapsGui_v1.2_Exe.zip.44cd5fb673/SimpleLapsGui_v1.2_Exe.zip.caf53cab24/SimpleLapsGui.exe.69065ed383/autoit-tmp.8b4b7a9f25/autoit.002
[..]
The files autoit.001 and autoit.002 look promising. autoit.002 is the same PowerShell script as hosted on GitHub (same hash). autoit.001 is the actual AutoIT script. Here is the beginning of the file ClamAV extracted:
# head autoit.001
##NoTrayIcon
##Region
##AutoIt3Wrapper_Icon=..\images\appIcon.ico
##AutoIt3Wrapper_Outfile_x64=..\Release\SimpleLapsGui.exe
##AutoIt3Wrapper_UseX64=y
##AutoIt3Wrapper_Res_Description=Simple gui script for LAPS.
##AutoIt3Wrapper_Res_Fileversion=1.2
##AutoIt3Wrapper_Res_ProductName=Simple LAPS GUI
##AutoIt3Wrapper_Res_ProductVersion=1.2
##AutoIt3Wrapper_Res_CompanyName=htcfreek (Heiko Horwedel)
And here is the end of the file:
# tail autoit.001
$STEMPNAME &= CHR ( RANDOM ( 0x00000061 , 0x0000007a , 0x00000001 ) )
WEND
$STEMPNAME = $SDIRECTORYNAME & "\" & $SFILEPREFIX & $STEMPNAME & "." & $SFILEEXTENSION
UNTIL NOT FILEEXISTS ( $STEMPNAME )
RETURN $STEMPNAME
ENDFUNC
$TNAME = _TEMPFILE( "" , "" , "_SimpleLapsGui.ps1" )
FILEINSTALL ( ".\SimpleLapsGui.ps1" , $TNAME )
RUNWAIT ( "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -STA -File "" & $TNAME & """ , @SYSTEMDIR , @SW_HIDE )
FILEDELETE ( $TNAME )
The content of this file matches the PS1Wrapper.au3 file hosted in the GitHub repository.
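The steps above (run clamscan with --leave-temps and --tempdir, locate the autoit.NNN files in the tree it leaves behind, and compare their hashes against the files the project publishes) can be scripted for the automation use case. The following Python is an added example, not code from this post, from ClamAV or from the SimpleLAPS-GUI project. The clamscan call uses only the two switches shown above; the directory names and file contents in make_demo_tree are constructed stand-ins shaped like the find output, not real extraction results, and the function names are mine.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path


def run_clamscan(targets, tempdir):
    """Run clamscan with the two switches from the post so that everything ClamAV
    unpacks during the scan stays on disk under `tempdir`. Needs clamscan on PATH;
    the functions below only need the resulting directory tree."""
    Path(tempdir).mkdir(parents=True, exist_ok=True)
    cmd = ["clamscan", "--leave-temps", f"--tempdir={tempdir}", *map(str, targets)]
    # clamscan exit codes: 0 = nothing found, 1 = something found, 2 = error
    return subprocess.run(cmd, check=False).returncode


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect_autoit_artifacts(tempdir):
    """Map every file ClamAV wrote into an 'autoit-tmp.*' directory (autoit.001,
    autoit.002, ...) to its SHA-256, keyed by path relative to tempdir.
    Other temp files (clamav-*.tmp) are ignored."""
    root = Path(tempdir)
    return {
        str(p.relative_to(root)): sha256_hex(p.read_bytes())
        for p in sorted(root.rglob("autoit.*"))
        if p.is_file() and p.parent.name.startswith("autoit-tmp.")
    }


def match_reference(artifacts, reference_sha256):
    """Names of extracted artifacts whose hash equals that of a file you trust
    (e.g. the script published in the project's repository), tying a bundled
    payload back to known source."""
    want = reference_sha256.lower()
    return [name for name, digest in artifacts.items() if digest == want]


# Constructed stand-ins for the extracted files, so the collector can be
# exercised without clamscan or the real binary.
DEMO_AU3 = b"#NoTrayIcon\n#AutoIt3Wrapper_UseX64=y\nRunWait(\"powershell.exe\")\n"
DEMO_PS1 = b"Write-Host 'constructed stand-in for SimpleLapsGui.ps1'\n"


def make_demo_tree():
    """Build a --tempdir tree laid out like the find output in the post
    (hash suffixes are made up)."""
    root = Path(tempfile.mkdtemp(prefix="autoit-demo-"))
    exe_dir = root / "sample.zip.deadbeef01" / "sample.exe.deadbeef02"
    exe_dir.mkdir(parents=True)
    (exe_dir / "clamav-deadbeef03.tmp").write_bytes(b"unrelated unpacked section")
    au_dir = exe_dir / "autoit-tmp.deadbeef04"
    au_dir.mkdir()
    (au_dir / "autoit.001").write_bytes(DEMO_AU3)
    (au_dir / "autoit.002").write_bytes(DEMO_PS1)
    return root


if __name__ == "__main__":
    root = make_demo_tree()
    found = collect_autoit_artifacts(root)
    for name, digest in found.items():
        print(f"{digest}  {name}")
    print("matches published script:", match_reference(found, sha256_hex(DEMO_PS1)))
```

For a real run, call run_clamscan([path_to_zip_or_exe], "/tmp/autoit") first and then point collect_autoit_artifacts at the same directory; the reference hash is the SHA-256 of the script as published in the repository, computed on a copy you fetched yourself.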
autoit-ripper (better safe than sorry)
Here is another technique we could use to extract the AutoIT script. Install the Python module autoit-ripper:
# python3 -m pip install autoit-ripper
And point it to our executable:
# autoit-ripper SimpleLapsGui.exe autoit_ripper_output/
INFO:root:Storing result in autoit_ripper_output/script.au3
INFO:root:Storing result in autoit_ripper_output/SimpleLapsGui.ps1
Same procedure as before. Checking the beginning of the file:
# head script.au3
#NoTrayIcon
#Region
#AutoIt3Wrapper_Icon=..\images\appIcon.ico
#AutoIt3Wrapper_Outfile_x64=..\Release\SimpleLapsGui.exe
#AutoIt3Wrapper_UseX64=y
#AutoIt3Wrapper_Res_Description=Simple gui script for LAPS.
#AutoIt3Wrapper_Res_Fileversion=1.2
#AutoIt3Wrapper_Res_ProductName=Simple LAPS GUI
#AutoIt3Wrapper_Res_ProductVersion=1.2
#AutoIt3Wrapper_Res_CompanyName=htcfreek (Heiko Horwedel)
And the end of the file:
# tail script.au3
$STEMPNAME &= Chr ( Random ( 97 , 122 , 1 ) )
WEnd
$STEMPNAME = $SDIRECTORYNAME & "\" & $SFILEPREFIX & $STEMPNAME & "." & $SFILEEXTENSION
Until Not FileExists ( $STEMPNAME )
Return $STEMPNAME
EndFunc
$TNAME = _TEMPFILE ( "" , "" , "_SimpleLapsGui.ps1" )
FileInstall ( ".\SimpleLapsGui.ps1" , $TNAME )
RunWait ( "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -STA -File """ & $TNAME & """" , @SystemDir , @SW_HIDE )
FileDelete ( $TNAME )
Looks good, too! Excellent - we used two different ways to extract AutoIT scripts and were not dependent on a Windows binary, which might be handy for automation tasks.
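Comparing the two dumps line by line is noisy: ClamAV's autoit.001 upper-cases every keyword and prints numeric arguments as hex (CHR ( RANDOM ( 0x00000061 , ...), while autoit-ripper keeps mixed case and decimal literals, and the spacing around parentheses and the leading # markers differ as well. The following Python normalizer is an added example, not code from this post or from either tool, that folds those cosmetic differences away before diffing so only substantive differences remain. The two sample strings are the tail lines shown above; the names normalize_line and script_diff are mine. On these samples the only line left is the RunWait call, where the two tools render the escaped quotes around $TNAME differently, which is exactly the line to inspect by hand.

```python
import difflib
import re

# The last lines of the wrapper script as the two decompilers printed them
# (ClamAV's autoit.001 first, autoit-ripper's script.au3 second).
CLAMAV_TAIL = r'''$STEMPNAME &= CHR ( RANDOM ( 0x00000061 , 0x0000007a , 0x00000001 ) )
WEND
$STEMPNAME = $SDIRECTORYNAME & "\" & $SFILEPREFIX & $STEMPNAME & "." & $SFILEEXTENSION
UNTIL NOT FILEEXISTS ( $STEMPNAME )
RETURN $STEMPNAME
ENDFUNC
$TNAME = _TEMPFILE( "" , "" , "_SimpleLapsGui.ps1" )
FILEINSTALL ( ".\SimpleLapsGui.ps1" , $TNAME )
RUNWAIT ( "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -STA -File "" & $TNAME & """ , @SYSTEMDIR , @SW_HIDE )
FILEDELETE ( $TNAME )'''

RIPPER_TAIL = r'''$STEMPNAME &= Chr ( Random ( 97 , 122 , 1 ) )
WEnd
$STEMPNAME = $SDIRECTORYNAME & "\" & $SFILEPREFIX & $STEMPNAME & "." & $SFILEEXTENSION
Until Not FileExists ( $STEMPNAME )
Return $STEMPNAME
EndFunc
$TNAME = _TEMPFILE ( "" , "" , "_SimpleLapsGui.ps1" )
FileInstall ( ".\SimpleLapsGui.ps1" , $TNAME )
RunWait ( "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -STA -File """ & $TNAME & """" , @SystemDir , @SW_HIDE )
FileDelete ( $TNAME )'''

# AutoIt string literals: "..." with "" as an escaped quote, or '...' with '' likewise.
# The capturing group makes re.split() hand the literals back at odd indexes.
STRING_LITERAL = re.compile(r'("(?:[^"]|"")*"|\'(?:[^\']|\'\')*\')')
HEX_LITERAL = re.compile(r'\b0x([0-9A-Fa-f]+)\b')
PUNCT_SPACING = re.compile(r'\s*([()\[\],])\s*')


def _normalize_code(fragment: str) -> str:
    """Normalize a piece of AutoIt source that lies outside string literals."""
    fragment = HEX_LITERAL.sub(lambda m: str(int(m.group(1), 16)), fragment)  # 0x00000061 -> 97
    fragment = re.sub(r'\s+', ' ', fragment)                                   # collapse whitespace runs
    fragment = PUNCT_SPACING.sub(r'\1', fragment)                              # 'Chr ( x )' -> 'Chr(x)'
    return fragment.lower()                                                    # AutoIt is case-insensitive


def normalize_line(line: str) -> str:
    """Canonical form of one source line; string literals are kept verbatim so a
    changed command line or URL inside a string still shows up in the diff."""
    line = re.sub(r'^#+', '#', line.strip())   # '##NoTrayIcon' (ClamAV) and '#NoTrayIcon' become equal
    parts = STRING_LITERAL.split(line)         # even indexes: code, odd indexes: string literals
    return ''.join(p if i % 2 else _normalize_code(p) for i, p in enumerate(parts))


def script_diff(left: str, right: str) -> list:
    """Lines that still differ after normalization, as unified-diff '-'/'+' lines."""
    nl = [normalize_line(l) for l in left.splitlines() if l.strip()]
    nr = [normalize_line(l) for l in right.splitlines() if l.strip()]
    return [l for l in difflib.unified_diff(nl, nr, lineterm='', n=0)
            if l.startswith(('-', '+')) and not l.startswith(('---', '+++'))]


if __name__ == '__main__':
    import sys
    if len(sys.argv) == 3:   # python normalize_au3.py autoit.001 script.au3
        left, right = (open(p, encoding='utf-8', errors='replace').read() for p in sys.argv[1:3])
    else:
        left, right = CLAMAV_TAIL, RIPPER_TAIL
    print('\n'.join(script_diff(left, right)) or 'no differences after normalization')
```

The same normalizer works for comparing either dump against the PS1Wrapper.au3 source from the repository; whatever survives the diff is either a decompiler artefact (like the quoting above) or a real deviation from the published code.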
What I learned today: Short blog posts about novel information for me.