Analysis Malicious Shellcode ( HTA as Dropper ) Part 2

In the previous part we decoded the first stage of the HTA, but the output is still not readable: it is another layer, a long hexadecimal string. To turn that string back into the raw bytes it encodes, run it through CyberChef once more:

Step-by-Step Instructions:

  1. Clear all operations in CyberChef

    • Open CyberChef.

    • Make sure no operations (filters) are currently applied.

  2. Copy the encoded pattern

    • Locate the hexadecimal blob (a long run of 0-9 / a-f characters, sometimes written with spaces, commas, "0x" or "\x" separators) in the decoded first stage and copy the whole thing.

  3. Paste the pattern into CyberChef

    • Paste the copied pattern into the Input section.

  4. Apply the "From Hex" operation

    • From the list of operations, search for and select "From Hex". Its default delimiter is "Auto", which handles spaces, "0x" and "\x" separators.

    • This converts the hexadecimal string into the raw bytes it encodes. Since those bytes are machine code, do not expect readable text: the output will be mostly non-printable characters, which is exactly what we want for the next step.

  5. View the decoded result

    • The decoded output will appear in the Output section.


Applying the From Hex operation in CyberChef:


Click the Save button in the Output section and save the result as shellcode.bin. Use the Save button rather than copying the output as text: the file must contain the raw bytes, otherwise the debugger will be emulating a mangled copy of the shellcode.

Debugging the Shellcode with scdbg:

After extracting the shellcode and saving it as shellcode.bin, you can emulate it with a shellcode debugger such as scdbg or Speakeasy to learn what it does (which Windows APIs it resolves, which URL it contacts, which file it drops or process it spawns) without running it natively. To use scdbg, follow these steps:

  1. Download scdbg

    • Get it from the following link: http://sandsprite.com/blogs/index.php?uid=7&pid=152 and extract the archive.

  2. Run scdbg against the shellcode

    • Use the following command, where /f selects the input file:

      scdbg.exe /u /f shellcode.bin

    • Press Enter to start the emulation. scdbg prints each Windows API call the shellcode makes, together with its arguments, as execution proceeds.

Keep in mind that scdbg emulates 32-bit x86 shellcode only. If the sample turns out to be 64-bit, use Speakeasy instead. The API calls and their arguments are the insight we are after: they describe the malicious file's behaviour without us having to run it.
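The decode-and-save procedure above, as an added Python example that is not part of the original post: it does what CyberChef's "From Hex" operation does (accepting spaced, comma-separated, "0x"-prefixed, "\x"-escaped or bare hex), writes the raw bytes to shellcode.bin exactly as the Save button would, records the SHA-256 so the sample can be tracked, and runs a cheap sanity check for the well-known Metasploit prologue bytes before the file is handed to scdbg. The sample hex is constructed for this example and is not the blob from the post; the function names are my own.

```python
import hashlib
import re
from pathlib import Path
from typing import Dict, List

# Constructed sample input, NOT the hex blob from the original post. The bytes
# are the well-known Metasploit x86 "block_api" prologue (cld; call ...; pushad;
# mov ebp,esp; xor eax,eax; mov edx,fs:[eax+0x30] ...) so the heuristic below
# has something real to match.
SAMPLE_HEX = """
fc e8 82 00 00 00 60 89 e5 31 c0 64 8b 50 30
8b 52 0c 8b 52 14 8b 72 28 0f b7 4a 26 31 ff
"""

# Prologues that identify Metasploit-generated position-independent shellcode.
MSF_PROLOGUES: Dict[str, bytes] = {
    "metasploit x86 block_api (cld; call; pushad)": bytes.fromhex("fce8820000006089e531c0648b5030"),
    "metasploit x64 block_api (cld; and rsp,-16; call)": bytes.fromhex("fc4883e4f0e8c0000000"),
}


def hex_to_bytes(text: str) -> bytes:
    """Equivalent of CyberChef's 'From Hex' with the delimiter set to Auto.

    Accepts '41 42', '41,42', '\\x41\\x42', '0x41 0x42' or bare '4142';
    separators and whitespace are dropped before decoding.
    """
    cleaned = re.sub(r"\\x|0x|[\s,;:]", "", text)
    if not cleaned:
        raise ValueError("no hex digits found in input")
    if len(cleaned) % 2 or not re.fullmatch(r"[0-9a-fA-F]+", cleaned):
        raise ValueError("input is not an even-length hex string")
    return bytes.fromhex(cleaned)


def shellcode_hints(data: bytes) -> List[str]:
    """Cheap structural checks worth doing before spending time in a debugger."""
    hints = []
    for name, sig in MSF_PROLOGUES.items():
        if data.startswith(sig):
            hints.append(name)
    # cld (0xFC) followed within a few bytes by a near call (0xE8) is the usual
    # opening of position-independent stubs, Metasploit-generated or not.
    if data[:1] == b"\xfc" and b"\xe8" in data[1:8]:
        hints.append("starts with cld then a near call (position-independent stub)")
    return hints


def save_shellcode(data: bytes, path: Path) -> Dict[str, object]:
    """Write the raw bytes (what CyberChef's Save button does) and return metadata."""
    path.write_bytes(data)
    return {
        "path": str(path),
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "hints": shellcode_hints(data),
    }


if __name__ == "__main__":
    import tempfile

    out = Path(tempfile.gettempdir()) / "shellcode.bin"
    info = save_shellcode(hex_to_bytes(SAMPLE_HEX), out)
    print(f"wrote {info['size']} bytes to {info['path']} sha256={info['sha256']}")
    for hint in info["hints"]:
        print("hint:", hint)
    # Same invocation as in the post; scdbg only emulates 32-bit x86 shellcode.
    print(f"next: scdbg.exe /u /f {info['path']}")
```

If shellcode_hints reports the x64 prologue, skip scdbg and go straight to Speakeasy; if it reports nothing at all, that is not proof the blob is harmless, only that it is not a stock Metasploit stub, and the emulator output remains the authority on what the code does.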