autorun-inf-deobfuscator
Advanced tools
A cli script to deobfuscate obfuscated autorun.inf files as used by the Conficker / Downadup malware for example.
A cli script to deobfuscate obfuscated autorun.inf files as used by the Conficker / Downadup malware for example.
Such an autorun.inf file can be quite big since the malware authors can add junk to the configfile which will not be evaluated by Windows.
This scripts only shows the important parts of the config which will be evaluated by Windows.
More information about autorun.inf files you can find on Wikipedia.
Install the package with pip
pip install autorun-inf-deobfuscator
or
pip install git+https://github.com/wahlflo/AutorunInfDeobfuscator
Type deobfuscate-autorun-inf --help to view the help.
usage: deobfuscate-autorun-inf [OPTION]... -i FILE
A cli script to deobfuscate obfuscated autorun.inf files as used by the Conficker / Downadup malware for example.
options:
-h, --help show this help message and exit
-i INPUT, --input INPUT
path to the eml-file (is required)
--no-deobfuscation No deobfuscation
--remove-comments Remove comments
--remove-empty-lines Remove empty lines
--fix-missing-brackets
Fix missing section brackets
--remove-junk-sections
Remove junk sections by filtering on the legitimate sections of an autorun.inf file
--show-sections Prints out only the name of the sections contained in the file
-o OUTPUT, --output OUTPUT
Writes the obfuscated file to the given file
excerpt of an obfuscated autorun.inf file created by Conficker:
[AUTorUN
;
ÅA¯˜ölÜŠq¦…tÎKVWœý¸¤¬
AcTION
=Ordner öffnen, um Dateien anzuzeigen
icon =
%syStEmrOot%\sySTEM32\sHELL32.Dll ,4
;Pr×SoàDWWCfDnhTvVQyažã¾
;«GáÊ
;
qTJ¥·r€ÕoÍgwDqçÚJûKEí´û
shelLExECUte
=RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
;
zD¾pl¿›cà½ÂuDbËyF½žÚG
;f›yÊlÌÃèŠdGµBwAsUmF
;
»Ÿobz²q•GEìªiSøµväF˜Ø¤ò¼fîNŒDs±
useAuTopLAY
=
1
;
Fª†g•¿úoÖMÊc°¹tYcÈìkdQeæØnD§äâÙrˆe…C¿ùlÝ„ôC
[
oiw]
deobfuscation with the deobfuscate-autorun-inf script:
$deobfuscate-autorun-inf -i conficker_autorun_sample.ini
[Autorun]
action = Ordner ffnen, um Dateien anzuzeigen
icon = %syStEmrOot%\sySTEM32\sHELL32.Dll ,4
shellexecute = RuNdLl32.EXE .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
useautoplay = 1
FAQs
A cli script to deobfuscate obfuscated autorun.inf files as used by the Conficker / Downadup malware for example.
We found that autorun-inf-deobfuscator demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.
Security News
NVD’s backlog surpasses 20,000 CVEs as analysis slows and NIST announces new system updates to address ongoing delays.