Cybercriminals employ numerous tactics to infiltrate endpoints, and script-based attacks are among the most destructive.
Opening a seemingly innocuous document can trigger an infection chain that ends in the compromise of an entire network.
Analyzing suspicious files in a malware analysis sandbox before they are allowed to run is a crucial defense. Here are some situations in which a sandbox proves invaluable.
Decoding VBE Files
The contents of a VBE file
VBE files are VBScript files run through the Microsoft Script Encoder, a scheme originally created to protect the intellectual property in scripts. The encoding is reversible, but the source code cannot be read without extra tooling, which slows analysis and helps the script evade detection.
A decoded VBE file
Uploading a VBE file to a capable sandbox, however, immediately yields the decoded VBS script. The sandbox then presents a full view of the script's execution: the functions it calls, the data it transfers, and the commands it runs.
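The decoding a sandbox performs on a VBE file is mechanical and can be reproduced offline. The following Python decoder is an added example written for this article; it is not ANY.RUN's code. It implements the Microsoft Script Encoder scheme (the substitution table and the 64-entry alphabet schedule are those used by public decoders), includes a matching encoder so it can generate its own sample from a constructed VBScript, treats the header's length field as the length of the encoded body (an assumption) and leaves the trailing checksum unverified.

```python
"""Decoder for Microsoft Script Encoder (screnc.exe) output, the scheme behind
.vbe/.jse files.  Envelope: '#@~^' + 6 base64 chars + '==' + body + 6 base64
chars + '==^#~@'.  Each printable body byte is replaced through one of three
substitution alphabets chosen by its position modulo 64; the characters < > @
and CR/LF are carried as two-character '@' escapes instead."""
import base64
import re
import struct

# Decode table: for encoded byte b (32..127, plus tab) the three candidate
# plaintext bytes, one per alphabet.  The rows for < (60), > (62) and @ (64)
# are placeholders; those bytes never occur unescaped in a valid body.
_TABLE_HEX = """
2E2D32 477530 7A5221 566029 42715B 6A5E38 2F4933 265C3D 496258 417D3A 342935 323665
5B2039 767C5C 727A56 437F73 386B66 39634E 703345 452B6B 686862 715159 4F6678 09765E
62317D 44644A 23546D 754371 4A4C41 7E3A60 4A4C41 5E7E53 404C40 774542 4A2C27 612A48
5D7472 222775 4B3731 6F4437 4E794D 3B5952 4C2F22 506F54 67266A 2A7247 7D6A64 74392D
547B20 2B3F7F 2D382E 2C774C 30675D 6E537E 6B476C 66346F 357879 255D74 213043 642326
4D5A76 525B25 636C24 3F482B 7B5528 787023 296941 282E34 734C09 59212A 332444 7F4E3F
6D5077 55093B 535655 7C7369 3A3561 5F6163 654B50 465867 583B51 315749 69224F 6C6D46
5A4D68 48257C 272836 5C4670 3D4A6E 24327A 79412F 373D5F 605F4B 514F5A 20422C 366557
"""
_ROWS = bytes.fromhex(_TABLE_HEX)
assert len(_ROWS) == 96 * 3
_TABLE = {32 + i: _ROWS[3 * i:3 * i + 3] for i in range(96)}
_TABLE[9] = bytes.fromhex("576E7B")

# Alphabet used for the plaintext character at position i (mod 64).
_PICK = [0,1,2,0,1,2,1,2,2,1,2,1,0,2,1,2,0,2,1,2,0,0,1,2,2,1,0,2,1,2,2,1,
         0,0,2,1,2,1,2,0,2,0,0,1,2,0,2,1,0,2,1,2,0,0,1,2,2,0,0,1,2,0,2,1]

_ESCAPES = {"&": "\n", "#": "\r", "*": ">", "!": "<", "$": "@"}
_UNESCAPES = {v: k for k, v in _ESCAPES.items()}
_ESCAPE_RE = re.compile(r"@([&#*!$])")
_ENVELOPE_RE = re.compile(
    r"#@~\^([A-Za-z0-9+/]{6})==(.*?)([A-Za-z0-9+/]{6})==\^#~@", re.S)


def _substitutable(b):
    return (b == 9 or 32 <= b < 128) and b not in (60, 62, 64)


def decode_body(body):
    """Undo the substitution on the text between the length and checksum fields."""
    body = _ESCAPE_RE.sub(lambda m: _ESCAPES[m.group(1)], body)
    out, index = [], -1
    for ch in body:
        b = ord(ch)
        if b < 128:
            index += 1                 # bytes >= 128 do not advance the alphabet
        if _substitutable(b):
            ch = chr(_TABLE[b][_PICK[index % 64]])
        out.append(ch)
    return "".join(out)


def declared_length(text):
    """Length field of the first envelope: base64 of a little-endian uint32
    (assumed here to count the encoded body).  None if no envelope is found."""
    m = _ENVELOPE_RE.search(text)
    return struct.unpack("<I", base64.b64decode(m.group(1) + "=="))[0] if m else None


def decode_vbe(text):
    """Decode every screnc envelope in text (read the file as latin-1 so that
    every byte maps to one character); the checksum field is not verified."""
    return _ENVELOPE_RE.sub(lambda m: decode_body(m.group(2)), text)


# Inverse tables, built from _TABLE, so the block can make its own sample
# input without screnc.exe.  The checksum it writes is a placeholder.
_INVERSE = [{}, {}, {}]
for _enc, _triple in _TABLE.items():
    if _enc not in (60, 62, 64):
        for _alphabet, _plain in enumerate(_triple):
            _INVERSE[_alphabet][_plain] = _enc


def encode_vbe(plain):
    out, index = [], -1
    for ch in plain:
        b = ord(ch)
        if b < 128:
            index += 1
        if ch in _UNESCAPES:
            out.append("@" + _UNESCAPES[ch])
        elif _substitutable(b):
            out.append(chr(_INVERSE[_PICK[index % 64]][b]))
        else:
            out.append(ch)
    body = "".join(out)
    length = base64.b64encode(struct.pack("<I", len(body))).decode()  # 'XXXXXX=='
    return "#@~^" + length + body + "AAAAAA==^#~@"


# Constructed sample script (not taken from any real sample); it exercises the
# escapes for '>' and CRLF line endings as well as quotes and backslashes.
SAMPLE_VBS = ('Set sh = CreateObject("WScript.Shell")\r\n'
              'sh.Run "cmd /c dir > %TEMP%\\out.txt", 0\r\n')

if __name__ == "__main__":
    encoded = encode_vbe(SAMPLE_VBS)
    print(encoded, decode_vbe(encoded), sep="\n")
```

Run it against a real .vbe by reading the file with `encoding="latin-1"` and passing the text to `decode_vbe`; anything outside the `#@~^ ... ^#~@` envelope, such as plaintext wrapper code, is returned unchanged.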
Viewing Command Returns
The dir command
A sandbox can also reveal the results of commands executed from within scripts. In this example, the command line of the cmd.exe process contains the command "dir", but the command line alone does not show what the command returned.
The return of the command and additional information
With a sandbox, analysts can view the command's output and download it for further analysis. This lets them understand exactly what the attacker collected and the potential harm caused.
Observing Script Usage by Executables
A sandbox's ability to track interactions between scripts and executables is crucial for identifying malicious scripts that depend on executables to do their work, and for spotting executables that use built-in system utilities as a launchpad for script-based payloads.
Scripts launched by executables
In the example shown, a malicious executable uses the Windows Management Instrumentation Command-line tool (WMIC) to load and execute a VBScript file. Launching the script through a signed, built-in Windows utility makes the activity look like routine administration and lets the malware manipulate the system without raising suspicion. One caveat for analysts: when WMIC creates the process through WMI (process call create), the script interpreter is spawned by the WMI provider host, WmiPrvSE.exe, rather than by the malware itself, so the process tree alone may not link the script back to its launcher; the recorded WMIC command line does.
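Both points above, seeing what a script's child commands did and attributing a script host to the executable that launched it, rest on the process records the sandbox keeps. The following Python is an added example, not ANY.RUN's code: it rebuilds a process tree from constructed process-creation records (the image names, PIDs and command lines are invented for the example) and handles the WMIC case specifically, assuming the executable ran wmic process call create, so that the interpreter appears under WmiPrvSE.exe and the link back to the launcher has to be recovered from the WMIC command line. It also pulls the redirect target out of a command line, which is where the "return" of a command such as dir ends up.

```python
"""Rebuild a process tree from process-creation records (the shape of a
sandbox's process log or Sysmon Event ID 1) and attribute script interpreters
to the executable that really launched them."""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_RE = re.compile(r'[^"\s]+\.(?:vbs|vbe|js|jse|wsf|hta)\b', re.I)
REDIRECT_RE = re.compile(r'>>?\s*"?([^"\s>]+)')

# Constructed sample events (not a real capture).  invoice.exe runs
# "wmic process call create"; WMI's Win32_Process.Create then starts wscript.exe
# from inside the provider host, so the tree shows WmiPrvSE.exe as its parent.
EVENTS = [
    Proc(4, 0, "System", ""),
    Proc(50, 4, r"C:\Windows\System32\svchost.exe", "svchost.exe -k DcomLaunch"),
    Proc(100, 4, r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(200, 100, r"C:\Users\victim\Downloads\invoice.exe", "invoice.exe"),
    Proc(300, 200, r"C:\Windows\System32\wbem\WMIC.exe",
         r'wmic process call create "wscript.exe //B C:\Users\Public\update.vbs"'),
    Proc(400, 50, r"C:\Windows\System32\wbem\WmiPrvSE.exe", "WmiPrvSE.exe -secured -Embedding"),
    Proc(500, 400, r"C:\Windows\System32\wscript.exe", r"wscript.exe //B C:\Users\Public\update.vbs"),
    Proc(600, 500, r"C:\Windows\System32\cmd.exe",
         r'cmd.exe /c dir "C:\Users\victim" > C:\Users\Public\d.txt'),
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image names from the root of the tree down to pid."""
    by_pid = {p.pid: p for p in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


def script_path(cmdline):
    m = SCRIPT_RE.search(cmdline)
    return m.group(0) if m else None


def redirected_output(cmdline):
    """Path a command's output was redirected to, if any."""
    m = REDIRECT_RE.search(cmdline)
    return m.group(1) if m else None


def find_script_launches(events):
    """One finding per script interpreter: its script, its parent in the tree,
    and the executable that actually caused the launch."""
    by_pid = {p.pid: p for p in events}
    wmic = [p for p in events if basename(p.image) == "wmic.exe"]
    findings = []
    for p in events:
        if basename(p.image) not in SCRIPT_HOSTS:
            continue
        script = script_path(p.cmdline)
        parent = by_pid.get(p.ppid)
        launcher, via = parent, None
        # Bridge the WmiPrvSE.exe gap: the script path named in a recorded
        # wmic.exe command line identifies the real launcher.
        if parent and basename(parent.image) == "wmiprvse.exe" and script:
            for w in wmic:
                if script.lower() in w.cmdline.lower():
                    launcher, via = by_pid.get(w.ppid), w
                    break
        findings.append({
            "host": basename(p.image),
            "script": script,
            "tree_parent": basename(parent.image) if parent else None,
            "launcher": basename(launcher.image) if launcher else None,
            "via": basename(via.image) if via else None,
        })
    return findings


if __name__ == "__main__":
    for f in find_script_launches(EVENTS):
        print(f)
    for p in EVENTS:
        target = redirected_output(p.cmdline)
        if target:
            print(" -> ".join(ancestry(EVENTS, p.pid)), "wrote output to", target)
```

The same correlation works for other launchers that break the parent link (scheduled tasks, services, COM activation): keep the command line of the process that requested the launch and match on the script path rather than trusting the tree alone.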
Analyzing VBS and JS-based Malware
WSHRAT’s query to “winmgmts:\\localhost\root\SecurityCenter2”
A sandbox streamlines the investigation of VBS-based malware and saves the time that extensive reverse engineering or debugging would otherwise take. This example shows the WSHRAT malware issuing a WMI query against the root\SecurityCenter2 namespace, which holds the AntiVirusProduct class, most likely to enumerate the antivirus solutions installed on the device.
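To see what such a query looks like in script form, and how an analyst can triage a decoded script for it without running it, here is an added Python example; it is not WSHRAT's code and not part of the original article. The VBScript inside it is constructed to use the same namespace as the screenshot, and the intent labels are the example's own.

```python
"""Static triage of a (decoded) VBScript for WMI usage: which namespaces and
classes it touches and what that suggests about its intent."""
import re

# Constructed VBScript in the style of the check described above; it is not
# WSHRAT's own code.  The first part enumerates registered antivirus products,
# the second creates a process through WMI.
SAMPLE_VBS = r'''
Set objWMI = GetObject("winmgmts:\\localhost\root\SecurityCenter2")
Set colAV = objWMI.ExecQuery("Select displayName, productState From AntiVirusProduct")
For Each av In colAV
    names = names & av.displayName & ";"
Next
Set objProc = GetObject("winmgmts:\\.\root\cimv2:Win32_Process")
objProc.Create "cmd.exe /c whoami", Null, Null, pid
'''

# winmgmts:[{security}][\\host][\namespace][:class]
MONIKER_RE = re.compile(
    r'winmgmts:(?:\{[^}]*\})?(?:\\\\[^\\"]+)?(?:\\(?P<ns>root(?:\\[^"\s:]+)*))?(?::(?P<cls>\w+))?',
    re.I)
QUERY_RE = re.compile(r'ExecQuery\s*\(\s*"[^"]*?\bFrom\s+(?P<cls>\w+)', re.I)

# What a namespace/class pair usually means in a script of this kind.
INTENT = {
    ("root\\securitycenter2", "antivirusproduct"): "security-product discovery",
    ("root\\securitycenter2", "firewallproduct"): "security-product discovery",
    ("root\\cimv2", "win32_process"): "process execution or enumeration",
    ("root\\cimv2", "win32_computersystem"): "host fingerprinting",
}


def _finding(ns, cls):
    key = (ns.lower(), cls.lower())
    return {"namespace": key[0], "class": key[1], "intent": INTENT.get(key, "unclassified")}


def wmi_indicators(script):
    """Walk the script in order, remembering the namespace of the last
    winmgmts: moniker so that later ExecQuery calls are attributed to it."""
    findings, ns = [], "root\\cimv2"            # a bare winmgmts: means root\cimv2
    for line in script.splitlines():
        m = MONIKER_RE.search(line)
        if m:
            ns = m.group("ns") or "root\\cimv2"
            if m.group("cls"):
                findings.append(_finding(ns, m.group("cls")))
        q = QUERY_RE.search(line)
        if q:
            findings.append(_finding(ns, q.group("cls")))
    return findings


if __name__ == "__main__":
    for f in wmi_indicators(SAMPLE_VBS):
        print(f)
```

Feed it the output of a VBE decoder or the script the sandbox recovered; a SecurityCenter2 lookup early in a script is a strong hint that the sample tailors its behaviour to the security products it finds.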
The post How Sandboxes Help Security Analysts Expose Script-Based Attacks appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform .