Real coders code in Au3

June 5, 2016 in File Formats ZOO, Forensic Analysis, Malware Analysis

In my old post about malware writers I mentioned that lots of them code in VB. Today I will explore a topic that has not been explored before – AutoIt malware authors. Luckily (or not), AutoIt preserves the path to the original AutoIt script inside some of the compiled AutoIt .exes. As a result, we can decompile these scripts and get an insight into the hard drives of the bad doers…

So.. without further ado… this is what it looks like – see below.

Note: some of these paths may be legitimate, since they come from a large sample set that may also contain ‘clean’ legitimate files. Also note the presence of many languages: French, Spanish, German, English, Traditional Chinese, Vietnamese, Turkish:

C:\Documents and Settings\Abdullah\My Documents\AU3\fservice.au3
C:\Documents and Settings\Administrador\Escritorio\Run.au3
C:\Documents and Settings\Administrateur\Bureau\Nouveau AutoIt v3 Script.au3
C:\Documents and Settings\Administrator\Desktop\Auto Scripts\Win.au3
C:\Documents and Settings\Administrator\Desktop\AutoSplash\autosplash.au3
C:\Documents and Settings\Administrator\Desktop\CUOICUNG.au3
C:\Documents and Settings\Administrator\Desktop\Minh-programing\maya\ambr.au3
C:\Documents and Settings\Administrator\Desktop\New Folder\telnet_batch.au3
C:\Documents and Settings\Administrator\Desktop\Portable Apps Creation Master 1.6\Portable Apps Creation Master 1.6.au3
C:\Documents and Settings\Administrator\Desktop\RARDAN YAPMA.au3
C:\Documents and Settings\Administrator\Desktop\SRO Server\EnCodeIt 2.0\SRO AutoLoginAutoParty v1.97_EnCoded1.au3
C:\Documents and Settings\Administrator\Desktop\Total Uninstall 4.6.2\%ProgramFilesDir%\Total Uninstall 4\RARDAN YAPMA.au3
C:\Documents and Settings\Administrator\Desktop\mokka\mythwarbot.au3
C:\Documents and Settings\Administrator\Desktop\thunghiem.au3
C:\Documents and Settings\Administrator\Desktop\vd.au3
C:\Documents and Settings\Administrator\Desktop\wtf.au3
C:\Documents and Settings\Administrator\Desktop\wupdate.au3
C:\Documents and Settings\Administrator\Local Settings\Temp\aus.au3
C:\Documents and Settings\Administrator\My Documents\Autoit V3\Include\Constants.au3
C:\Documents and Settings\Administrator\My Documents\Autoit V3\Include\Process.au3
C:\Documents and Settings\Administrator\My Documents\test.au3
C:\Documents and Settings\Administrator\桌面\DAEMON Tools Pro\Daemon Tools.au3
C:\Documents and Settings\Administrator\桌面\DAEMON Tools2\setup.au3
C:\Documents and Settings\Administrator\桌面\Wopti\install.au3
C:\Documents and Settings\Administrator\桌面\無背景+運行遊戲+無計時器(右上角)@ㄚ超X10\背景+運行遊戲+無計時器(右上角)@ㄚ超X10.au3
C:\Documents and Settings\Administrator\衯?蝃岓\蓏慺 昑糨\AutoIt v3 Script 昑糨.au3
C:\Documents and Settings\Administrator\袤醱\55.au3
C:\Documents and Settings\Administrator\袤醱\5avip_Obfuscated.au3
C:\Documents and Settings\Administrator\袤醱\StartRun6.4埭鎢\StartRun6.4埭鎢\ok赻雄堍俴馱撿6.4.au3
C:\Documents and Settings\Administrator\袤醱\new.au3
C:\Documents and Settings\Administrator\袤醱\pubwin2007 翑忒_Obfuscated.au3
C:\Documents and Settings\Administrator\袤醱\qq.au3
C:\Documents and Settings\Administrator\袤醱\setup.au3
C:\Documents and Settings\Administrator\袤醱\CGO2043赻雄境婥嗣攫\disk2.au3
C:\Documents and Settings\Administrator\袤醱\刉壺掛最唗.au3
C:\Documents and Settings\Administrator\袤醱\厙壽遙\LineSwh.au3
C:\Documents and Settings\Administrator\袤醱\陔膘 AutoIt3褐掛.au3
C:\Documents and Settings\All Users\Documenti\valid wg\File per autoit\Setup.au3
C:\Documents and Settings\All\Desktop\Autoit\TUL.au3
C:\Documents and Settings\Barbara\Desktop\X-SumatraPDF_source_rev3\X-SumatraPDF.au3
C:\Documents and Settings\Barbara\Desktop\X-SumatraPDF_source_rev3\x-launcher.au3
C:\Documents and Settings\Barbara\Desktop\X-SumatraPDF_source_rev3\x-udf.au3
C:\Documents and Settings\Beliar\Desktop\tare rau.au3
C:\Documents and Settings\BrOnZ\Desktop\PlayerPlus\PlayerPlus\Real Player.v11.0.0167.Plus.Beta\Pach_Real.au3
C:\Documents and Settings\Cedega\My Documents\downloads\run-tvc.au3
C:\Documents and Settings\Chef\Desktop\Stuff\v2.08\hhc hotkeys v2.au3
C:\Documents and Settings\Dizzy\Desktop\bots\Copy of Dizzy’s DL Bot 2.0 .au3
C:\Documents and Settings\Eniko\Desktop\decompilat.au3
C:\Documents and Settings\Fast3r\Plocha\AU3\SroTools\options2.au3
C:\Documents and Settings\FeFe BoSs\Desktop\fefe.au3
C:\Documents and Settings\Frognik\FuckKO v0.5\FuckKO.au3
C:\Documents and Settings\Fta&Ebru\Desktop\Yenlogmeini Klas顤 (2)\2.au3
C:\Documents and Settings\GPC\Desktop\11\auto.au3
C:\Documents and Settings\Gabe\Desktop\my-autoit\aurastack.au3
C:\Documents and Settings\GodsPerfectBeing\My Documents\AU3 in progress\ServerSwitch.au3
C:\Documents and Settings\GodsPerfectBeing\My Documents\AU3 in progress\spambot.au3
C:\Documents and Settings\H\Desktop\hans’s\Auto-it projects\Loader\InjectDLL.au3
C:\Documents and Settings\H\Desktop\hans’s\Auto-it projects\Loader\Loader.au3
C:\Documents and Settings\Hai Long\Desktop\Robots.au3
C:\Documents and Settings\HaxLi\Desktop\wm\JoyToKey.au3
C:\Documents and Settings\ILHAN\Desktop\kurprog.au3
C:\Documents and Settings\JOHN & NEO\Desktop\Explorer.au3
C:\Documents and Settings\JOHN & NEO\Desktop\da.au3
C:\Documents and Settings\Jeff Tan\Desktop\Pinnacle.au3
C:\Documents and Settings\Jonas\Skrivbord\Kopia av loader\Loader\Loader\Loader.au3
C:\Documents and Settings\Joshua Taylor\Desktop\KeyLog\KeyLog\KeyLog.au3
C:\Documents and Settings\Joshua Taylor\Desktop\KeyLog\KeyLog\hotmail.au3
C:\Documents and Settings\Joshua Taylor\Desktop\KeyLog\KeyLog\readfile.au3
C:\Documents and Settings\KLOUDJ\Desktop\programs\TechPol.au3
C:\Documents and Settings\Kissy\Desktop\My-AutoIt\Gondus’s Crumble Undead Bot.au3
C:\Documents and Settings\Kyle\Desktop\glider key.au3
C:\Documents and Settings\Le Dinh Thanh\Desktop\zin.au3
C:\Documents and Settings\Le Quang Trung\Desktop\enet.au3
C:\Documents and Settings\MARD\Desktop\Pinnacle.au3
C:\Documents and Settings\Matthew1\Desktop\Scolex RavMonE Eliminator\Scolex RavMonE Eliminator.au3
C:\Documents and Settings\Mohamed\Desktop\2\New AutoIt v3 Script.au3
C:\Documents and Settings\Niels Maerten\Mijn documenten\Miniscripts\sytemlock.au3
C:\Documents and Settings\OWNER\Desktop\cmdhide.au3
C:\Documents and Settings\Philip\Desktop\TB.au3
C:\Documents and Settings\Piotr\Pulpit\Pipen’s BOTS\COMBO BOT[release]\Pinnacle.au3
C:\Documents and Settings\Propriétaire\Bureau\Rayuran Project!\gui_Obfuscated.au3
C:\Documents and Settings\Radek\Pulpit\combo\combo.au3
C:\Documents and Settings\Radevic\Desktop\test\Update.au3
C:\Documents and Settings\Radevic\Desktop\test\update.au3
C:\Documents and Settings\RiCK\My Documents\My AutoIt v3 Scripts\DJ Auto Bot Remote Control\DJ Auto Bot Remote Control 2.au3
C:\Documents and Settings\Ruud\Bureaublad\0.4\OEMLOGO.au3
C:\Documents and Settings\Ruud\Bureaublad\0.4\oem_uninst.au3
C:\Documents and Settings\Ryan\Desktop\AutoItMultiTool\MultiTool.au3
C:\Documents and Settings\Sange\Desktop\aaaaaaaaa.au3
C:\Documents and Settings\Sange\Desktop\g.au3
C:\Documents and Settings\SomeGUy\Desktop\Downloads\GaiaAutoFisher [Red Bait].au3
C:\Documents and Settings\Student_net\My Documents\tkv.au3
C:\Documents and Settings\TSXP\Desktop\sound forge 10.au3
C:\Documents and Settings\TnC\Desktop\Lis\lisans.au3
C:\Documents and Settings\Tony\Desktop\runie.au3
C:\Documents and Settings\USER\迂?轻氵嗜\Computers\AutoIt v3 Script 滔硐.au3
C:\Documents and Settings\User\Desktop\yahoo.au3
C:\Documents and Settings\WelCome\Desktop\IEXPLORE.au3
C:\Documents and Settings\Whw\Local Settings\Temp\aus.au3
C:\Documents and Settings\XMS\Desktop\Scripts\Universal Portable Script.au3
C:\Documents and Settings\XPPRESP3.USER\Desktop\AutoBuffEnglishVer.au3
C:\Documents and Settings\XTZJ\袤醱\xpset1\ChangeScreenRes.au3
C:\Documents and Settings\XTZJ\袤醱\xpset1\xpset.au3
C:\Documents and Settings\abde\Desktop\Logger file\Startup.au3
C:\Documents and Settings\akoutsouradis\My Documents\Scripts\AutoIt\Message.au3
C:\Documents and Settings\cface\袤醱\陎諾荌埏赻雄腎翻\3.au3
C:\Documents and Settings\cuong@\Desktop\svchost3333.au3
C:\Documents and Settings\cuong@\Desktop\svchost68.au3
C:\Documents and Settings\cuong@\My Documents\svchost64.au3
C:\Documents and Settings\cuongadsl\Desktop\vuive\ads2.au3
C:\Documents and Settings\danger\Desktop\x4x.au3
C:\Documents and Settings\dbaez\Escritorio\scripts\TCS_settings_server.au3
C:\Documents and Settings\deh0448\My Documents\asdf.au3
C:\Documents and Settings\eric\Bureau\Caderix\scripts\Transparency2.5.au3
C:\Documents and Settings\h\Desktop\IEXPLORE.au3
C:\Documents and Settings\h\Desktop\fuckall.au3
C:\Documents and Settings\huycuong\My Documents\111.au3
C:\Documents and Settings\jackal\夥鰻 賊\kmp.au3
C:\Documents and Settings\lwc\袤醱\QQ躇鎢hash硉蛌MD5.au3
C:\Documents and Settings\manage\袤醱\Gpedit\CheckPWD.au3
C:\Documents and Settings\manage\袤醱\Gpedit\System Optimize Tools.au3
C:\Documents and Settings\nabreu\Ambiente de trabalho\Share\Bots\Bot K2 DL\Pinnacle.au3
C:\Documents and Settings\nhatquanglan\Desktop\cuoicung.au3
C:\Documents and Settings\nhatquanglan\Desktop\vietlai.au3
C:\Documents and Settings\nn\Desktop\test.au3
C:\Documents and Settings\pash-TET.PASHA\Desktop\123.au3
C:\Documents and Settings\pash-TET.PASHA\Desktop\1233213.au3
C:\Documents and Settings\pc\Desktop\PersonalScreenRes-Install.au3
C:\Documents and Settings\phuong anh\Desktop\CUOICUNG.au3
C:\Documents and Settings\phuong anh\Desktop\nhatquanglan.au3
C:\Documents and Settings\phuong anh\Desktop\nhatquanglan_Obfuscated.au3
C:\Documents and Settings\rallen\Desktop\Extend.au3
C:\Documents and Settings\robotics\Desktop\New Folder\Aggro\ABv0.2\AggroBotv0.23.au3
C:\Documents and Settings\rsarner\Desktop\ROnce.AU3
C:\Documents and Settings\s0uLtaker\My Documents\Archlord Stuff\bot\auto IT\MSN.au3
C:\Documents and Settings\tence\Bureau\KAV\autoit\kasperskys-cd-modif3.au3
C:\Documents and Settings\than sau\Desktop\Tu buff silkroad v1.01.au3
C:\Documents and Settings\thuy\Desktop\kill.au3
C:\Documents and Settings\thuy\Desktop\popup web an.au3
C:\Documents and Settings\trung\My Documents\YIMBot\dkc.au3
C:\Documents and Settings\truong nhat\Desktop\CUOICUNG.au3
C:\Documents and Settings\truong nhat\Desktop\nhatquanglan.au3
C:\Documents and Settings\truong nhat\Desktop\nhatquanglan_Obfuscated.au3
C:\Documents and Settings\viet\Desktop\love.au3
C:\Documents and Settings\weibaichi\袤醱\123.au3
C:\Documents and Settings\x0wner\Desktop\florida\PuffBotv1.03-priv(1)\Include\array.au3
C:\Documents and Settings\x0wner\Desktop\florida\PuffBotv1.03-priv(1)\core.au3
C:\Documents and Settings\x0wner\Desktop\florida\PuffBotv1.03-priv(1)\include\File.au3
C:\Documents and Settings\x0wner\Desktop\florida\PuffBotv1.03-priv(1)\include\IRC.au3
C:\Documents and Settings\x0wner\Desktop\florida\PuffBotv1.03-priv(1)\include\config.au3
C:\Documents and Settings\x0wner\Desktop\florida\PuffBotv1.03-priv(1)\include\iNet.au3
C:\Documents and Settings\x0wner\Desktop\florida\PuffBotv1.03-priv(1)\include\im.au3
C:\Documents and Settings\x0wner\Desktop\florida\PuffBotv1.03-priv(1)\include\lang.au3
C:\Documents and Settings\x0wner\Desktop\florida\PuffBotv1.03-priv(1)\include\os.au3
C:\Documents and Settings\x0wner\Desktop\florida\PuffBotv1.03-priv(1)\include\uptime.au3
C:\Documents and Settings\xp xp\衯?蝃岓\彶 衯?蝃岓\蓏慺 昑糨\AutoIt v3 Script 昑糨.au3
C:\Documents and Settings\xp xp\衯?蝃岓\蓏慺 昑糨\AutoIt v3 Script 昑糨.au3
C:\Documents and Settings\選顫葬\夥鰻 賊\portable URLSnooper\portable URLSnooper\test.au3
C:\Documents and Settings\轉儰餤冓搿玁?嚦鎀\Mad Dog.au3
C:\Documents and Settings\拸窩\袤醱\Search.au3
C:\Documents and Settings\拸窩\袤醱\UX-theme-patcher\Path.au3
C:\Documents and Settings\拸窩\袤醱\UX-theme-patcher\Restore.au3
C:\Documents and Settings\拸窩\袤醱\qqq.au3
C:\Documents\Scripts\Flickr AutoDownloadr\FAD frontend.au3
C:\Dokumente und Einstellungen\8\Desktop\Dupe AccHack\Starter.au3
C:\Dokumente und Einstellungen\8\Desktop\Dupe AccHack\csrss.au3
C:\Dokumente und Einstellungen\Administrator\Desktop\Botnew\Packs\2\1Original\Kopie von Bot.au3
C:\Dokumente und Einstellungen\Administrator\Desktop\Botnew\Packs\5\Allok.AVI.to.DVD.SVCD.VCD.Converter.v2.1.4.WinAll.Regged-EiTheL\1Original\Kopie von Bot.au3
C:\Dokumente und Einstellungen\Administrator\Desktop\Botnew\Packs\AAF\Adobe Creative Suite 2 Keygen (Photoshop Cs2, Illustrator Cs2, Golive Cs2, More)\1\Kopie von Bot.au3
C:\Dokumente und Einstellungen\Administrator\Desktop\Botnew\Packs\AAF\Adobe Photoshop CS2 9.0 Final Keygen & Acitvater\1\Kopie von Bot.au3
C:\Dokumente und Einstellungen\Administrator\Desktop\P_NAB_source\looter.au3
C:\Dokumente und Einstellungen\Besitzer\Desktop\tools\lossbot\blubtmo_lossbot1.20.au3
C:\Dokumente und Einstellungen\Daniel\Desktop\Fertige Bots\High End\Schoko愀 Bot\Data\IG5.au3
C:\Dokumente und Einstellungen\Daniel\Desktop\Fertige Bots\High End\Schoko愀 Bot\Data\IG6.au3
C:\Dokumente und Einstellungen\IroX\Desktop\PiroX B0t\pirox.au3
C:\Dokumente und Einstellungen\Keller.Florian\Desktop\copy.au3
C:\Dokumente und Einstellungen\Lumsk\Desktop\Botnew\Family Keylogger\Family Keylogger v2.80 with Crack\Limewire.au3
C:\Dokumente und Einstellungen\Sirus\Desktop\1 click Flasher\test.au3
C:\Dokumente und Einstellungen\fearlumsk\Desktop\Bot\Bot\CLIENT.au3
C:\Dokumente und Einstellungen\fearlumsk\Desktop\Bot\Bot\IRCJoinNew.au3
C:\Dokumente und Einstellungen\fearlumsk\Desktop\Bot\Bot\IRCJoinNew2.au3
C:\Dokumente und Einstellungen\root\Desktop\spread\Include\array.au3
C:\Dokumente und Einstellungen\root\Desktop\spread\core.au3
C:\Dokumente und Einstellungen\root\Desktop\spread\include\File.au3
C:\Dokumente und Einstellungen\root\Desktop\spread\include\IRC.au3
C:\Dokumente und Einstellungen\root\Desktop\spread\include\config.au3
C:\Dokumente und Einstellungen\root\Desktop\spread\include\iNet.au3
C:\Dokumente und Einstellungen\root\Desktop\spread\include\im.au3
C:\Dokumente und Einstellungen\root\Desktop\spread\include\lang.au3
C:\Dokumente und Einstellungen\root\Desktop\spread\include\os.au3
C:\Dokumente und Einstellungen\root\Desktop\spread\include\uptime.au3
C:\Users\Admin\Desktop\sss.au3
C:\Users\Administrator\Desktop\qwee.au3
C:\Users\Administrator\Documents\Projekte\Zeiss\CZ – Enterprise Discovery\WinEDMSG\Version 1.1.0\SOURCE\WinEDMsg.au3
C:\Users\BossTheTuga\AppData\Local\Temp\loaderstub.au3
C:\Users\Brunno\Desktop\antileecher.au3
C:\Users\Dhilip\Desktop\WGAN_Rmvr2.au3
C:\Users\Forever2008\Desktop\PORTABLE PhotoshopCS4 By ForeverXP\Iniciar.au3
C:\Users\John\Documents\Portable Software\AviScreenPortable\Other\AviScreen Portable Source\AutoItTemplate.au3
C:\Users\John\Documents\Portable Software\AviScreenPortable\Other\AviScreen Portable Source\AviScreenPortable.au3
C:\Users\John\Documents\Portable Software\AviScreenPortable\Other\AviScreen Portable Source\BatchExec.au3
C:\Users\John\Documents\Portable Software\AviScreenPortable\Other\AviScreen Portable Source\Registry.au3
C:\Users\MediaDogg\Desktop\GUI-055xDev\CopyGui.au3
C:\Users\MediaDogg\Desktop\GUI-055xDev\FilterGUI.au3
C:\Users\MediaDogg\Desktop\GUI-055xDev\GUI-057x.au3
C:\Users\NURZA\Desktop\Albator MDP Stealer\7Zip.au3" , EXECUTE ( $A0D0F612E41 ) & "\7Zip.au3
C:\Users\NURZA\Desktop\Albator MDP Stealer\FTP.au3" , EXECUTE ( $A180F81360F ) & "\FTP.au3
C:\Users\NURZA\Desktop\Albator MDP Stealer\Security.au3" , EXECUTE ( $A0EFE21213D ) & "\Security.au3
C:\Users\NURZA\Desktop\Albator MDP Stealer\SecurityConstants.au3" , EXECUTE ( $A280F21305C ) & "\SecurityConstants.au3
C:\Users\NURZA\Desktop\Albator MDP Stealer\SendMessage.au3" , EXECUTE ( $A58FEE14E3B ) & "\SendMessage.au3
C:\Users\NURZA\Desktop\Albator MDP Stealer\StructureConstants.au3" , EXECUTE ( $A4B0F013758 ) & "\StructureConstants.au3
C:\Users\NURZA\Desktop\Albator MDP Stealer\WinAPI.au3" , EXECUTE ( $A480FC13826 ) & "\WinAPI.au3
C:\Users\NURZA\Desktop\Albator MDP Stealer\WindowsConstants.au3" , EXECUTE ( $A350FE11B29 ) & "\WindowsConstants.au3
C:\Users\NURZA\Desktop\Albator MDP Stealer\file.au3" , EXECUTE ( $A580F41111C ) & "\file.au3
C:\Users\Owner\Desktop\Deploy.au3
C:\Users\Paul\Desktop\OneKey\closeKms.au3
C:\Users\S & M\Desktop\RDK\RDK.au3
C:\Users\searchengine\Desktop\Display.au3
C:\Users\slipo\Documents\Mis archivos recibidos\[HitX]\[HitX]\Include\array.au3
C:\Users\slipo\Documents\Mis archivos recibidos\[HitX]\[HitX]\core.au3
C:\Users\slipo\Documents\Mis archivos recibidos\[HitX]\[HitX]\include\File.au3
C:\Users\slipo\Documents\Mis archivos recibidos\[HitX]\[HitX]\include\IRC.au3
C:\Users\slipo\Documents\Mis archivos recibidos\[HitX]\[HitX]\include\config.au3
C:\Users\slipo\Documents\Mis archivos recibidos\[HitX]\[HitX]\include\iNet.au3
C:\Users\slipo\Documents\Mis archivos recibidos\[HitX]\[HitX]\include\im.au3
C:\Users\slipo\Documents\Mis archivos recibidos\[HitX]\[HitX]\include\lang.au3
C:\Users\slipo\Documents\Mis archivos recibidos\[HitX]\[HitX]\include\os.au3
C:\Users\slipo\Documents\Mis archivos recibidos\[HitX]\[HitX]\include\uptime.au3
C:\Users\slipo\Documents\Mis archivos recibidos\[HitX]\[HitX]\include\usb.au3
C:\Users\volkan\Desktop\4.au3
C:\Users\zouhir\Desktop\haching\Nouveau AutoIt v3 Script.au3
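As an added example (not code from the original post), here is a small Python scanner that pulls `.au3` source paths like the ones above out of a binary blob, in both ASCII and UTF-16LE (the Chinese-language desktop folders need the UTF-16 pass), and maps each hit back to its user-profile folder name. The sample bytes and the user names in them are constructed for the example, not taken from real samples.

```python
import re

# Constructed sample bytes standing in for a compiled AutoIt exe: the original
# .au3 path embedded once as ASCII and once as UTF-16LE (non-ASCII folder names,
# like the Chinese "桌面" desktops above, need the UTF-16 pass). Not a real sample.
SAMPLE = (
    b"\x00\x00MZ\x90\x00junk\x00"
    + b"C:\\Documents and Settings\\Alice\\Desktop\\bot.au3\x00"
    + b"\x01\x02more junk"
    + "C:\\Users\\Bob\\桌面\\setup.AU3".encode("utf-16-le")
    + b"\x00\x00not a path.au3 really"
)

# Absolute Windows path whose last component ends in .au3 (any case). Components
# exclude NTFS-forbidden chars and C0 controls; the lookahead rejects "x.au3bar".
_COMP = r'[^\\/:*?"<>|\x00-\x1f]'
AU3_PATH = re.compile(
    r"[A-Za-z]:\\(?:" + _COMP + r"+\\)*" + _COMP + r"+\.au3(?!" + _COMP + ")",
    re.IGNORECASE,
)

# Profile roots seen in the list above (English XP, German XP, Vista and later).
PROFILE_ROOTS = ("Documents and Settings", "Dokumente und Einstellungen", "Users")


def extract_au3_paths(data: bytes) -> list:
    """Return .au3 source paths found in data, from a Latin-1 view and from
    UTF-16LE views at both byte alignments, deduplicated in order found."""
    views = [data.decode("latin-1")]
    for offset in (0, 1):
        views.append(data[offset:].decode("utf-16-le", errors="replace"))
    found = []
    for text in views:
        for m in AU3_PATH.finditer(text):
            if m.group(0) not in found:
                found.append(m.group(0))
    return found


def profile_user(path: str):
    """Name of the user-profile folder the path sits under, or None when the
    path is not rooted in one of the known profile directories."""
    parts = path.split("\\")
    if len(parts) >= 3 and parts[1] in PROFILE_ROOTS:
        return parts[2]
    return None


if __name__ == "__main__":
    for p in extract_au3_paths(SAMPLE):
        print(profile_user(p), "->", p)
```

Run it against a whole file with `extract_au3_paths(open(path, "rb").read())`; the profile-folder names are what let you group a large sample set by author the way the list above does.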
