Sunday, January 20, 2013

Analysis of an uncommon Downloader

This will be a quick analysis of a Downloader I recently came across (thanks to Artem for providing the sample!). What makes this malware special is the uncommon programming language it uses to accomplish its tasks (actually a scripting language). The malware itself is very rudimentary; only the actual Downloader (which spawns shellcode) is a bit more advanced. Unfortunately the server isn't responding to the requests from the Downloader, so it is unclear what final purpose this malware has. I think the scripting languages and the shellcode were chosen to evade AV (heuristic) detections. The detection rates of the Dropper are still very low (6/46), even 2 years after its creation:

I haven't uploaded the dropped files, but I guess detection rates are also very low, if any. This task is left to the reader. ;-)

What is interesting about this malware:
- Makes use of Gentee scripting language (actually uses CreateInstall, which was coded in Gentee)
- Makes use of AutoIt scripting language
- Spawns a shell to download additional component(s)

A dynamic analysis of this malware can be found at

I try to give some additional information, so let's start with the Dropper.

Note: All files of this malware have the extension ".com", but they are all .exe files (just renamed to .com).
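Because the extension is not trustworthy here, triage should classify files by their header bytes rather than their name. The following is an added example (not code from the original post) that flags PE images carrying a .com extension; the buffer it builds is constructed for the demonstration, not taken from the malware.

```python
import os
import struct

DOS_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\x00\x00"


def is_pe(data: bytes) -> bool:
    """True if the buffer has a DOS stub whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != DOS_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of the PE header
    if e_lfanew + len(PE_SIGNATURE) > len(data):
        return False
    return data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] == PE_SIGNATURE


def classify(filename: str, data: bytes) -> str:
    """Compare what the extension claims with what the bytes actually say."""
    ext = os.path.splitext(filename)[1].lower()
    if is_pe(data):
        return "pe" if ext in (".exe", ".dll", ".scr") else "pe-masquerading-as" + ext
    return "not-pe"


def build_fake_pe() -> bytes:
    """Constructed stand-in for a PE image (MZ stub, e_lfanew, PE signature); not a real sample."""
    e_lfanew = 0x80
    buf = bytearray(DOS_MAGIC)
    buf += b"\x00" * (0x3C - len(buf))
    buf += struct.pack("<I", e_lfanew)
    buf += b"\x00" * (e_lfanew - len(buf))
    buf += PE_SIGNATURE
    return bytes(buf)


def scan_directory(path: str):
    """Yield (name, verdict) for each file; the first 64 KiB is enough for any normal DOS stub."""
    for entry in os.scandir(path):
        if entry.is_file():
            with open(entry.path, "rb") as fh:
                yield entry.name, classify(entry.name, fh.read(64 * 1024))


if __name__ == "__main__":
    print(classify("dropper.com", build_fake_pe()))  # pe-masquerading-as.com
```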