Last Updated: 2019-03-10 19:34:02 UTC
by Didier Stevens (Version: 1)
Reader Ahmed shared his analysis of a malicious HTA file. He had to fall back on static analysis because dynamic analysis failed: the sandbox he used reported no activity at all for the HTA file.
It's a rule of thumb when reversing: if you don't succeed with one particular analysis method, try another one. Even if that second method fails too, it might give you insight to help you progress with the first method.
An HTA file is an HTML Application (extension .hta): it's an HTML file with scripts (VBScript, JScript, ...) that is executed by the HTA engine (mshta.exe). Unlike a browser, scripts running inside that engine are not restricted and use the full permissions of the user running the HTA engine.
The VBScript in this HTA file has a string that is heavily obfuscated. This string is passed on to the Create method of a WMI class to create a new process, but first it is processed by the Replace function:
This call to the Replace function replaces the string ![_%/+-$>#*&])(=?< with an empty string: the result is that each occurrence of ![_%/+-$>#*&])(=?< is removed from the string passed on to the Create method.
Normally it's easy to do the same with the stream editor sed, except that this string contains meta-characters that have to be escaped, like this:
Now it's clear that this is a PowerShell command, and that the script is obfuscated. We can manually deobfuscate this script, like Ahmed did, but in this diary entry I want to show a quick and dirty method to find out what this script is doing.
First of all, it's clear that we are dealing with malware. A malicious PowerShell script like this one, is almost always a downloader: a script that downloads a payload from the Internet. The URL(s) is/are often obfuscated. But if you search for the character : (found in http://), you might be lucky and find a fragment of a URL.
And that's what we have here for the third occurrence of the : character:
Let me just clean this up: a bit to the left there's an .Invoke method call (that's the beginning of the statement) and a bit to the right there's a ; character (that's the end of the statement):
In pink, I've highlighted fragments of text that are clearly part of a URL. This URL uses an IPv4 address, starting with 46.101.8.
In yellow, I've highlighted all the remaining digits: it looks to me that 5.43 is the rest of the IPv4 address.
To be sure, I'm looking it up with VirusTotal: 46.101.85[.]43.
And we are lucky: this IPv4 address is known, and there's one URL with a bad score. The path of this URL is putt.txt, and with that info, I can further identify the fragments of the URL:
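The quick-and-dirty pass described above, as an added Python example that is not code from the diary: it removes the separator string with str.replace (which takes the string literally, so none of the sed metacharacters need escaping), splits the result into ;-terminated statements, keeps the statements that contain a : character, joins their single-quoted fragments back together and defangs any IPv4 address that appears. The obfuscated input is constructed here by inserting the separator between every character of a harmless sample line; the address 192.0.2.1 and the path sample.txt are placeholders, not the indicators from the diary.

```python
import re

# The junk string removed by the HTA's Replace call (taken from the diary).
SEPARATOR = "![_%/+-$>#*&])(=?<"

# Constructed sample: a stand-in for the deobfuscated one-liner, with the URL
# split into '+'-concatenated fragments. 192.0.2.1 is a documentation address
# and sample.txt a placeholder; neither is an indicator from the diary.
CLEAN_SAMPLE = (
    "$a=1;"
    "$u=('ht'+'tp:'+'//1'+'92.0'+'.2.1/'+'sam'+'ple.txt');"
    "$w.Invoke($u);"
    "$z=2"
)
# Obfuscate it the way the HTA does: the separator sits between every character.
OBFUSCATED_SAMPLE = SEPARATOR.join(CLEAN_SAMPLE)


def strip_separator(text: str, sep: str = SEPARATOR) -> str:
    """Equivalent of the VBScript Replace(text, sep, "") call.

    str.replace treats sep literally, so the sed metacharacters in it
    need no escaping here.
    """
    return text.replace(sep, "")


def statements(text: str) -> list[str]:
    """Split a PowerShell one-liner into its ';'-terminated statements."""
    return [s.strip() for s in text.split(";") if s.strip()]


def statements_with_colon(text: str) -> list[str]:
    """Statements containing ':' are the first place to look for http://."""
    return [s for s in statements(text) if ":" in s]


def join_quoted_fragments(statement: str) -> str:
    """Concatenate the single-quoted literals of a statement in order.

    This reassembles a URL that was split into '+'-joined fragments without
    any character encoding. Fragments reordered by a format string (-f) or
    reversed would need an extra step.
    """
    return "".join(re.findall(r"'([^']*)'", statement))


def ipv4_candidates(text: str) -> list[str]:
    """Dotted-quad substrings worth looking up in threat intel."""
    return re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text)


def defang_ipv4(ip: str) -> str:
    """Write an address as 46.101.85[.]43 so it is not clickable in reports."""
    head, _, last = ip.rpartition(".")
    return f"{head}[.]{last}"


def triage(obfuscated: str) -> list[dict]:
    """Run the whole pass and return one record per ':'-bearing statement."""
    clean = strip_separator(obfuscated)
    results = []
    for stmt in statements_with_colon(clean):
        joined = join_quoted_fragments(stmt)
        results.append({
            "statement": stmt,
            "joined": joined,
            "ipv4": [defang_ipv4(ip) for ip in ipv4_candidates(joined)],
        })
    return results


if __name__ == "__main__":
    for rec in triage(OBFUSCATED_SAMPLE):
        print(rec["statement"])
        print("  fragments joined:", rec["joined"])
        print("  IPv4 candidates: ", rec["ipv4"])
```

On the sample in the diary the fragments were not in source order, which is why the VirusTotal hit on the address was needed to place them; join_quoted_fragments only handles the simple in-order case, and the defanged address is what you would paste into a lookup.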
When you are dealing with an obfuscated PowerShell script, it's often a downloader. Depending on the obfuscation method, it's possible that the URL (or URLs) is broken up in different fragments, but that the characters have not been encoded. In that case, it can be possible to identify the different fragments, sometimes with the help of threat intel.
Last Updated: 2019-03-10 19:18:39 UTC
by Didier Stevens (Version: 1)
This week, reader Ahmed Elshaer submitted a malicious HTA file. He was able to deobfuscate the VBScript inside the HTA file, but had difficulties with the obfuscated PowerShell script launched by the VBScript.
Later, Ahmed reached out again: he had deobfuscated the PowerShell script, and shared his analysis with us. Thanks Ahmed! I'm posting his analysis here, but with pictures of the (partially) deobfuscated script to avoid triggering AV.
Analysis of Powershell Malware Captured on March 1st 2019:
We have detected a suspicious process executed on one of the machines, which turned out to be the result of a malicious HTA file delivered by mail.
From looking at the HTA, which is VBScript, you will notice it's obfuscated and can be easily de-obfuscated using a find/replace command in a text editor or by using sed.
I have made a Python script before to quickly de-obfuscate simple split/replace code that can also be used with this.
Below the HTA File Content:
After replacing "![_%/+-$>#*&])(=?<" with nothing, we should get the de-obfuscated code:
You can notice it's a multi-layer obfuscation that we have to deal with to understand this malware.
The purpose of doing this analysis: sometimes the malware that you can capture and run in dynamic analysis does only a subset of its functionality, and we don't have a chance to know its full potential.
And sometimes it's dynamic, like it can generate a different key for each machine, so you have to understand its code to be able to use its functionality and stop it using its own code.
I took the PowerShell command mentioned in the VBScript and tried to tweak it a bit to remove the dangerous part and to get the actual code.
And here is the result of the 1st iteration of decoding the provided PowerShell code after saving it to a file.
Decoding the result we have from the previous command as follows.
We will have the below code, also de-obfuscated PowerShell code.
Following the same approach we did previously.
Splitting the code at ; and looking into it, it's very easy to do string format by hand on each string to form the original PowerShell command.
Which will result in the final code here.
Looking into the code here, we can see that this script will do the following:
- It generates a long number as a reference (which is all letters A-Z and a-z)
- Selects 6 random characters from them to be the name of the file downloaded later
- It downloads the malware and names it .log, then moves it to .exe, then executes it.
We downloaded the malware and did a simple check on the file, which turned out to be a signed Ursnif sample, which steals system information and attempts to steal banking and online account credentials.
# PS C:\Users\User> sigcheck.exe .\eDRTou.exe
# Verified: Signed
# Signing date: 11:59 PM 2/27/2019
# Publisher: 01010000 LTD
# Company: INCA Internet Co., Ltd.
# Description: nProtect KeyCrypt Program Database DLL
# Product: nProtect KeyCrypt Program Database DLL
# Prod version: 4, 0, 0, 0
# File version: 2003, 10, 1, 1
# MachineType: 32-bit
When running the malware, you will notice it's trying to contact the C2 server.
- hxxp://followgathering[.]pw -> 192.42.119[.]41
Below you can find Dynamic analysis for this malware: