Original link: https://research.checkpoint.com/2020/how-to-de-obfuscate-a-huge-autoit-script-in-less-than-two-minutes/

Imagine this scenario: you’re researching a malware sample which starts its execution with unpacking the archive (usually RAR or ZIP one) which came with a suspicious email and launching an AutoIT script stored inside the archive. You start analyzing this script and get stuck: its size is more than 150MB! What do you do?

Clearly, you need to de-obfuscate the script. We’ll show you how to do it in less than 2 minutes.

The following tools are required:

• AutoIT installer
• AutoIT decompiler

The decompiler can process executables which have an embedded AutoIT script inside. But it can’t do anything with external scripts.

To use a decompiler, a standalone AutoIT script has to be embedded inside the executable so the decompiler can be further applied. To do so, let us use the Aut2Exe Converter:

After the conversion is complete, there is a fully working executable which is approximately 155 times smaller than the original obfuscated one:

Instead of writing scripts to manually de-obfuscate the script, let the converter do the entire job and produce clear byte-code in the output.

The next step is to put the executable inside the decompiler and get the clear-text script:

The script file without all the junk is approximately 2800 times smaller than its obfuscated counterpart:

Now the script can be analyzed further.

[培训]内核驱动高级班，冲击BAT一流互联网大厂工作，每周日13:00-18:00直播授课