Hello and welcome to the Tuesday, April 11, 2023 edition of the Sansonet Stormer's Stormcast.

My name is Johannes Ulrich and today I'm recording from Jacksonville, Florida.

Today we got the second part of DDA's ongoing series about analyzing malicious HTA files.

HTA, that's HTML application.

It's sort of a Microsoft thing, but really what it is.

It's an archive of a web page, HTML page, and JavaScript and such,

essentially to sort of create self-contained complete copies

of an HTML5 application.

But as with so many things, it can be abused maliciously, in particular the JavaScript that's

loaded here, and that's sort of what the D.D.D.A. is going after. In the first part, he sort of showed how to take apart the HTA file.

And today it's about how to analyze the script that was then actually loaded, in this case,

a malicious PowerShell script.

The script itself was encrypted using AES, but as so often with this kind of malware, the encryption here was really more an obfuscation in that the key was part of the file.

And then, yeah, ECB mode was used for EES, which of course isn't great but perfectly adequate.

Of course, if you're delivering the key with the payload anyway. Like I said,

really more kind of an obfuscation here, and DDA is going over how to then decrypt the payload.

You also have to unsip it yet again, and then sort of how to further analyze and extract the resulting script.

In the end, we get to a bad file that's being downloaded from a website, so that

URL is the price of essentially decrypting and then further decoding the resulting

PowerShell script.

And I'm sure that he will tell us in a later episode what this particular bad file does.

And on Friday, I talked about Apple releasing patches for two Saturday vulnerabilities.

...