Notably, on one occasion, the developer referenced the Microsoft Word document icon path from the build machine as "C:\works\old_progs\download\icons\DOC.ico". The malware downloaders' version information includes the English-language locale and LCID code "2057", which is the English (Great Britain) language code. In later versions of this malware, the developer(s) also decided to obfuscate this string with hex-encoding, presumably to avoid static detection of hidden-window AutoIt scripts.
The downloaders simply create a fake GUI application mimicking Microsoft Word or a PDF viewer, with a fake message claiming the document is password-protected; the AutoIt tray icon is hidden with the Opt("TrayIconHide", 1) setting. The reviewed older samples were compiled with the 32-bit version of AutoIt, while the more recent ones were compiled with the 64-bit one. Malware analysis reveals the later use of hex-encoding functions to obfuscate certain strings within the APT28 malware. The APT28 AutoIt downloaders rely on the WinHTTP DLL library for client-server communications.
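To show what an analyst looks for once the AutoIt script has been recovered from the executable, here is an added example (not code from the original post or from the malware): it scans a constructed AutoIt script fragment for string literals that are long runs of hex digits, decodes those that yield printable ASCII, and flags the tray-icon hiding option described above. The sample script, the 16-hex-character minimum and the function names are assumptions for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample of what a recovered AutoIt script might contain (not a real
# Zebrocy sample): one plain string, one hex-encoded string, one short hex-looking
# word, and the tray-icon option.
SAMPLE_SCRIPT = r'''
Opt("TrayIconHide", 1)
$sPath = "C:\works\old_progs\download\icons\DOC.ico"
$sHidden = "433A5C776F726B735C6F6C645F70726F67735C646F776E6C6F61645C69636F6E735C444F432E69636F"
$sShort = "DEAD"
MsgBox(0, "Word", "Document is password protected")
'''

# Double-quoted AutoIt string literals whose body is an even run of hex digits.
# A minimum of 16 hex characters (8 bytes) keeps short words like "DEAD" out.
HEX_LITERAL = re.compile(r'"((?:[0-9A-Fa-f]{2}){8,})"')


def decode_hex_strings(script: str) -> List[Tuple[str, str]]:
    """Return (encoded, decoded) pairs for every hex-encoded literal that decodes
    to printable ASCII; anything else is skipped as a likely false positive."""
    found = []
    for m in HEX_LITERAL.finditer(script):
        raw = bytes.fromhex(m.group(1))
        try:
            text = raw.decode("ascii")
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            found.append((m.group(1), text))
    return found


# Opt("TrayIconHide", 1) switches off the AutoIt tray icon that would otherwise
# betray the fake document viewer's AutoIt origin.
TRAY_HIDE = re.compile(r'Opt\s*\(\s*"TrayIconHide"\s*,\s*1\s*\)', re.IGNORECASE)


def hides_tray_icon(script: str) -> bool:
    """True when the script hides the AutoIt tray icon."""
    return TRAY_HIDE.search(script) is not None


if __name__ == "__main__":
    for enc, dec in decode_hex_strings(SAMPLE_SCRIPT):
        print(f"{enc[:16]}... -> {dec}")
    print("tray icon hidden:", hides_tray_icon(SAMPLE_SCRIPT))
```

Run against a real recovered script, the decoded strings (paths, user agents, URLs) are the ones worth turning into detection content, since hex-encoding hides them from naive string searches on the compiled binary.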
![screenshot](https://vkintel.files.wordpress.com/2019/01/e14b0-screen2bshot2b2019-01-222bat2b12.04.592bam.png)
The Zebrocy/Zepakab AutoIt downloader implants are simple and reminiscent of the other versions coded in Golang, C++, and Delphi. The malware downloaders are simple compiled AutoIt scripts with added icons and are occasionally packed with UPX. APT28 is also known as Sofacy, Fancy Bear, STRONTIUM, Pawn Storm, and Sednit. Here, I decided to recover and dissect its AutoIt scripts from its executable. The APT28 group continues to develop and leverage the Zebrocy/Zepakab downloader implants.

Outline:

A. APT28 Zebrocy/Zepakab AutoIt Script Extraction
B. Zebrocy/Zepakab Downloader Implant (32-Bit x86 Compiled)
C. Zebrocy/Zepakab Downloader Implant (32-Bit x86 Compiled)
D. Zebrocy/Zepakab Downloader Implant (32-Bit x64 Compiled)
E. Zebrocy/Zepakab Downloader Implant (32-Bit x64 Compiled)
1. Zebrocy/Zepakab Downloader Implant (32-Bit x86 Compiled) "parsestring()" and "parsefile()" Functions