Cobalt Strike Loader Deobfuscation Using CyberChef and Emulation (.hta files)

The article demonstrates decoding an obfuscated .hta loader that contains a base64-encoded PowerShell script which unpacks and executes Cobalt Strike shellcode. The analyst uses CyberChef to decode base64/UTF‑16/hex, disassembles to confirm shellcode patterns, and emulates execution with FireEye SpeakEasy, revealing an attempted download from 51.79.49[.]174:443. #CobaltStrike #SpeakEasy

Keypoints

  • Sample delivered as a passworded ZIP; unzip password is “infected” to extract a .hta loader.
  • The .hta contains obfuscated JavaScript that executes a large base64 blob (PowerShell payload) via mshta/wscript.shell.
  • CyberChef is used to decode the base64 blob, remove UTF‑16 null bytes, and recover the embedded PowerShell script.
  • The PowerShell script contains a large hex byte array and API calls referencing VirtualAlloc, memset (write), and CreateThread (execute in memory).
  • Decoded hex bytes are converted to raw bytes and disassembled in CyberChef, showing shellcode patterns (e.g., CLD, calls, ROR operations) consistent with Cobalt Strike.
  • Saved bytes were emulated with FireEye SpeakEasy (shellcode mode), which showed API activity and an attempted download from 51.79.49[.]174:443, indicating a downloader behavior.

MITRE Techniques

  • [T1059.001] PowerShell – Use of PowerShell to execute embedded payloads and the base64 blob (‘it just executes a PowerShell command containing the base64 blob’).
  • [T1218] Signed Binary Proxy Execution – Initial .hta executed via mshta leading to PowerShell execution (mshta execution chain) (‘initial execution of .hta (mshta.exe parent process) to powershell.exe (child process)’).
  • [T1027] Obfuscated Files or Information – Payload uses obfuscation and encoding (large base64 blob, UTF‑16 and hex) to hide the script and shellcode (‘obfuscated code followed by a large base64 blob’).
  • [T1055] Process Injection – Use of APIs to allocate, write, and execute memory (VirtualAlloc, memset, CreateThread) indicates in-memory code execution/injection techniques (‘references to api’s that can be used to allocate (VirtualAlloc), write (memset) and execute (CreateThread) something in memory’).
  • [T1105] Ingress Tool Transfer – Shellcode attempts to download additional payloads from a remote host (observed network activity to 51.79.49[.]174:443) (‘numerous api calls were made in an attempt to download something from 51.79.49[.]174:443’).

Indicators of Compromise

  • [SHA256] sample hash – 2c683d112d528b63dfaa7ee0140eebc4960fe4fad6292c9456f2fbb4d2364680
  • [IP Address] download host – 51.79.49[.]174:443 (observed in SpeakEasy emulation as a download target)
  • [Filenames / Artifacts] loader and extracted payload – example .hta loader (initial file), shellcode.bin (saved raw bytes used for emulation)
  • [Processes] execution chain to investigate – mshta.exe parent to powershell.exe child (recommended hunting/alerting focus)

The technical workflow begins by extracting the passworded ZIP (password: “infected”) to obtain the .hta file. Open the .hta in a text editor to locate an obfuscated script and a large base64 blob; because the script embeds the blob directly in a PowerShell command invoked via wscript.shell/mshta, the initial obfuscation layers do not need to be decoded to reach the payload.

Copy the base64 blob into CyberChef, decode it from base64, then recover the PowerShell script by decoding the result as UTF‑16 (“Decode Text”) or stripping the interleaved null bytes (“Remove null bytes”). Extract the large hex byte array from that script, apply “From Hex” to convert it to raw bytes, and use “Disassemble x86” to check for shellcode indicators (e.g., CLD, call sequences, ror operations); these increase confidence that the blob is shellcode, and the patterns are consistent with Cobalt Strike.

Export the raw bytes to a file (e.g., shellcode.bin) and emulate execution with FireEye SpeakEasy using flags such as -t -r -a x86 (or -a x64 if appropriate). SpeakEasy will reveal API calls and network activity; in this case it demonstrated attempts to download from 51.79.49[.]174:443, confirming downloader behavior. Based on these results, hunt for mshta.exe -> powershell.exe execution chains and any connections to the observed IP, and investigate whether additional payloads were retrieved and executed.

Read more: https://embee-research.ghost.io/malware-analysis-decoding-a-simple-hta-loader/