The article demonstrates decoding a simple HTA loader used to deliver Cobalt Strike shellcode: the embedded payload is extracted with CyberChef, validated with an emulator, and then given a basic look in Ghidra. It provides a hash and a Malware Bazaar link for the sample and concludes that the payload acts as a downloader. #CobaltStrike #HTALoader #CyberChef #SpeakEasy #PowerShell #Base64
Key points
- The HTA loader contains a small embedded script and a large base64 blob, which are examined in a text editor and in CyberChef.
- The base64 blob decodes to UTF-16 text with a null byte after every character; CyberChef's base64-decode and remove-null-bytes steps strip them and reveal a PowerShell script.
- The decoded PowerShell references VirtualAlloc, memset, and CreateThread, which together allocate, write, and execute something in memory.
- The hex bytes embedded in the script are disassembled with CyberChef and show typical shellcode indicators (e.g., CLD, call, and ror 0D) consistent with Cobalt Strike.
- The SpeakEasy emulator is used to validate the shellcode: it simulates execution and shows API calls that download from a remote host (51.79.49.174:443).
- The payload is concluded to be a downloader; a hash and a Malware Bazaar link are provided for the sample 2c683d112d528b63dfaa7ee0140eebc4960fe4fad6292c9456f2fbb4d2364680.
MITRE Techniques
- [T1059.001] PowerShell: The initial HTA loader runs a PowerShell command that carries the base64 blob. ("a PowerShell command containing the base64 blob.")
- [T1218.005] Mshta: The article notes the process flow from mshta.exe (parent) to powershell.exe (child). ("mshta.exe parent process to powershell.exe (child process).")
- [T1027] Obfuscated/Compressed Files and Information: The script begins with obfuscated code followed by a large base64 blob. ("a small piece of obfuscated code followed by a large base64 blob.")
- [T1055] Process Injection: In-memory execution is described via VirtualAlloc, memset, and CreateThread. ("allocate (VirtualAlloc), write (memset) and execute (CreateThread) something in memory.")
- [T1105] Ingress Tool Transfer: Downloader behavior is observed as the shellcode attempts to fetch a payload from a remote host. ("download something from 51.79.49[.]174:443.")
- [T1059.007] JavaScript: The loader's script reaches WScript.Shell through a broken-up string to run commands from JavaScript. ("broken-up wscript.shell, which is commonly used to execute commands from javascript.")
Indicators of Compromise
- [Hash] SHA-256: 2c683d112d528b63dfaa7ee0140eebc4960fe4fad6292c9456f2fbb4d2364680
- [URL] Malware sample page: https://bazaar.abuse.ch/sample/2c683d112d528b63dfaa7ee0140eebc4960fe4fad6292c9456f2fbb4d2364680/?ref=embeeresearch.io
- [IP:port] Downloader host: 51.79.49[.]174:443 (defanged, as written in the article)
Read more: https://www.embeeresearch.io/malware-analysis-decoding-a-simple-hta-loader/