How to Analyze Malicious Scripts in a Sandbox

Scripting languages are a common tool for automating tasks in Windows environments. The widespread use, however, makes them a prime candidate for exploitation by threat actors. To expose malicious scripts and reveal their purpose, we can use malware sandboxes like ANY.RUN. Let’s explore different types of scripts and see how you can analyze them yourself.

VBScript: Administrative Tool Abuse

VBScript is a scripting language based on Visual Basic (VB), which is extensively used for automating tasks. It is pre-installed on Windows systems and is commonly used for system administration. One way threat actors can leverage VBScript is to modify the Windows registry to disable security features, redirect system functions, or cause system instability.

VBE files are encoded VBScript files that threat actors employ as one of the means of complicating the analysis process and getting around detection.

Analysis of a VBScript Attack in a Sandbox

Script files are often obfuscated, making them unreadable. ANY.RUN’s Script Tracer feature allows us to look inside these scripts by logging their execution.

The “wscript” process with PID 2176

In this interactive session, we can open the wscript process with PID 2176 and observe the function entry and function exit, with the function parameters displayed in between. The functions’ entry and exit are connected by a line.

VBScript script function displayed between the Call (entry) and Return (exit)

In this script, we see the use of the MSXML2.XMLHTTP object to request data from “hxxps://paste[].ee/d/oDKFW”. The response contains a PowerShell script which is then executed.

Try analyzing malware and other threats in ANY.RUN.

 

Sign up for a free account!

JScript: Exploited Scripting Language

JScript is a scripting language developed by Microsoft. It is based on the ECMAScript specification and supported by Windows Script Host (WSH), a tool that allows users to run scripts on Windows operating systems. Attackers often abuse it in their malicious campaigns.

Analysis of a JScript Attack in a Sandbox

To demonstrate a JScript attack, let’s analyze a sample of the WSHRat malware.

The sandbox shows how the malware WMI query to “winmgmts:\\\localhost\root\SecurityCenter2″ checks for the presence of antivirus solutions installed on the system.

WMI query identifying antivirus solutions on the device

For analysts’ convenience, the sandbox indicates such malicious activities using special signatures that can be found in the details window of every process.

Signatures pointing to the WSHRAT activities

VBA: Macros as Malware Launchers

Visual Basic for Applications (VBA) is an implementation of Microsoft’s Visual Basic 6 that was introduced as a substitution for Excel 4.0 and other scripting languages found in early versions of Office applications. Like its predecessor, it is now being used by attackers to download and execute malware. It is also commonly employed to evade detection.

Threat actors frequently obfuscate VBA macros to make it more difficult for analysts to make sense of their purpose, as well as to prevent security solutions from detecting malicious code.

Analysis of VBA Macros in a Sandbox

The malicious script displayed in the ANY.RUN sandbox

In this sandbox session, we can see a malicious VB script that was executed with a network request to download a file from a remote server.

The downloaded file was then saved to the Printer Shortcuts directory on the local machine. This type of attack can be particularly dangerous as it allows an attacker to gain unauthorized access to a system.

PowerShell: The New Vector in Scripting Attacks

PowerShell is the next step in the evolution of scripting languages for Windows systems. It is a tool that features a command-line shell designed to assist system administrators in their work. Thanks to its ability to execute commands and scripts on Windows systems, it has not been ignored by malicious actors.

Malware authors can use PowerShell to perform a wide range of malicious activities, including downloading and executing additional payloads and stealing sensitive data. PowerShell scripts can also be used to create persistence on compromised systems, allowing threat actors to maintain access to the system after the infection.

Analysis of a PowerShell Script in a Sandbox

In this session, we can observe the execution of a PowerShell script step by step:

  1. The ID 6104 process shows the functions displayed in sequence.
  2. The DownloadDataFromLinks function downloads data from given URLs.
  3. The DownloadData(System.String) method from the System.Net.WebClient class takes a single string parameter (URI) to download data
  4. The decoded binary data is passed to System.Text.UnicodeEncoding.GetString to convert binary data into a Unicode string, representing the actual PowerShell command.
  5. The extracted data is decoded from base64 using the FromBase64String method, converting the Base64-formatted string back into an array of bytes.

The BASE64_START and BASE64_END flags are used to extract the payload from the downloaded image.

  1. We then can identify the decoded file as an executable payload, indicated by the MZ signature in the tracer.
  2. By returning to the ID 32 parent process, the PowerShell command becomes visible.
  3. To study it in detail, we can click the “Info” button.

Analyze Scripts in ANY.RUN Sandbox

Script analysis is an essential part of any SOC professional’s routine these days. By examining scripts, they can gain insights into the tactics, techniques, and procedures (TTPs) used by attackers, which can help them improve their organization’s overall security posture.

ANY.RUN is a cloud-based sandbox that provides advanced tools for in-depth analysis of cyber threats. Script investigations are just one of the possible scenarios where the service can be effectively used by analysts to study attacks.

By using ANY.RUN, you get access to:

  • Fully interactive Windows and Linux VMs.
  • Detailed analysis of malicious network traffic, TTPs, registry activities, processes, and more.
  • Fast malware detection in under 40 seconds.
  • Comprehensive reports with IOCs.

Sign up for a free ANY.RUN account to analyze threats with no limit.

Related posts

How to Improve Your Cyber Resilience by Strengthening User Privileges

The Dark Side of Viral Content: How Negative Reviews Can Snowball

Testing Gaming Monetization: Walking the Line Between Profit and Player Experience