We look at two ways to unpack malware that was crypted with an AutoIt packer. In the first run we trick our way to the payload, skipping the AutoIt script altogether. In the second run we thoroughly analyse the packer stub, decrypt its strings, unpack the shellcode and find the decryption function in it.

Malware Analysis course:
sample:
binary refinery:
autoit-ripper:
Follow me on Twitter:

00:00 Intro
00:25 Triage
03:38 Way 1: Unpacking by guessing
10:10 Way 2: Finding the code in large scripts
12:22 String decryption
29:51 Shellcode decryption
32:19 Shellcode analysis
34:32 Config extraction
37:31 3 lessons we learned