Day 21: Malware Analysis — Malhare.exe

For Day 21, the mission shifted to a defensive perspective to investigate a malicious HTA (HTML Application) file used by King Malhare to compromise elf laptops. This challenge, titled Malhare.exe, focused on reverse-engineering a file that appeared to be a harmless "salary survey" but was actually a delivery mechanism for second-stage payloads.
Core Concept: Understanding HTA Files
An HTA file is essentially a Windows application that is "dressed up" as a web page. While it contains standard web components like HTML, CSS, and JavaScript, it does not run in a browser; instead, it executes directly on the Windows operating system using mshta.exe. This allows the file to bypass many traditional security restrictions and execute real system commands.
A typical HTA file consists of three parts:
• The HTA Declaration: Defines the application’s properties, such as the title and window behavior.
• The Interface: The visual layout created with HTML and CSS.
• The Script: The logic (often VBScript or JavaScript) that dictates what the application does when opened.
The Technical Breakdown: Dissecting the Salary Survey
In this investigation, I analysed the "The Best Festival Company Developer Survey". I uncovered how King Malhare used typosquatting by hosting the malicious payload on the domain survey.bestfestivalcompany.com, which notably contained two 'i's to mimic the legitimate site.
1. Malicious Logic and Object Usage
The script utilised several powerful Windows objects to facilitate the attack:
• internetexplorer.application: This was used by the get_questions function to "phone home" and download encoded data from the attacker’s server.
• wscript.net network: This object performed reconnaissance by enumerating the victim's computer name and username.
• wscript: This granted the HTA the power to launch PowerShell and execute the hidden malicious code silently.
2. Exfiltration and Obfuscation
I found that the enumerated system data was exfiltrated via an HTTP GET method to a specific endpoint named /details. To evade detection, the malware employed layered obfuscation:
• Layer 1: The payload was encoded in Base64.
• Layer 2: The decoded string was then processed through a ROT13 shift (a substitution that shifts each letter 13 places through the alphabet).
• Layer 3: The final resulting script was executed directly in memory via PowerShell.
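The analyst-side decoder for the two reversible layers above, as an added example that is not part of the original writeup or the challenge files: it peels Base64, then applies the same character-loop ROT13 the HTA uses, and reports which PowerShell tokens surface so you can tell the decode worked without ever executing Layer 3. The constructed sample blob, the token list and the function names are all assumptions made for this example.

```python
import base64
import re

# Tokens whose appearance after decoding suggests readable PowerShell came out.
# Constructed list for this example, not an indicator set from the challenge.
POWERSHELL_HINTS = ("$env:", "Write-Output", "Invoke-", "New-Object", "-Command")


def rot13(text: str) -> str:
    """Character loop of the kind the writeup calls out: letters move 13 places,
    everything else (digits, quotes, $, punctuation) passes through unchanged."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def b64_decode_lenient(blob: str) -> bytes:
    """Layer 1. Tolerates quotes, line breaks and stripped '=' padding, which is
    how Base64 usually looks once copied out of an HTA or a log line."""
    cleaned = re.sub(r"[^A-Za-z0-9+/=]", "", blob)
    cleaned += "=" * (-len(cleaned) % 4)
    return base64.b64decode(cleaned, validate=True)


def peel_layers(blob: str) -> dict:
    """Base64 -> ROT13, returning every intermediate so it can be logged.
    Layer 3 (running the result in PowerShell) is deliberately never done here."""
    layer1 = b64_decode_lenient(blob).decode("utf-8", errors="replace")
    layer2 = rot13(layer1)
    hints = [h for h in POWERSHELL_HINTS if h.lower() in layer2.lower()]
    return {"base64_decoded": layer1, "rot13_decoded": layer2, "powershell_hints": hints}


def wrap_like_sample(script: str) -> str:
    """Rebuild the attacker's wrapping (ROT13, then Base64) to create test input."""
    return base64.b64encode(rot13(script).encode("utf-8")).decode("ascii")


# Constructed, benign stand-in for the recovered second stage.
CONSTRUCTED_BLOB = wrap_like_sample('$u = $env:USERNAME; Write-Output "recon placeholder for $u"')

if __name__ == "__main__":
    result = peel_layers(CONSTRUCTED_BLOB)
    print(result["rot13_decoded"])
    print("hints:", result["powershell_hints"])
```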

Key Learnings
• Living off the Land: Understanding how attackers use built-in Windows tools like mshta.exe to run malicious code while appearing legitimate.
• Social Engineering Patterns: Recognising how "prizes" (such as a trip to the South Pole) are used to entice users into running suspicious attachments.
• Multi-Step Deobfuscation: Learning to identify scripts that loop over characters to perform shifts, which is a classic indicator of ROT13 or similar encoding schemes.
-----------------------------------------------------------------------------------------
Analogy for HTA Malware: Think of a malicious HTA file like a wolf in sheep's clothing. To your computer, it looks like a simple, harmless text file or a web page (the sheep). However, once you let it into your house (execute it), it throws off the disguise and uses its "claws"—Windows system tools—to start taking control of the environment from the inside.