Categories: MalwareWhat is

How Sandboxes Help Security Analysts Expose Script-Based Attacks

Cybercriminals employ numerous tactics to infiltrate endpoints and scripts are among the most destructive.

You can trigger an infection chain by clicking on a seemingly innocuous document, potentially compromising your entire network.

To prevent this, analyzing suspicious files in malware analysis sandboxes is crucial. Here are some instances where they prove invaluable.

Decoding VBE Files

The contents of a VBE file

VBE files are essentially encoded VBS scripts initially designed back in the day to safeguard intellectual property. As a result, it is impossible to view their source code without extra tools, hindering analysis and allowing detection evasion. 

A decoded VBE file

However, uploading a VBE file to a proper sandbox service instantly reveals the decoded VBS script at play. It presents a full view of the script execution process, including its requested functions, transferred data, and commands.

Viewing Command Returns

The dir command

A sandbox can also reveal the results of commands executed within scripts. In this example, the cmd process command line contains the command “dir,” yet it remains unknown what it returns. 

The return of the command and additional information

With the help of a sandbox, users can see the command’s output as well as download it for further analysis. This empowers analysts to fully comprehend the attacker’s actions and the potential harm caused.

Observing Script Usage by Executables

A sandbox’s ability to track script-executable interactions is crucial in identifying malicious scripts that depend on executables for their functionality. This insight helps analysts detect and neutralize script-based malware by employing executable files as a launchpad for their malicious activities.

Scripts launched by executables

In the provided example, a malicious executable utilizes the Windows Management Instrumentation Command (WMIC) tool to load and execute a VBScript file. This approach allows the malware to conceal its true nature and manipulate the system without raising suspicion.

Analyzing VBS and JS-based Malware

WSHRAT’s query to “winmgmts:\\\localhost\root\SecurityCenter2″

A sandbox can streamline investigating VBS-based malware, saving a lot of time on extensive reverse engineering or debugging. This example shows the WSHRAT malware making a WMI query likely to check for all the installed antivirus solutions on the device.

You can try the full range of ANY.RUN’s capabilities completely for free by requesting 14 days of a free trial

Cyber Writes

Work done by a Team Of Security Experts from Cyber Writes (www.cyberwrites.com) - World’s First Dedicated Content-as-a-Service (CaaS) Platform for Cybersecurity. For Exclusive Cyber Security Contents, Reach at: business@cyberwrites.com

Recent Posts

LightSpy iOS Malware Enhanced with 28 New Destructive Plugins

The LightSpy threat actor exploited publicly available vulnerabilities and jailbreak kits to compromise iOS devices.…

2 days ago

ATPC Cyber Forum to Focus on Next Generation Cybersecurity and Artificial Intelligence Issues

White House National Cyber Director, CEOs, Key Financial Services Companies, Congressional and Executive Branch Experts…

3 days ago

New PySilon RAT Abusing Discord Platform to Maintain Persistence

Cybersecurity experts have identified a new Remote Access Trojan (RAT) named PySilon. This Trojan exploits…

4 days ago

Konni APT Hackers Attacking Organizations with New Spear-Phishing Tactics

The notorious Konni Advanced Persistent Threat (APT) group has intensified its cyber assault on organizations…

4 days ago

Google Chrome Security, Critical Vulnerabilities Patched

Google has updated its Chrome browser, addressing critical vulnerabilities that posed potential risks to millions…

4 days ago

Notorious WrnRAT Delivered Mimic As Gambling Games

WrnRAT is a new malware attack that cybercriminals have deployed by using popular gambling games…

4 days ago