Excel 4.0 Macro, hta, VBScript & PowerShell Analysis Ataware Ransomware – Part 0x1

This will be multiple part blog series analysing complete infection chain from Excel to Ataware Ransomware. In this post we will discuss analysis steps for hta, VBScript & PowerShell code to extract final payload url. Let’s start with xls, I was browsing Twitter for interesting sample, then I found this tweet from @nao_sec and started investigating. You can download the xls from ANY.RUN.

Overview of analysis steps

xls analysis steps

  1. Check the file type and extract the string
    strings "563902-IT Services Procurement Catalog updated.xls" > str_excel.txt
  2. Go through the strings output and you will find the mshta cmd with Dropbox url
  3. Now you know, this excel is definitely malicious by using only string tool
  4. Let’s analyse it further to understand how this mshta is invoked
  5. Run olevba on xls, as you can see in below output it uses Excel 4.0 macro hidden sheet to execute mshta cmd.

For more details on Excel 4.0 Macro, check the references section[1]. Now we will move on the hta file analysis.

htseelaaa.hta analysis

Why attacker using hta?

HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser [2]. hta file can be executed using inbuilt trusted Windows utility mshta which can bypass Application Whitelisting.

Deobfuscate Steps
  1. Extract the vbs code from hta file and save as vbs
  2. Replace the eval with Wcript.Echo and execute using cscript
  3. Now you can see the base64 encoded PowerShell code, instead of manual deobfuscation let’s run the PowerShell code inside our VM with FakeNet-NG
  4. Enable PowerShell Enhanced Logging before running above PowerShell code, for more details check this Deobfuscate PowerShell using PowerShell Logging
  5. After executing, go through PowerShell logs in EventViewer to find out the debofuscate code as shown below
  6. Copy the PowerShell code after removing iex and execute it to see the final decoded code shown below
  7. This above PowerShell download the PE file from dropbox link and execute it in $temp directory with filename ATAPIinit.exe.

Conclusion

  • Infection vector is unique as it is using Excel 4.0 Macro technique with mshta and PowerShell.
  • Heavily obfuscated to slow down analysis
  • Using dropbox as initial payload delivery, as dropbox may be allowed in proxy

References

  1. XLM Excel 4.0 Macro Details
  2. Mshta technique

Upcoming part 0x2 we will analyse the UAC bypass using CMSTPLUA COM interface technique used by PE file downloaded from PowerShell. Hope you enjoyed the post, please comment with your suggestions/feedbacks or else contact me on Twitter. Happy Reversing 🙂

Related Posts

2 Comments. Leave new

Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.

Menu