Multistage malware breakdown; Part 1

May 13, 2020
icon
icon
icon

Nowadays, malware is more sophisticated due to the use of obfuscation techniques. The goal of obfuscation is simple: it makes it more difficult for a security researcher to actually understand what’s going. Obfuscation is also challenging for security products and can buy time for the attacker to remain undetected.

Attackers create a multistage process from the dropper to the malware itself in order to make it hard to trace and research. Furthermore, attackers also use a variety of obfuscation techniques along the way, so only experienced researchers can handle the attack.

Let’s have a look at a sample that I found, so we can see the process of breaking a multistage malware attack.

HTA
The sample itself is an HTA document. HTA is a file extension for an HTML executable file format.
The idea behind HTA files is to let developers create web applications for Internet Explorer. Of course, attackers found HTA files easy to abuse; they can get Internet Explorer to execute scripts without any browser security checks. This can cause a malicious execution without any problem.
This technique is a part of “LOL”(Living off the land), which means that the attacker doesn’t really need external tools for execution; he uses functionality that is available from the operating system.

So by grabbing the HTA file and looking at what is inside, we can see some HTML code with a Javascript array. We can also see that the main goal here is to create an object.

In order to view what’s hiding inside this hex array, I just used Python since Python can turn it into decimal format when printing to the screen:

The content of the hex array:

Now that we have the content, we can reorganize the creation of the object.
The original array:

ActiveXObject(_0xb8a2[4])[_0xb8a2[3]](_0xb8a2[0],_0xb8a2[1],_0xb8a2[2],_0xb8a2[2],0);window[_0xb8a2[5]]();self[_0xb8a2[5]]

After reorganization:
ActiveXObject(_0xb8a2[SHeLl.AppLiCATIoN])[_0xb8a2[‘shELLeXEcuTE‘]](_0xb8a2[‘PoweRsHElL.eXE‘],_0xb8a2[‘The Base64 powershell script’],_0xb8a2[‘’],_0xb8a2[‘’],0);window[_0xb8a2[‘close’]]();self[_0xb8a2[‘close’]]

Since we now understand the creation of the object, we must next try to understand the content that the object is going to execute. Therefore, we will have to decode the Base64 encoding:

We can see that we have some null bytes that presented to us in a utf8 format, so in order to extract something, we have to first remove those null bytes:

There are a few things we can see here:

  1. There is a usage of bitsadmin in order to pull another file from a URL.
  2. A second file called “brat.true’ is fetched from the URL.
  3. The file is saved as “Com100Chats.exe”.

That’s all for Part One. To summarize, we learned how to deal with a hex array in order to analyze it, we decoded base64 with utf8 format and cleaned the null bytes so we can view clear content.
Our next stage is to analyze the “Com100Chats.exe” and figure out what it does.

***

For more info contact us here

Tags: Computer Viruses, Malware, Threat Research, Unwanted Programs
icon
icon
icon

Must-Read Articles

01.
What Is The Best Antivirus For HP Laptop Users?
02.
Do You Know How To Scan Zip Files For Viruses And Zip Bombs?
03.
Tired of Being Tracked? How to Stop Being Tracked Online
04.
How Can Hackers Steal Your Social Security Number?
05.
“I Got Scammed On Instagram!” How To Detect An Instagram Scam
06.
Cash App Scams & Fraud: How Can I Protect Myself?
07.
Top Tips For How To Remove Hard Inquiries From Credit Report
08.
"I Got Scammed!" - Does PayPal Refund Money If Scammed?
09.
What Antivirus Does Google Use? Why You Shouldn't Just Rely On Google Virus Protection
10.
Has My Email Been Compromised? 5 Signs It's Been Hacked

Recent Articles

How to Recognize Fake ChatGPT & Fake Domains
What is Web Server Security? Best Secure Practices To Employ
Scams On Facebook Marketplace and How to Safely Sell Online

Discover more

COVID-19: Keeping internal work teams up to speed
Get some ‘quarantime’ with your kids
Shred your business documents before they’re ‘shared’ with the wrong people
A helpful & hopeful list of SMB government support measures around the world
Essential tech tools for staying connected while working apart
Can the Internet handle all the traffic while everyone works from home?
footer logo
+1 (989) 300-0998support@reasonlabs.com
Company
arrow
Who We AreWhy ReasonLabs?PlatformEventsIndustry RecognitionCareers
Resources
arrow
BlogLabsCyberpediaReportsNewsFAQ’s
Products
arrow
RAV Endpoint ProtectionSafer Web DNS FilteringRAV VPNRAV Managed EDROnline SecurityFamilyKeeper
© 2023 Reason Cybersecurity Ltd.
Product PoliciesPrivacy PolicyTerms & Conditions