File name: jargon.vbs
Full analysis: https://app.any.run/tasks/688210b5-c81a-4bb3-9c5a-9825b3da87f2
Verdict: Malicious activity
Analysis date: June 11, 2024, 16:39:49
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/x-setupscript
File info: Microsoft Windows Autorun file
MD5: 524D38B7488A490C0A93A2D248CA05C3
SHA1: 3C4CC4519601C041B9403D3B2DB9F0B763C65BD3
SHA256: 15A7F28FD3E63122D328F8057CBD57FF82125A24F66C7D6A32DC267558D0A0E1
SSDEEP: 48:aA+OkuYnQ32DikIqF9u5wiUqAOyCy0AIu0iRl/RlKRlJSTutk/:aAFkXbGb+A5OD0hiRtRgRDSTutC

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Gets path to any of the special folders (SCRIPT)
      • wscript.exe (PID: 3984)
      • wscript.exe (PID: 928)
    • Modifies registry startup key (SCRIPT)
      • wscript.exe (PID: 3984)
      • wscript.exe (PID: 928)
    • Creates a new registry key or changes the value of an existing one (SCRIPT)
      • wscript.exe (PID: 3984)
      • wscript.exe (PID: 928)
    • Gets a file object corresponding to the file in a specified path (SCRIPT)
      • wscript.exe (PID: 3984)
      • wscript.exe (PID: 928)
    • Uses sleep, probably for evasion detection (SCRIPT)
      • wscript.exe (PID: 3984)
      • wscript.exe (PID: 928)
  • SUSPICIOUS
    • Creates FileSystem object to access computer's file system (SCRIPT)
      • wscript.exe (PID: 3984)
      • wscript.exe (PID: 928)
    • Reads data from a binary Stream object (SCRIPT)
      • wscript.exe (PID: 3984)
      • wscript.exe (PID: 928)
    • Writes binary data to a Stream object (SCRIPT)
      • wscript.exe (PID: 3984)
      • wscript.exe (PID: 928)
    • Gets full path of the running script (SCRIPT)
      • wscript.exe (PID: 3984)
      • wscript.exe (PID: 928)
    • Checks whether a specific file exists (SCRIPT)
      • wscript.exe (PID: 3984)
      • wscript.exe (PID: 928)
    • Reads the Internet Settings
      • wscript.exe (PID: 3984)
      • wscript.exe (PID: 928)
    • The process executes VB scripts
      • wscript.exe (PID: 3984)
      • wscript.exe (PID: 928)
    • Runs shell command (SCRIPT)
      • wscript.exe (PID: 3984)
      • wscript.exe (PID: 928)
    • Checks whether the drive is ready (SCRIPT)
      • wscript.exe (PID: 3984)
      • wscript.exe (PID: 928)
    • Application launched itself
      • wscript.exe (PID: 3984)
      • wscript.exe (PID: 928)
    • Gets a collection of all available drive names (SCRIPT)
      • wscript.exe (PID: 3984)
      • wscript.exe (PID: 928)
    • Gets the drive type (SCRIPT)
      • wscript.exe (PID: 3984)
      • wscript.exe (PID: 928)
  • INFO
    • Manual execution by a user
      • wscript.exe (PID: 928)
No Malware configuration.
No data.
Total processes: 36
Monitored processes: 4
Malicious processes: 2
Suspicious processes: 0


Process information

PID: 928
CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\Desktop\jargon.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Version: 5.8.7600.16385

PID: 1064
CMD: "C:\Windows\System32\wscript.exe" "C:\Windows\jargon.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 1
Version: 5.8.7600.16385

PID: 3984
CMD: "C:\Windows\System32\WScript.exe" C:\Users\admin\Desktop\jargon.vbs
Path: C:\Windows\System32\wscript.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Version: 5.8.7600.16385

PID: 4052
CMD: "C:\Windows\System32\wscript.exe" "C:\Windows\jargon.vbs"
Path: C:\Windows\System32\wscript.exe
Parent process: wscript.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft ® Windows Based Script Host
Exit code: 1
Version: 5.8.7600.16385

Modules (images) loaded, identical for all four processes:
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 2 041
Read events: 2 002
Write events: 18
Delete events: 21

Modification events

(PID) Process: (3984) wscript.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: autoMe
Value: wscript.exe "C:\Windows\jargon.vbs"

(PID) Process: (3984) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

(PID) Process: (3984) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

(PID) Process: (3984) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

(PID) Process: (3984) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

(PID) Process: (3984) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Operation: delete value
Name: Hidden
Value: (none)

(PID) Process: (3984) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Operation: delete value
Name: HideFileExt
Value: (none)

(PID) Process: (3984) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Operation: delete value
Name: ShowSuperHidden
Value: (none)

(PID) Process: (3984) wscript.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Operation: delete value
Name: Hidden
Value: (none)

(PID) Process: (928) wscript.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: autoMe
Value: wscript.exe "C:\Windows\jargon.vbs"
Executable files: 0
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

No data
HTTP(S) requests: 0
TCP/UDP connections: 2
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID  Process  IP                     Domain  ASN  CN  Reputation
4    System   192.168.100.255:137    -       -    -   unknown
4    System   192.168.100.255:138    -       -    -   whitelisted

DNS requests

No data

Threats

No threats detected
No debug info