Multistage malware breakdown – Part 1

Nowadays, malware is more sophisticated due to the use of obfuscation techniques. The goal of obfuscation is simple: it makes it more difficult for a security researcher to actually understand what’s going. Obfuscation is also challenging for security products and can buy time for the attacker to remain undetected.

Attackers create a multistage process from the dropper to the malware itself in order to make it hard to trace and research. Furthermore, attackers also use a variety of obfuscation techniques along the way, so only experienced researchers can handle the attack.

Let’s have a look at a sample that I found, so we can see the process of breaking a multistage malware attack.

HTA
The sample itself is an HTA document. HTA is a file extension for an HTML executable file format.
The idea behind HTA files is to let developers create web applications for Internet Explorer. Of course, attackers found HTA files easy to abuse; they can get Internet Explorer to execute scripts without any browser security checks. This can cause a malicious execution without any problem.
This technique is a part of “LOL”(Living off the land), which means that the attacker doesn’t really need external tools for execution; he uses functionality that is available from the operating system.

So by grabbing the HTA file and looking at what is inside, we can see some HTML code with a Javascript array. We can also see that the main goal here is to create an object.

In order to view what’s hiding inside this hex array, I just used Python since Python can turn it into decimal format when printing to the screen:

The content of the hex array:

Now that we have the content, we can reorganize the creation of the object.
The original array:

ActiveXObject(_0xb8a2[4])[_0xb8a2[3]](_0xb8a2[0],_0xb8a2[1],_0xb8a2[2],_0xb8a2[2],0);window[_0xb8a2[5]]();self[_0xb8a2[5]]

After reorganization:
ActiveXObject(_0xb8a2[SHeLl.AppLiCATIoN])[_0xb8a2[‘shELLeXEcuTE‘]](_0xb8a2[‘PoweRsHElL.eXE‘],_0xb8a2[‘The Base64 powershell script’],_0xb8a2[‘’],_0xb8a2[‘’],0);window[_0xb8a2[‘close’]]();self[_0xb8a2[‘close’]]

Since we now understand the creation of the object, we must next try to understand the content that the object is going to execute. Therefore, we will have to decode the Base64 encoding:

We can see that we have some null bytes that presented to us in a utf8 format, so in order to extract something, we have to first remove those null bytes:

There are a few things we can see here:

  1. There is a usage of bitsadmin in order to pull another file from a URL.
  2. A second file called “brat.true’ is fetched from the URL.
  3. The file is saved as “Com100Chats.exe”.

That’s all for Part One. To summarize, we learned how to deal with a hex array in order to analyze it, we decoded base64 with utf8 format and cleaned the null bytes so we can view clear content.
Our next stage is to analyze the “Com100Chats.exe” and figure out what it does.

***

For more info contact us here