{"id":7853,"date":"2024-05-23T11:01:26","date_gmt":"2024-05-23T11:01:26","guid":{"rendered":"\/cybersecurity-blog\/?p=7853"},"modified":"2025-05-05T10:32:31","modified_gmt":"2025-05-05T10:32:31","slug":"malicious-scripts","status":"publish","type":"post","link":"\/cybersecurity-blog\/malicious-scripts\/","title":{"rendered":"Malicious Scripts: Examples and Analysis in ANY.RUN"},"content":{"rendered":"\n<p>When we talk about traditional malware, we&#8217;re usually referring to <strong>compiled malware<\/strong>. This means that the malware\u2019s source code is translated into machine language.&nbsp;<\/p>\n\n\n\n<p>Compilation happens when the computer takes human-readable code and converts it into instructions that the processor can understand, creating static files. For instance, it compiles <strong>C<\/strong> or <strong>C++ <\/strong>code into executable files like <strong>.exe<\/strong> or <strong>.dll <\/strong>for Windows.&nbsp;<\/p>\n\n\n\n<p>The first compiled malware, called Brain, was created way back in 1986. That&#8217;s ancient history in the world of information technology! Over the years, we&#8217;ve become very good at detecting this type of threat.&nbsp;<\/p>\n\n\n\n<p><strong>YARA rules <\/strong>and <strong>Signatures <\/strong>can be incredibly effective at spotting malicious code in executables.&nbsp;<\/p>\n\n\n\n<p>This doesn&#8217;t mean that compiled malware has become obsolete. <a href=\"https:\/\/any.run\/malware-trends\/mirai\" target=\"_blank\" rel=\"noreferrer noopener\">Mirai<\/a> (written in C) and&nbsp;<a href=\"https:\/\/any.run\/malware-trends\/formbook\" target=\"_blank\" rel=\"noreferrer noopener\">FormBook<\/a> (written in C++)&nbsp;are 3 examples of modern threats that fall into this bucket. 
But it has led attackers to invent something new.&nbsp;<\/p>\n\n\n\n<p>Enter <strong>malicious scripts and script-based malware<\/strong>.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What are malicious scripts?&nbsp;<\/h2>\n\n\n\n<p>Scripts have become increasingly popular in recent years, largely because they effectively evade&nbsp;traditional endpoint detection and are easy to obfuscate.&nbsp;<\/p>\n\n\n\n<p>Adversaries generally use them in one of two ways:&nbsp;<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Add a script 
component that executes an attack step in compiled malware to execute a command or download a payload.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li>Create malware using a scripting language directly. An example is <a href=\"https:\/\/any.run\/malware-trends\/lu0bot\" target=\"_blank\" rel=\"noreferrer noopener\">Lu0bot<\/a>, which is written in Node.js.&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>Later in this article, we&#8217;ll look at case studies that analyze each type of threat, so keep reading!&nbsp;<\/p>\n\n\n\n<p>The table below shows examples of malware that&#8217;s written entirely using a scripting language:&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-96\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"4\"\n           data-rows=\"5\"\n           data-wpID=\"96\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:25%;                    padding:10px;\n                    \"\n                    >\n                                        Example\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:25%;                    padding:10px;\n                    \"\n                    >\n                                        Type\u00a0             
       <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"C1\"\n                    data-col-index=\"2\"\n                    data-row-index=\"0\"\n                    style=\" width:25%;                    padding:10px;\n                    \"\n                    >\n                                        Language\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"D1\"\n                    data-col-index=\"3\"\n                    data-row-index=\"0\"\n                    style=\" width:25%;                    padding:10px;\n                    \"\n                    >\n                                        Noteworthy for\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        WSHRAT\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        RAT\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C2\"\n                    data-col-index=\"2\"\n      
              data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        JS\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D2\"\n                    data-col-index=\"3\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        A complex structure that uses numerous JS calls.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Lu0Bot\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Botnet\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C3\"\n                    data-col-index=\"2\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Node.js\u00a0                   
 <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D3\"\n                    data-col-index=\"3\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Bundling with a NodeJS interpreter.\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        STRRAT\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        RAT\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C4\"\n                    data-col-index=\"2\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        JS\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D4\"\n                    data-col-index=\"3\"\n                    data-row-index=\"3\"\n  
                  style=\"                    padding:10px;\n                    \"\n                    >\n                                        Dropping a compiled Java-based malware, which unpacks during execution\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Jsoutprox\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Backdoor\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"C5\"\n                    data-col-index=\"2\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        JS\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"D5\"\n                    data-col-index=\"3\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Being a script-based backdoor.\u00a0       
             <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-96'>\ntable#wpdtSimpleTable-96{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-96 td, table.wpdtSimpleTable96 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p>(<a href=\"https:\/\/any.run\/cybersecurity-blog\/lu0bot-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Read our in-depth analysis of Lu0Bot \u2014 a malware that theoretically can do almost anything<\/a>).&nbsp;<\/p>\n\n\n\n<p>Scripts are written in interpreted programming languages, which means that the code is executed by an interpreter at runtime rather than being compiled into an executable file.&nbsp;<\/p>\n\n\n\n<p>Some of the most commonly used languages for script-based malware are <strong>JavaScript<\/strong> and <strong>PowerShell<\/strong>.&nbsp;<\/p>\n\n\n\n<p>Key characteristics of malicious scripts include:&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Fileless execution<\/strong>: Scripts can run in memory without leaving a significant trace on the infected system&#8217;s hard drive. For example, a malicious PowerShell script could use the <strong>Invoke-Expression cmdlet <\/strong>to download and execute a payload directly in memory, making it difficult for security software to detect it.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Living off the land<\/strong>: Scripts often use utilities already present in the OS. 
Think of JavaScript using <strong>WMI<\/strong> (Windows Management Instrumentation) to query system data.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Types of scripts used by script-based malware&nbsp;<\/h2>\n\n\n\n<p>Scripts differ by their runtime environment, and this determines how attackers weaponize them. 
The table below breaks down the most common ones used in malware.&nbsp;<\/p>\n\n\n\n<div class=\"wpdt-c row wpDataTableContainerSimpleTable wpDataTables wpDataTablesWrapper\n\"\n    >\n        <table id=\"wpdtSimpleTable-97\"\n           style=\"border-collapse:collapse;\n                   border-spacing:0px;\"\n           class=\"wpdtSimpleTable wpDataTable\"\n           data-column=\"2\"\n           data-rows=\"8\"\n           data-wpID=\"97\"\n           data-responsive=\"0\"\n           data-has-header=\"1\">\n\n                    <thead>        <tr class=\"wpdt-cell-row \" >\n                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"A1\"\n                    data-col-index=\"0\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Scripting Language\u00a0                    <\/th>\n                                                <th class=\"wpdt-cell wpdt-bold\"\n                                            data-cell-id=\"B1\"\n                    data-col-index=\"1\"\n                    data-row-index=\"0\"\n                    style=\" width:50%;                    padding:10px;\n                    \"\n                    >\n                                        Execution Environment\u00a0                    <\/th>\n                                        <\/tr>\n                    <tbody>        <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A2\"\n                    data-col-index=\"0\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        JavaScript\u00a0                    <\/td>\n                 
                               <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B2\"\n                    data-col-index=\"1\"\n                    data-row-index=\"1\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Web browsers (e.g., Chrome, Firefox), Node.js runtime\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A3\"\n                    data-col-index=\"0\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        JScript\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B3\"\n                    data-col-index=\"1\"\n                    data-row-index=\"2\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Windows OS, Internet Explorer\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A4\"\n                    data-col-index=\"0\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        VBScript\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                  
          data-cell-id=\"B4\"\n                    data-col-index=\"1\"\n                    data-row-index=\"3\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Windows OS, Microsoft Office applications (e.g., Word, Excel)\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A5\"\n                    data-col-index=\"0\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        PowerShell\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B5\"\n                    data-col-index=\"1\"\n                    data-row-index=\"4\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Windows OS, built-in Windows tool\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A6\"\n                    data-col-index=\"0\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Batch Scripts\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B6\"\n                    
data-col-index=\"1\"\n                    data-row-index=\"5\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Windows OS, command-line interface\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A7\"\n                    data-col-index=\"0\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Shell Scripts (Bash)\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B7\"\n                    data-col-index=\"1\"\n                    data-row-index=\"6\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Unix\/Linux OS, command-line interface\u00a0                    <\/td>\n                                        <\/tr>\n                            <tr class=\"wpdt-cell-row \" >\n                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"A8\"\n                    data-col-index=\"0\"\n                    data-row-index=\"7\"\n                    style=\"                    padding:10px;\n                    \"\n                    >\n                                        Python Scripts\u00a0                    <\/td>\n                                                <td class=\"wpdt-cell \"\n                                            data-cell-id=\"B8\"\n                    data-col-index=\"1\"\n                    data-row-index=\"7\"\n                  
  style=\"                    padding:10px;\n                    \"\n                    >\n                                        Cross-platform (Windows, macOS, Linux)\u00a0                    <\/td>\n                                        <\/tr>\n                    <\/table>\n<\/div><style id='wpdt-custom-style-97'>\ntable#wpdtSimpleTable-97{ table-layout: fixed !important; }\ntable#wpdtSimpleTable-97 td, table.wpdtSimpleTable97 th { white-space: normal !important; }\n<\/style>\n\n\n\n\n<p><a href=\"https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/\" target=\"_blank\" rel=\"noreferrer noopener\">Read our deep dive into UAC bypasses in Windows 11<\/a>, which includes exploiting COM interfaces, or a breakdown of <a href=\"https:\/\/any.run\/cybersecurity-blog\/macros-in-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">VBScript and how it&#8217;s used in macros (with real-world case-study)<\/a>.&nbsp;<\/p>\n\n\n\n<p>Not all scripts work right away on every machine. Some will run on a bare machine, while others need extra software.&nbsp;<\/p>\n\n\n\n<p><strong>PowerShell<\/strong>, <strong>batch scripts<\/strong>, <strong>VBScript<\/strong>, and <strong>JScript <\/strong>are natively supported on Windows, and <strong>shell scripts (Bash)<\/strong> are natively supported on Linux.&nbsp;&nbsp;<\/p>\n\n\n\n<p>Hackers can run them from the command prompt (or terminal in the case of Linux), from the PowerShell IDE, or by tricking the user into running the script by double-clicking the script files.&nbsp;<\/p>\n\n\n\n<p>Scripts that require a special runtime or additional software are <strong>JavaScript <\/strong>and <strong>Python<\/strong>. Browser-based JavaScript requires a web browser such as Chrome, Firefox, or Edge. 
<strong>Node.js<\/strong> programs require the Node.js runtime.&nbsp;<\/p>\n\n\n\n<p><strong>Python<\/strong> scripts are cross-platform but require the Python interpreter to be installed on Windows.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to analyze malicious scripts and script-based malware&nbsp;<\/h2>\n\n\n\n<p>When analyzing scripts, you have two main options:&nbsp;<\/p>\n\n\n\n<ol start=\"1\" class=\"wp-block-list\">\n<li>Review the source code statically to understand how the script works. This involves examining the codebase line by line without executing it.&nbsp;<\/li>\n<\/ol>\n\n\n\n<ol start=\"2\" class=\"wp-block-list\">\n<li>Execute the script dynamically. You can use <strong>debuggers <\/strong>(x64dbg, IDA Pro) and <strong>script tracers <\/strong>to step through the execution, inspect variables, or run the script in a <strong>sandbox <\/strong>(<a href=\"http:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malicious_scripts&amp;utm_term=230524&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN<\/a>) to see what it does within the system.&nbsp;<\/li>\n<\/ol>\n\n\n\n<p>Sandboxing and script tracing tend to be more effective than static code review \u2014 both for script-based malware and compiled malware that uses scripts somewhere in the attack chain. 
&nbsp;<\/p>\n\n\n\n<p>That\u2019s because reverse-engineering an obfuscated codebase is incredibly time-consuming (and we\u2019ll see why in the next chapter).&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Obfuscation and how to get around it&nbsp;<\/h2>\n\n\n\n<p><strong>When it comes to scripting languages, their interpretive nature allows malware authors to obfuscate the script directly at the source code level<\/strong>, instead of working at low-level assembly or machine code level, which can be quite challenging.&nbsp;<\/p>\n\n\n\n<p>To understand how powerful this anti-analysis tactic is, let&#8217;s take a dummy Python function and obfuscate it.&nbsp;<\/p>\n\n\n\n<p>Here&#8217;s a function that pretends to steal a browser session:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>def steal_cookies(website): \n\n    cookies = get_cookies(website) \n\n    send_to_hacker(cookies) <\/code><\/pre>\n\n\n\n<p>First, we&#8217;ll rename variables and functions, and then we&#8217;ll encode strings by replacing the string literal with its hexadecimal representation:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>def sc(w): \n\n    c = gc('\\x77\\x65\\x62\\x73\\x69\\x74\\x65') \n\n    sth(c) <\/code><\/pre>\n\n\n\n<p>We\u2019ll add some dummy code and pointless comments. It will make the code look like a bad intern wrote it.&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>def sc(w): \n\n    # TODO: Implement error handling \n\n    x = 42 \n\n    c = gc('\\x77\\x65\\x62\\x73\\x69\\x74\\x65') \n\n    y = &#091;1, 2, 3] \n\n    sth(c) \n\n    # FIXME: Optimize performance <\/code><\/pre>\n\n\n\n<p>Let&#8217;s add another layer of complexity by introducing encoding and encryption. 
We can use a combination of <strong>base64<\/strong> encoding and <strong>ROT13<\/strong> encryption to obscure the original string.&nbsp;<\/p>\n\n\n\n<p>In this example, the base64-encoded string is decoded, and the result is passed through a ROT13 cipher before being sent to the <strong>sth <\/strong>function:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>def sc(w): \n\n    x = 42 \n\n    c = gc(b64d('d2Vic2l0ZQ==').decode('utf-8')) \n\n    y = &#091;1, 2, 3] \n\n    sth(rot13(c)) <\/code><\/pre>\n\n\n\n<p>And, as a final sprinkle, let&#8217;s cram everything into one line:&nbsp;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>def sc(w):x=42;c=gc(b64d('d2Vic2l0ZQ==').decode('utf-8'));y=&#091;1,2,3];sth(rot13(c)) <\/code><\/pre>\n\n\n\n<p>Now, imagine that the source code has 1,000 lines, or more. Reverse engineering it would be like untangling a ball of spaghetti!&nbsp;<\/p>\n\n\n\n<p>It\u2019s not impossible, but <strong>in situations like this, it\u2019s more practical to focus on following the execution flow and observing what the program <\/strong><strong><em>does<\/em><\/strong><strong>, <\/strong>instead of getting bogged down in how the source code is written line by line.&nbsp;<\/p>\n\n\n\n<p>This is done with the help of <strong>script tracers<\/strong>, like the one that is built into ANY.RUN.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Analyzing Malicious Scripts in ANY.RUN&nbsp;<\/h2>\n\n\n\n<p>We&#8217;ll look at two examples: a case study of a script-enhanced attack chain, and malware that is entirely script-based. We&#8217;ll see that Script Tracer is equally useful in both cases.&nbsp;<\/p>\n\n\n\n<p>So, let&#8217;s get started.\u00a0<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example #1. WSHRAT&nbsp;<\/h3>\n\n\n\n<p>WSHRAT is written in JS, and it&#8217;s an excellent example to illustrate how the script tracer works. 
Let\u2019s analyze <a href=\"https:\/\/app.any.run\/tasks\/dbf9c043-992b-4adf-b7d5-7fd633d4b379\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malicious_scripts&amp;utm_term=230524&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">this sample in ANY.RUN<\/a>.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"625\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image-2-1024x625.png\" alt=\"\" class=\"wp-image-7854\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image-2-1024x625.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image-2-300x183.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image-2-768x469.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image-2-370x226.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image-2-270x165.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image-2-740x452.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image-2.png 1219w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\">&nbsp;WSHRAT initiates an HTTP POST request<\/figcaption><\/figure><\/div>\n\n\n<p>The screenshot above shows that WSHRAT initiates an HTTP POST request to <strong>hxxp:\/\/harold.2waky[.]com:3609\/is-ready<\/strong>, where it transmits information about the infected operating system via the User-Agent header. &nbsp;<\/p>\n\n\n\n<p>It adds itself to the Start Menu for persistence \u2014 this way it will remain active after a system reboot. 
All of this information is gathered using our <a href=\"https:\/\/any.run\/cybersecurity-blog\/script-tracer\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>script tracer<\/strong><\/a>.&nbsp;<\/p>\n\n\n\n<p>(<a href=\"https:\/\/any.run\/malware-trends\/wshrat\" target=\"_blank\" rel=\"noreferrer noopener\">Learn more about WSHRAT malware in ANY.RUN Script Tracer<\/a>)&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example #2. FormBook, which downloads an executable with PowerShell&nbsp;<\/h3>\n\n\n\n<p>FormBook, a compiled malware, uses a PowerShell script for one of the stages of the attack in this example.&nbsp;<\/p>\n\n\n\n<p>PowerShell scripts can, essentially, write and execute new code on the fly, without ever saving it to disk.&nbsp;<\/p>\n\n\n\n<p>The script tracer reveals these hidden interactions by running the code in a controlled system and recording every API call, function parameter and variable value.&nbsp;<\/p>\n\n\n\n<p>We\u2019ll analyze <a href=\"https:\/\/app.any.run\/tasks\/d58441df-fc26-4709-9728-bedd265f9b38\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malicious_scripts&amp;utm_term=230524&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">this FormBook sample<\/a> together to see how it works.&nbsp;<\/p>\n\n\n\n<p>To access the script tracer when you open the recording of the analysis session in ANY.RUN, first click on the process you want to examine, and then on the <strong>More info<\/strong> button.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"566\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-3-1024x566.png\" alt=\"\" class=\"wp-image-7855\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-3-1024x566.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-3-300x166.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-3-768x425.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-3-1536x850.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-3-370x205.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-3-270x149.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-3-740x409.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image2-3.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The <strong>Advanced details of a process <\/strong>window will open, and if the process contains a script, 
you&#8217;ll see a Script Tracer tab on the right. In our case, a <strong>PowerShell<\/strong> script was traced, so let&#8217;s click on that.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"569\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-1-1024x569.png\" alt=\"\" class=\"wp-image-7856\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-1-1024x569.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-1-300x167.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-1-768x426.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-1-370x205.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-1-270x150.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-1-740x411.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image3-1.png 1430w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The script tracer above shows a sequential recording of the call stack, and you can start looking from top to bottom to reconstruct every system action that took place while the script was running.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"345\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image4-1024x345.png\" alt=\"\" class=\"wp-image-7857\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image4-1024x345.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image4-300x101.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image4-768x259.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image4-370x125.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image4-270x91.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image4-740x249.png 740w, 
\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image4.png 1430w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>At the very top, note the <strong>DownloadDataFromLinks<\/strong> function \u2014 it used a System object to download something from the internet.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"936\" height=\"52\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image5.png\" alt=\"\" class=\"wp-image-7858\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image5.png 936w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image5-300x17.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image5-768x43.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image5-370x21.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image5-270x15.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image5-740x41.png 740w\" sizes=\"(max-width: 936px) 100vw, 936px\" \/><\/figure>\n\n\n\n<p>We see that the <strong>DownloadData(System.String)<\/strong> method took a single string parameter. 
This is a method of the <strong>System.Net.WebClient<\/strong> class in .NET, which takes a URI and downloads data as a byte array.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"936\" height=\"468\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image6.png\" alt=\"\" class=\"wp-image-7859\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image6.png 936w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image6-300x150.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image6-768x384.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image6-370x185.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image6-270x135.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image6-740x370.png 740w\" sizes=\"(max-width: 936px) 100vw, 936px\" \/><\/figure>\n\n\n\n<p>The image above shows what happened next.&nbsp;<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>The decoded binary data was passed to <strong>System.Text.UnicodeEncoding.GetString<\/strong>, which converted the binary data into a Unicode string\u2014this is the PowerShell command.&nbsp;<\/li>\n<li>The extracted data was decoded from base64 using the <strong>FromBase64String<\/strong> method, converting the Base64-formatted string back into an array of bytes.&nbsp;<\/li>\n<li>The <strong>BASE64_START<\/strong> and <strong>BASE64_END<\/strong> markers were used to extract the payload from the downloaded image.&nbsp;<\/li>\n<\/ol>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"936\" height=\"410\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image7.png\" alt=\"\" class=\"wp-image-7860\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image7.png 936w, 
\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image7-300x131.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image7-768x336.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image7-370x162.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image7-270x118.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image7-740x324.png 740w\" sizes=\"(max-width: 936px) 100vw, 936px\" \/><\/figure>\n\n\n\n<p>Notice the <strong>MZ <\/strong>signature in the tracer. It clearly identifies the decoded file as an executable.&nbsp;<\/p>\n\n\n\n<p>Now, let&#8217;s look at the parent process with <strong>PID 32<\/strong>:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"564\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image8-1024x564.png\" alt=\"\" class=\"wp-image-7861\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image8-1024x564.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image8-300x165.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image8-768x423.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image8-1536x846.png 1536w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image8-370x204.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image8-270x149.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image8-740x407.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image8.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Here we can find the actual <strong>PowerShell command<\/strong>:&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"46\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image9-1024x46.png\" alt=\"\" class=\"wp-image-7862\" 
srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image9-1024x46.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image9-300x13.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image9-768x34.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image9-370x17.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image9-270x12.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image9-740x33.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/image9.png 1430w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Click on the <strong>Info<\/strong> button to open it in the Static discovery window and see the whole command.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"621\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/imagea-1024x621.png\" alt=\"\" class=\"wp-image-7863\" srcset=\"\/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/imagea-1024x621.png 1024w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/imagea-300x182.png 300w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/imagea-768x466.png 768w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/imagea-370x224.png 370w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/imagea-270x164.png 270w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/imagea-740x449.png 740w, \/cybersecurity-blog\/wp-content\/uploads\/2024\/05\/imagea.png 1430w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Wrapping up&nbsp;<\/h2>\n\n\n\n<p>Let\u2019s recap the main points.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Malicious scripts and script-based malware are written in interpreted programming languages and executed by an interpreter at runtime rather than being compiled. This allows fileless execution in memory and makes it harder to detect compared to traditional compiled malware.&nbsp;<\/li>\n<li>Scripting languages make it easy to obfuscate malicious code by working at the source code level, rather than at the assembly or machine code level as compiled malware does.&nbsp;<\/li>\n<li>The two main approaches to analyzing malicious scripts are reviewing the source code or executing it dynamically and seeing what it does. 
Dynamic analysis with <strong>script tracers<\/strong> tends to be more effective than manually deobfuscating the code.&nbsp;<\/li>\n<li>ANY.RUN has powerful tools built in for analyzing both script-based malware and compiled malware that leverages scripts. The built-in script tracer records API calls, function parameters, and variable values to reconstruct the malware&#8217;s behavior.&nbsp;<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;&nbsp;<\/h2>\n\n\n\n<p>ANY.RUN helps more than 400,000 cybersecurity professionals worldwide. Our interactive sandbox simplifies malware analysis of threats that target both Windows and Linux systems. Our threat intelligence products, <a href=\"https:\/\/any.run\/cybersecurity-blog\/introducing-any-run-threat-intelligence-lookup\/\" target=\"_blank\" rel=\"noreferrer noopener\">TI Lookup<\/a>, <a href=\"https:\/\/any.run\/cybersecurity-blog\/yara-search\/\" target=\"_blank\" rel=\"noreferrer noopener\">Yara Search<\/a>, and <a href=\"https:\/\/any.run\/cybersecurity-blog\/threat-intelligence-feeds\/\" target=\"_blank\" rel=\"noreferrer noopener\">Feeds<\/a>, help you find IOCs or files to learn more about the threats and respond to incidents faster.&nbsp;&nbsp;&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Advantages of ANY.RUN&nbsp;&nbsp;<\/h3>\n\n\n\n<p>ANY.RUN helps you analyze threats faster while improving detection rates. 
The platform detects common malware families with YARA and Suricata rules and identifies malware behavior with signatures when detection by family is not possible.&nbsp;<\/p>\n\n\n\n<p><strong>With ANY.RUN you can:<\/strong>&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Detect malware in under 40s.&nbsp;<\/li>\n<li>Interact with samples in real time.&nbsp;<\/li>\n<li>Save time and money on sandbox setup and maintenance.&nbsp;<\/li>\n<li>Record and study all aspects of malware behavior.&nbsp;<\/li>\n<li>Collaborate with your team.&nbsp;<\/li>\n<li>Scale as you need.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p>Let us give you an interactive presentation of ANY.RUN and show you how it can help your security team.<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/contact-us\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=malicious_scripts&amp;utm_term=230524&amp;utm_content=linktocontactus\" target=\"_blank\" rel=\"noreferrer noopener\">Get in touch with us \u2192<\/a>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>When we talk about traditional malware, we&#8217;re usually referring to compiled malware. This means that the malware\u2019s source code is translated into machine language.&nbsp; Compilation happens when the computer takes human-readable code and converts it into instructions that the processor can understand, creating static files. 
For instance, it compiles C or C++ code into executable [&hellip;]<\/p>\n","protected":false},"author":6,"featured_media":7865,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[57,10,34],"class_list":["post-7853","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-lifehacks","tag-anyrun","tag-cybersecurity","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Malicious Scripts: Examples and Analysis in ANY.RUN - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Learn how cyber attackers use malicious scripts, including PowerShell, VBScript, and JScript, and see how you can analyze them in ANY.RUN.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jack Zalesskiy and Stas Gaivoronskii\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\n\t    \"@context\": \"https:\/\/schema.org\",\n\t    \"@graph\": [\n\t        {\n\t            \"@type\": \"Article\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/#article\",\n\t            \"isPartOf\": {\n\t                \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/\"\n\t            },\n\t            \"author\": {\n\t                \"name\": \"Jack Zalesskiy and Stas Gaivoronskii\",\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"headline\": \"Malicious Scripts: Examples and Analysis in ANY.RUN\",\n\t            \"datePublished\": \"2024-05-23T11:01:26+00:00\",\n\t            \"dateModified\": \"2025-05-05T10:32:31+00:00\",\n\t            \"mainEntityOfPage\": {\n\t                \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/\"\n\t            },\n\t            \"wordCount\": 1947,\n\t            \"commentCount\": 0,\n\t            \"publisher\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"keywords\": [\n\t                \"ANYRUN\",\n\t                \"cybersecurity\",\n\t                \"malware analysis\"\n\t            ],\n\t            \"articleSection\": [\n\t                \"Cybersecurity Lifehacks\"\n\t            ],\n\t            \"inLanguage\": \"en-US\",\n\t            \"potentialAction\": [\n\t                {\n\t                    \"@type\": \"CommentAction\",\n\t                    \"name\": \"Comment\",\n\t                    \"target\": [\n\t                        \"https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/#respond\"\n\t                    ]\n\t                }\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"WebPage\",\n\t            \"@id\": 
\"https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/\",\n\t            \"url\": \"https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/\",\n\t            \"name\": \"Malicious Scripts: Examples and Analysis in ANY.RUN - ANY.RUN&#039;s Cybersecurity Blog\",\n\t            \"isPartOf\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"datePublished\": \"2024-05-23T11:01:26+00:00\",\n\t            \"dateModified\": \"2025-05-05T10:32:31+00:00\",\n\t            \"description\": \"Learn how cyber attackers use malicious scripts, including PowerShell, VBScript, and JScript, and see how you can analyze them in ANY.RUN.\",\n\t            \"breadcrumb\": {\n\t                \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/#breadcrumb\"\n\t            },\n\t            \"inLanguage\": \"en-US\",\n\t            \"potentialAction\": [\n\t                {\n\t                    \"@type\": \"ReadAction\",\n\t                    \"target\": [\n\t                        \"https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/\"\n\t                    ]\n\t                }\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"BreadcrumbList\",\n\t            \"@id\": \"https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/#breadcrumb\",\n\t            \"itemListElement\": [\n\t                {\n\t                    \"@type\": \"ListItem\",\n\t                    \"position\": 1,\n\t                    \"name\": \"Home\",\n\t                    \"item\": \"https:\/\/any.run\/cybersecurity-blog\/\"\n\t                },\n\t                {\n\t                    \"@type\": \"ListItem\",\n\t                    \"position\": 2,\n\t                    \"name\": \"Cybersecurity Lifehacks\",\n\t                    \"item\": \"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/\"\n\t                },\n\t                {\n\t                    \"@type\": \"ListItem\",\n\t      
              \"position\": 3,\n\t                    \"name\": \"Malicious Scripts: Examples and Analysis in ANY.RUN\"\n\t                }\n\t            ]\n\t        },\n\t        {\n\t            \"@type\": \"WebSite\",\n\t            \"@id\": \"https:\/\/any.run\/\",\n\t            \"url\": \"https:\/\/any.run\/\",\n\t            \"name\": \"ANY.RUN&#039;s Cybersecurity Blog\",\n\t            \"description\": \"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\n\t            \"publisher\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"potentialAction\": [\n\t                {\n\t                    \"@type\": \"SearchAction\",\n\t                    \"target\": {\n\t                        \"@type\": \"EntryPoint\",\n\t                        \"urlTemplate\": \"https:\/\/any.run\/?s={search_term_string}\"\n\t                    },\n\t                    \"query-input\": \"required name=search_term_string\"\n\t                }\n\t            ],\n\t            \"inLanguage\": \"en-US\"\n\t        },\n\t        {\n\t            \"@type\": \"Organization\",\n\t            \"@id\": \"https:\/\/any.run\/\",\n\t            \"name\": \"ANY.RUN\",\n\t            \"url\": \"https:\/\/any.run\/\",\n\t            \"logo\": {\n\t                \"@type\": \"ImageObject\",\n\t                \"inLanguage\": \"en-US\",\n\t                \"@id\": \"https:\/\/any.run\/\",\n\t                \"url\": \"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\n\t                \"contentUrl\": \"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\n\t                \"width\": 1,\n\t                \"height\": 1,\n\t                \"caption\": \"ANY.RUN\"\n\t            },\n\t            \"image\": {\n\t                \"@id\": \"https:\/\/any.run\/\"\n\t            },\n\t            \"sameAs\": [\n\t                
\"https:\/\/www.facebook.com\/www.any.run\/\",\n\t                \"https:\/\/twitter.com\/anyrun_app\",\n\t                \"https:\/\/www.linkedin.com\/company\/30692044\",\n\t                \"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"\n\t            ]\n\t        },\n\t        [\n\t            {\n\t                \"@type\": [\n\t                    \"Person\"\n\t                ],\n\t                \"@id\": \"https:\/\/any.run\/\",\n\t                \"name\": \"Jack Zalesskiy\",\n\t                \"image\": {\n\t                    \"@type\": \"ImageObject\",\n\t                    \"@id\": \"https:\/\/any.run\/\",\n\t                    \"inLanguage\": \"en_US\",\n\t                    \"url\": \"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1-150x150.webp\",\n\t                    \"caption\": \"Jack Zalesskiy\"\n\t                }\n\t            },\n\t            {\n\t                \"@type\": [\n\t                    \"Person\"\n\t                ],\n\t                \"@id\": \"https:\/\/any.run\/\",\n\t                \"name\": \"Stas Gaivoronskii\",\n\t                \"image\": {\n\t                    \"@type\": \"ImageObject\",\n\t                    \"@id\": \"https:\/\/any.run\/\",\n\t                    \"inLanguage\": \"en_US\",\n\t                    \"url\": \"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/Stasphoto-150x150.png\",\n\t                    \"caption\": \"Stas Gaivoronskii\"\n\t                }\n\t            }\n\t        ]\n\t    ]\n\t}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Malicious Scripts: Examples and Analysis in ANY.RUN - ANY.RUN&#039;s Cybersecurity Blog","description":"Learn how cyber attackers use malicious scripts, including PowerShell, VBScript, and JScript, and see how you can analyze them in ANY.RUN.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/","twitter_misc":{"Written by":"Jack Zalesskiy and Stas Gaivoronskii","Est. reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/"},"author":{"name":"Jack Zalesskiy and Stas Gaivoronskii","@id":"https:\/\/any.run\/"},"headline":"Malicious Scripts: Examples and Analysis in ANY.RUN","datePublished":"2024-05-23T11:01:26+00:00","dateModified":"2025-05-05T10:32:31+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/"},"wordCount":1947,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware analysis"],"articleSection":["Cybersecurity Lifehacks"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/","url":"https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/","name":"Malicious Scripts: Examples and Analysis in ANY.RUN - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2024-05-23T11:01:26+00:00","dateModified":"2025-05-05T10:32:31+00:00","description":"Learn how cyber attackers use malicious scripts, including PowerShell, VBScript, and JScript, 
and see how you can analyze them in ANY.RUN.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/malicious-scripts\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity Lifehacks","item":"https:\/\/any.run\/cybersecurity-blog\/category\/lifehacks\/"},{"@type":"ListItem","position":3,"name":"Malicious Scripts: Examples and Analysis in ANY.RUN"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},[{"@type":["Person"],"@id":"https:\/\/any.run\/","name":"Jack 
Zalesskiy","image":{"@type":"ImageObject","@id":"https:\/\/any.run\/","inLanguage":"en_US","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/image1-min-1-1-1-1-150x150.webp","caption":"Jack Zalesskiy"}},{"@type":["Person"],"@id":"https:\/\/any.run\/","name":"Stas Gaivoronskii","image":{"@type":"ImageObject","@id":"https:\/\/any.run\/","inLanguage":"en_US","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/09\/Stasphoto-150x150.png","caption":"Stas Gaivoronskii"}}]]}},"_links":{"self":[{"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7853"}],"collection":[{"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=7853"}],"version-history":[{"count":4,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7853\/revisions"}],"predecessor-version":[{"id":13266,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/7853\/revisions\/13266"}],"wp:featuredmedia":[{"embeddable":true,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/7865"}],"wp:attachment":[{"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=7853"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=7853"},{"taxonomy":"post_tag","embeddable":true,"href":"\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=7853"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}