Analyzing a Cobalt Strike Downloader Script Using CyberChef

“`html

Short Summary

This article discusses the decoding process of a .HTA script linked to the Cobalt Strike toolkit, focusing on the methods of obfuscation used, including Base64URL encoding and excessive spacing. The analysis demonstrates how to decode the script using tools like CyberChef and regular expressions to clean up the code for further examination.

Key Points

  • The article analyzes a .HTA script found on Malware Bazaar associated with the Cobalt Strike toolkit.
  • Basic obfuscation techniques such as Base64URL encoding and excessive spacing are employed in the script.
  • CyberChef is used to decode the URL encoded content in multiple layers.
  • Regular expressions are utilized to remove excessive whitespace for better readability.
  • The decoded script reveals a downloader function using URLDownloadToFile.
  • The next stage file’s URL is identified as http://198.46[.]178.144/morningfiledatinglover[.]vbs.

MITRE ATT&CK TTPs – created by AI

  • Command and Control – T1071
    • Use of HTTP for command and control communication.
  • Data Obfuscation – T1001
    • Use of encoding techniques like Base64 and URL encoding to obfuscate data.
  • Remote File Copy – T1105
    • Downloading files from a remote server using URLDownloadToFile.

“`Decoding a Cobalt Strike Downloader Script With CyberChef

Introduction

We recently encountered a short .HTA script on Malware Bazaar that was linked to the Cobalt Strike toolkit.

The script utilises basic obfuscation that can be removed using CyberChef and a text editor. This blog will cover our decoding process, including how to decode the following obfuscation methods

  • Base64
  • URL Encoding
  • Excessive Spacing

Original File

The file used for this analysis can be found on Malware Bazaar at the following link.

2807199adde4730e5e89c5f0ed3d48380dac746a44fa1e5fe0ca0186743a97e0

Analysis

The .HTA file in it's initial state contains a small amount of HTML followed by a large batch of URL encoded characters.

Decoding a Cobalt Strike Downloader Script With CyberChef

The first step to decoding the URL encoded content is to use a tool like CyberChef and the URL Decode operation.

As can be seen below, this decodes the content but reveals another layer of URL encoding.

Decoding a Cobalt Strike Downloader Script With CyberChef

The second layer of URL encoding can be resolved with another URL Decode operation.

Applying the filter again removes the last of the URL encoding.

Decoding a Cobalt Strike Downloader Script With CyberChef

The content can now be moved back to a text editor for additional analysis.

Although the script is removed of URL encoding, the script now employs blobs of spaces to hinder analysis. This can be seen in the screenshot below.

Decoding a Cobalt Strike Downloader Script With CyberChef

The spacing can be removed manually by highlighting and deleting, but a more efficient means is to use a regular expression to remove occurrences of two or more whitespace characters s

By performing a search and replace with the ss+ query, we can see the excessive spacing is highlighted and matched correctly.

Decoding a Cobalt Strike Downloader Script With CyberChef

By specifying a replace value of a single space, the content can be cleaned up significantly.

The script content can now fit easily into a single screenshot.

Decoding a Cobalt Strike Downloader Script With CyberChef

A large blob of base64 content can be seen in the resulting content. This is alongside the key giveaway of frombase64string with random upper and lower casing.

Decoding a Cobalt Strike Downloader Script With CyberChef

The base64 blob can be copied and decoded in CyberChef using From Base64

Decoding a Cobalt Strike Downloader Script With CyberChef

The resulting content contains more excessive spacing. The same regular expression technique as before can be re-applied to fix this.

Below we can see the From Base64 operation and the removal of excessive spacing via regex.

Decoding a Cobalt Strike Downloader Script With CyberChef

After the spacing is removed, it becomes clear that the code is a downloader utilising the URLDownloadToFile function.

The address of the next stage file is also clearly visible, and contains the value http://198.46[.]178.144/morningfiledatinglover[.]vbs

Decoding a Cobalt Strike Downloader Script With CyberChef

Source: Original Post