MAS_1.4_AIO-ZH_TW.cmd
This report is generated from a file or URL submitted to this webservice on July 26th 2021 09:55:45 (UTC)
Guest System: Windows 7 32 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v8.48.10 © Hybrid Analysis
Indicators
Not all malicious and suspicious indicators are displayed.
-
Malicious Indicators 2
-
Installation/Persistence
-
Found an indicator for a scheduled task trigger
- details
-
"un_Once</URI>
<SecurityDescriptor>D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FRFX;;;LS)(A;;FRFW;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-4)</SecurityDescriptor>
</RegistrationInfo>
<Triggers>
<LogonTrigger>
<Enabled>true</Enabled>
</LogonTrigger>
</Triggers>
<Principals>
<Principal id="LocalSystem">
<UserId>S-1-5-18</UserId>
<RunLevel>HighestAvailable</RunLevel>
</Principal>
</Principals>
<Settings>
<MultipleInstancesPolicy>IgnoreNew</MultipleInstancesPolicy>
<DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
<StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
<AllowHardTerminate>true</AllowHardTerminate>
<StartWhenAvailable>true</StartWhenAvailable>
<RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
<IdleSettings>
<StopOnIdleEnd>false</StopOnIdleEnd>
<RestartOnIdle>false</RestartOnIdle>
</IdleSettings>
<AllowStartOnDemand>true</AllowStar" (Indicator: "LogonTrigger"; File: "6c98eeff169a7c30d279f9fb2c02db9c7d174d63922c74e27025a54db9d99c7c.cmd.bin") - source
- File/Memory
- relevance
- 5/10
- ATT&CK ID
- T1168 (Show technique in the MITRE ATT&CK™ matrix)
-
-
System Security
-
References security related windows services
- details
-
"\]" %Red%
)
::========================================================================================================================================
echo:
set _1=ClipSVC
set _2=wlidsvc
set _3=sppsvc
set _4=wuauserv
for %%# in (%_1% %_2% %_3% %_4%) do call :DL_ServiceCheck %%#
set "CLecho=" (Indicator: "wuauserv") - source
- File/Memory
- relevance
- 7/10
- ATT&CK ID
- T1044 (Show technique in the MITRE ATT&CK™ matrix)
-
-
Suspicious Indicators 5
-
Environment Awareness
-
Found a reference to a WMI query string known to be used for VM detection
- details
-
".
goto MASend
)
::========================================================================================================================================
:: Elevate script as admin and pass arguments and preventing loop
:: Thanks to @hearywarlot [ https://forums.mydigitallife.net/threads/.74332/ ] for the VBS method.
:: Thanks to @abbodi1406 for the powershell method and solving special characters issue in file path name.
set "batf_=%~f0"
set "batp_=%batf_:'=''%"
%_null% reg query HKU\S-1-5-19 && (
goto :_Passed
) || (
if defined _elev goto :_E_Admin
)
set "_vbsf=%temp%\admin.vbs"
set _PSarg="""%~f0""" -el
setlocal EnableDelayedExpansion
(
echo Set strArg=WScript.Arguments.Named
echo Set strRdlproc = CreateObject^("WScript.Shell"^).Exec^("rundll32 kernel32,Sleep"^)
echo With GetObject^("winmgmts:\\.\root\CIMV2:Win32_Process.Handle='" ^& strRdlproc.ProcessId ^& "'"^)
echo With GetObject^("winmgmts:\\.\root\CIMV2:Win32_Process.Handle='" ^& .ParentProcessId ^& "'"^)
echo If" (Indicator: "win32_process"; File: "6c98eeff169a7c30d279f9fb2c02db9c7d174d63922c74e27025a54db9d99c7c.cmd.bin"), "Windows 10.
goto DL_Done
)
::========================================================================================================================================
:: Elevate script as admin and pass arguments and preventing loop
:: Thanks to @hearywarlot [ https://forums.mydigitallife.net/threads/.74332/ ] for the VBS method.
:: Thanks to @abbodi1406 for the powershell method and solving special characters issue in file path name.
%nul% reg query HKU\S-1-5-19 && (
goto :DL_Passed
) || (
if defined _elev goto :DL_E_Admin
)
set "_batf=%~f0"
set "_vbsf=%temp%\admin.vbs"
set _PSarg="""%~f0""" -el
if defined _args set _PSarg="""%~f0""" -el """%_args%"""
setlocal EnableDelayedExpansion
(
echo Set strArg=WScript.Arguments.Named
echo Set strRdlproc = CreateObject^("WScript.Shell"^).Exec^("rundll32 kernel32,Sleep"^)
echo With GetObject^("winmgmts:\\.\root\CIMV2:Win32_Process.Handle='" ^& strRdlproc.ProcessId ^& "'"^)
echo With GetObject^("winmgmts:\\.\root\CIMV2:Win32_Proc" (Indicator: "win32_process"; File: "6c98eeff169a7c30d279f9fb2c02db9c7d174d63922c74e27025a54db9d99c7c.cmd.bin"), ".
echo Project is supported only for Windows 10 / Server - 1607 [14393] and later builds.
goto K38_Done
)
::========================================================================================================================================
:: Elevate script as admin and pass arguments and preventing loop
:: Thanks to @hearywarlot [ https://forums.mydigitallife.net/threads/.74332/ ] for the VBS method.
:: Thanks to @abbodi1406 for the powershell method and solving special characters issue in file path name.
%nul% reg query HKU\S-1-5-19 && (
goto :K38_Passed
) || (
if defined _elev goto :K38_E_Admin
)
set "_batf=%~f0"
set "_vbsf=%temp%\admin.vbs"
set _PSarg="""%~f0""" -el
if defined _args set _PSarg="""%~f0""" -el """%_args%"""
setlocal EnableDelayedExpansion
(
echo Set strArg=WScript.Arguments.Named
echo Set strRdlproc = CreateObject^("WScript.Shell"^).Exec^("rundll32 kernel32,Sleep"^)
echo With GetObject^("winmgmts:\\.\root\CIMV2:Win32_Process.Handle='" ^& strRdl" (Indicator: "win32_process"; File: "6c98eeff169a7c30d279f9fb2c02db9c7d174d63922c74e27025a54db9d99c7c.cmd.bin")
"proc.ProcessId ^& "'"^)
echo With GetObject^("winmgmts:\\.\root\CIMV2:Win32_Process.Handle='" ^& .ParentProcessId ^& "'"^)
echo If InStr ^(.CommandLine, WScript.ScriptName^) ^<^> 0 Then
echo strLine = Mid^(.CommandLine, InStr^(.CommandLine , "/File:"^) + Len^(strArg^("File"^)^) + 8^)
echo End If
echo End With
echo .Terminate
echo End With
echo CreateObject^("Shell.Application"^).ShellExecute "cmd.exe", "/c " ^& chr^(34^) ^& chr^(34^) ^& strArg^("File"^) ^& chr^(34^) ^& strLine ^& chr^(34^), "", "runas", 1
)>"!_vbsf!"
(%nul% cscript //NoLogo "!_vbsf!" /File:"!_batf!" -el "!_args!") && (
del /f /q "!_vbsf!"
exit /b
) || (
del /f /q "!_vbsf!"
%nul% %_psc% "start cmd.exe -arg '/c \"!_PSarg:'=''!\"' -verb runas" && (
exit /b
) || (
goto :K38_E_Admin
)
)
exit /b
:K38_E_Admin
%ELine%
echo" (Indicator: "win32_process"; File: "6c98eeff169a7c30d279f9fb2c02db9c7d174d63922c74e27025a54db9d99c7c.cmd.bin"), ".
goto Done
)
::========================================================================================================================================
:: Fix for the special characters limitation in path name
:: Written by @abbodi1406
set "_batf=%~f0"
set "_vbsf=%temp%\admin.vbs"
set _PSarg="""%~f0""" -el
if defined _args set _PSarg="""%~f0""" -el """%_args%"""
setlocal EnableDelayedExpansion
:: Elevate script as admin and pass arguments and preventing loop
:: Thanks to @hearywarlot [ https://forums.mydigitallife.net/threads/.74332/ ] for the VBS method.
:: Thanks to @abbodi1406 for the powershell method and solving special characters issue in file path name.
%nul% reg query HKU\S-1-5-19 && (
goto :Passed
) || (
if defined _elev goto :E_Admin
)
(
echo Set strArg=WScript.Arguments.Named
echo Set strRdlproc = CreateObject^("WScript.Shell"^).Exec^("rundll32 kernel32,Sleep"^)
echo With GetObject^("winmgmts:\\.\root\CIMV2:Win32_Process.Handle='" ^& strRdlproc.Proces" (Indicator: "win32_process"; File: "6c98eeff169a7c30d279f9fb2c02db9c7d174d63922c74e27025a54db9d99c7c.cmd.bin")
"sId ^& "'"^)
echo With GetObject^("winmgmts:\\.\root\CIMV2:Win32_Process.Handle='" ^& .ParentProcessId ^& "'"^)
echo If InStr ^(.CommandLine, WScript.ScriptName^) ^<^> 0 Then
echo strLine = Mid^(.CommandLine, InStr^(.CommandLine , "/File:"^) + Len^(strArg^("File"^)^) + 8^)
echo End If
echo End With
echo .Terminate
echo End With
echo CreateObject^("Shell.Application"^).ShellExecute "cmd.exe", "/c " ^& chr^(34^) ^& chr^(34^) ^& strArg^("File"^) ^& chr^(34^) ^& strLine ^& chr^(34^), "", "runas", 1
)>"!_vbsf!"
(%nul% cscript //NoLogo "!_vbsf!" /File:"!_batf!" -el "!_args!") && (
del /f /q "!_vbsf!"
exit /b
) || (
del /f /q "!_vbsf!"
%nul% %_psc% "start cmd.exe -arg '/c \"!_PSarg:'=''!\"' -verb runas" && (
exit /b
) || (
goto :E_Admin
)
)
exit /b
:E_Admin
%ELine%
if "!_batf!"=="%ProgramData%\Online_KMS_Activation\Activate.cmd" (
echo" (Indicator: "win32_process"; File: "6c98eeff169a7c30d279f9fb2c02db9c7d174d63922c74e27025a54db9d99c7c.cmd.bin"), "al EnableDelayedExpansion
(
echo Set strArg=WScript.Arguments.Named
echo Set strRdlproc = CreateObject^("WScript.Shell"^).Exec^("rundll32 kernel32,Sleep"^)
echo With GetObject^("winmgmts:\\.\root\CIMV2:Win32_Process.Handle='" ^& strRdlproc.ProcessId ^& "'"^)
echo With GetObject^("winmgmts:\\.\root\CIMV2:Win32_Process.Handle='" ^& .ParentProcessId ^& "'"^)
echo If InStr ^(.CommandLine, WScript.ScriptName^) ^<^> 0 Then
echo strLine = Mid^(.CommandLine, InStr^(.CommandLine , "/File:"^) + Len^(strArg^("File"^)^) + 8^)
echo End If
echo End With
echo .Terminate
echo End With
echo CreateObject^("Shell.Application"^).ShellExecute "cmd.exe", "/c " ^& chr^(34^) ^& chr^(34^) ^& strArg^("File"^) ^& chr^(34^) ^& strLine ^& chr^(34^), "", "runas", 1
)>"!_vbsf!"
(%nul% cscript //NoLogo "!_vbsf!" /File:"!_batf!" -el "!_args!") && (
del /f /q "!_vbsf!"
exit /b
) || (
del /f /q "!_vbsf!"
%nul% %_psc% "start cmd.exe -arg '/c \"!_PSarg:'=''!\"' -verb runas" && (
exit /b
) || (
goto :E_Admin
)
)
exit" (Indicator: "win32_process"; File: "6c98eeff169a7c30d279f9fb2c02db9c7d174d63922c74e27025a54db9d99c7c.cmd.bin"), "echo With GetObject^("winmgmts:\\.\root\CIMV2:Win32_Process.Handle='" ^& strRdlproc.ProcessId ^& "'"^)" (Indicator: "win32_process"; File: "6c98eeff169a7c30d279f9fb2c02db9c7d174d63922c74e27025a54db9d99c7c.cmd.bin"), "echo With GetObject^("winmgmts:\\.\root\CIMV2:Win32_Process.Handle='" ^& .ParentProcessId ^& "'"^)" (Indicator: "win32_process"; File: "6c98eeff169a7c30d279f9fb2c02db9c7d174d63922c74e27025a54db9d99c7c.cmd.bin") - source
- File/Memory
- relevance
- 10/10
- ATT&CK ID
- T1047 (Show technique in the MITRE ATT&CK™ matrix)
-
-
General
-
Found a potential E-Mail address in binary/memory
- details
-
Pattern match: "behj@j0euir4_.6"
Pattern match: "0mq5a8@k_e.05h"
Pattern match: "0zi@mm9kahxdbnfa1i9.v"
Pattern match: "z-0hrgek7m@x.njp3u"
Pattern match: "rjwizk@c.ukbzxyd"
Pattern match: "j9u@xv.3e"
Pattern match: "ek98rt@a.za"
Pattern match: "y@wxev3_zh.cclvu"
Pattern match: "htdqr@-z2pxupoy_h.u1"
Pattern match: "uwfhcbdl9@3y5mohu.sz"
Pattern match: "s_@vxgbi.f"
Pattern match: "z@9.l"
Pattern match: "mq@mx.4e7jr"
Pattern match: "_@kxoj.gskgh"
Pattern match: "_zu.k0ba8k@bz.y"
Pattern match: "o90qdgdit@doktw.e"
Pattern match: "lbl6qb@r-.hiy96ssrmd0ycuqvvhz6tyw"
Pattern match: "idpltbo@f.i"
Pattern match: "egr@rmuv.8"
Pattern match: "o@4rjdkvw.8" - source
- File/Memory
- relevance
- 3/10
- ATT&CK ID
- T1114 (Show technique in the MITRE ATT&CK™ matrix)
-
-
Network Related
-
Found potential IP address in binary/memory
- details
-
Potential IP "127.0.0.2" found in string "127.0.0.2] ["
"127.0.0.2"
Potential IP "127.0.0.2" found in string "- Why is the script setting the specific KMS host to 127.0.0.2 (localhost)?"
Potential IP "127.0.0.2" found in string "- Set specific KMS host to 127.0.0.2 [Localhost] with the following command: (Run one by one)"
Potential IP "127.0.0.2" found in string "wmic path %spp% where ID='%app%' call SetKeyManagementServiceMachine MachineName="127.0.0.2""
Potential IP "127.0.0.2" found in string "Another fact is that if LocalHost (127.0.0.2) is defined as KMS IP in the Windows 8.1 and 10 OS's"
Potential IP "127.0.0.2" found in string "- Set that Windows edition specific KMS IP to LocalHost (127.0.0.2),"
Potential IP "127.0.0.1" found in string "if %winbuild% LSS 7600 (ping -n 3 127.0.0.1 > nul) else (timeout /t 3)" - source
- File/Memory
- relevance
- 3/10
-
-
Remote Access Related
-
Contains indicators of bot communication commands
- details
-
"timeout /t 30 >nul
set /a loop=%loop%+1
goto repeat
:IntConnected
if defined KMS_Server (
echo:
set "KMS_IP=%KMS_Server%"
set /a online_server_count=1
set /a activation_ok=1
goto gotserv
)
:: Primary servers randomization
:: Thanks to @abbodi1406
set "srvpri="
set "srvsec="
set "srvpri=%srvpri%kms.srv.cr"
set "srvpri=%srvpri%soo.com"
set "srvpri=%srvpri% kms.lol"
set "srvpri=%srvpri%i.beer"
set "srvpri=%srvpri% kms8.MSGu"
set "srvpri=%srvpri%ides.com"
set "srvsec=%srvsec% kms9.MSGui"
set "srvsec=%srvsec%des.com"
set "srvsec=%srvsec% kms.zhuxi"
set "srvsec=%srvsec%aole.org"
set "srvsec=%srvsec% kms.lol"
set "srvsec=%srvsec%ico.moe"
set "srvsec=%srvsec% kms.moec"
set "srvsec=%srvsec%lub.org"
set n=1
for %%a in (%srvpri%) do (set server!n!=%%a&set /a n+=1)
for %%a in (%srvsec%) do (set server!n!=%%a&set /a n+=1)
set /a max_servers=n-1
set /a srvpri_num=1
set /a server_num=1
set /a online_server_count=0
echo:
:server
if %online_server_count% equ 2 (
%EchoR" (Indicator: "servers=") - source
- File/Memory
- relevance
- 10/10
- ATT&CK ID
- T1094 (Show technique in the MITRE ATT&CK™ matrix)
-
Contains references to WMI/WMIC
- details
-
".
goto MASend
)
::========================================================================================================================================
:: Elevate script as admin and pass arguments and preventing loop
:: Thanks to @hearywarlot [ https://forums.mydigitallife.net/threads/.74332/ ] for the VBS method.
:: Thanks to @abbodi1406 for the powershell method and solving special characters issue in file path name.
set "batf_=%~f0"
set "batp_=%batf_:'=''%"
%_null% reg query HKU\S-1-5-19 && (
goto :_Passed
) || (
if defined _elev goto :_E_Admin
)
set "_vbsf=%temp%\admin.vbs"
set _PSarg="""%~f0""" -el
setlocal EnableDelayedExpansion
(
echo Set strArg=WScript.Arguments.Named
echo Set strRdlproc = CreateObject^("WScript.Shell"^).Exec^("rundll32 kernel32,Sleep"^)
echo With GetObject^("winmgmts:\\.\root\CIMV2:Win32_Process.Handle='" ^& strRdlproc.ProcessId ^& "'"^)
echo With GetObject^("winmgmts:\\.\root\CIMV2:Win32_Process.Handle='" ^& .ParentProcessId ^& "'"^)
echo If" (Indicator: "root\cimv2"), "Windows 10.
goto DL_Done
)
::========================================================================================================================================
:: Elevate script as admin and pass arguments and preventing loop
:: Thanks to @hearywarlot [ https://forums.mydigitallife.net/threads/.74332/ ] for the VBS method.
:: Thanks to @abbodi1406 for the powershell method and solving special characters issue in file path name.
%nul% reg query HKU\S-1-5-19 && (
goto :DL_Passed
) || (
if defined _elev goto :DL_E_Admin
)
set "_batf=%~f0"
set "_vbsf=%temp%\admin.vbs"
set _PSarg="""%~f0""" -el
if defined _args set _PSarg="""%~f0""" -el """%_args%"""
setlocal EnableDelayedExpansion
(
echo Set strArg=WScript.Arguments.Named
echo Set strRdlproc = CreateObject^("WScript.Shell"^).Exec^("rundll32 kernel32,Sleep"^)
echo With GetObject^("winmgmts:\\.\root\CIMV2:Win32_Process.Handle='" ^& strRdlproc.ProcessId ^& "'"^)
echo With GetObject^("winmgmts:\\.\root\CIMV2:Win32_Proc" (Indicator: "root\cimv2"), ".
echo Project is supported only for Windows 10 / Server - 1607 [14393] and later builds.
goto K38_Done
)
::========================================================================================================================================
:: Elevate script as admin and pass arguments and preventing loop
:: Thanks to @hearywarlot [ https://forums.mydigitallife.net/threads/.74332/ ] for the VBS method.
:: Thanks to @abbodi1406 for the powershell method and solving special characters issue in file path name.
%nul% reg query HKU\S-1-5-19 && (
goto :K38_Passed
) || (
if defined _elev goto :K38_E_Admin
)
set "_batf=%~f0"
set "_vbsf=%temp%\admin.vbs"
set _PSarg="""%~f0""" -el
if defined _args set _PSarg="""%~f0""" -el """%_args%"""
setlocal EnableDelayedExpansion
(
echo Set strArg=WScript.Arguments.Named
echo Set strRdlproc = CreateObject^("WScript.Shell"^).Exec^("rundll32 kernel32,Sleep"^)
echo With GetObject^("winmgmts:\\.\root\CIMV2:Win32_Process.Handle='" ^& strRdl" (Indicator: "root\cimv2")
"proc.ProcessId ^& "'"^)
echo With GetObject^("winmgmts:\\.\root\CIMV2:Win32_Process.Handle='" ^& .ParentProcessId ^& "'"^)
echo If InStr ^(.CommandLine, WScript.ScriptName^) ^<^> 0 Then
echo strLine = Mid^(.CommandLine, InStr^(.CommandLine , "/File:"^) + Len^(strArg^("File"^)^) + 8^)
echo End If
echo End With
echo .Terminate
echo End With
echo CreateObject^("Shell.Application"^).ShellExecute "cmd.exe", "/c " ^& chr^(34^) ^& chr^(34^) ^& strArg^("File"^) ^& chr^(34^) ^& strLine ^& chr^(34^), "", "runas", 1
)>"!_vbsf!"
(%nul% cscript //NoLogo "!_vbsf!" /File:"!_batf!" -el "!_args!") && (
del /f /q "!_vbsf!"
exit /b
) || (
del /f /q "!_vbsf!"
%nul% %_psc% "start cmd.exe -arg '/c \"!_PSarg:'=''!\"' -verb runas" && (
exit /b
) || (
goto :K38_E_Admin
)
)
exit /b
:K38_E_Admin
%ELine%
echo" (Indicator: "root\cimv2"), ".
goto Done
)
::========================================================================================================================================
:: Fix for the special characters limitation in path name
:: Written by @abbodi1406
set "_batf=%~f0"
set "_vbsf=%temp%\admin.vbs"
set _PSarg="""%~f0""" -el
if defined _args set _PSarg="""%~f0""" -el """%_args%"""
setlocal EnableDelayedExpansion
:: Elevate script as admin and pass arguments and preventing loop
:: Thanks to @hearywarlot [ https://forums.mydigitallife.net/threads/.74332/ ] for the VBS method.
:: Thanks to @abbodi1406 for the powershell method and solving special characters issue in file path name.
%nul% reg query HKU\S-1-5-19 && (
goto :Passed
) || (
if defined _elev goto :E_Admin
)
(
echo Set strArg=WScript.Arguments.Named
echo Set strRdlproc = CreateObject^("WScript.Shell"^).Exec^("rundll32 kernel32,Sleep"^)
echo With GetObject^("winmgmts:\\.\root\CIMV2:Win32_Process.Handle='" ^& strRdlproc.Proces" (Indicator: "root\cimv2")
"sId ^& "'"^)
echo With GetObject^("winmgmts:\\.\root\CIMV2:Win32_Process.Handle='" ^& .ParentProcessId ^& "'"^)
echo If InStr ^(.CommandLine, WScript.ScriptName^) ^<^> 0 Then
echo strLine = Mid^(.CommandLine, InStr^(.CommandLine , "/File:"^) + Len^(strArg^("File"^)^) + 8^)
echo End If
echo End With
echo .Terminate
echo End With
echo CreateObject^("Shell.Application"^).ShellExecute "cmd.exe", "/c " ^& chr^(34^) ^& chr^(34^) ^& strArg^("File"^) ^& chr^(34^) ^& strLine ^& chr^(34^), "", "runas", 1
)>"!_vbsf!"
(%nul% cscript //NoLogo "!_vbsf!" /File:"!_batf!" -el "!_args!") && (
del /f /q "!_vbsf!"
exit /b
) || (
del /f /q "!_vbsf!"
%nul% %_psc% "start cmd.exe -arg '/c \"!_PSarg:'=''!\"' -verb runas" && (
exit /b
) || (
goto :E_Admin
)
)
exit /b
:E_Admin
%ELine%
if "!_batf!"=="%ProgramData%\Online_KMS_Activation\Activate.cmd" (
echo" (Indicator: "root\cimv2"), "al EnableDelayedExpansion
(
echo Set strArg=WScript.Arguments.Named
echo Set strRdlproc = CreateObject^("WScript.Shell"^).Exec^("rundll32 kernel32,Sleep"^)
echo With GetObject^("winmgmts:\\.\root\CIMV2:Win32_Process.Handle='" ^& strRdlproc.ProcessId ^& "'"^)
echo With GetObject^("winmgmts:\\.\root\CIMV2:Win32_Process.Handle='" ^& .ParentProcessId ^& "'"^)
echo If InStr ^(.CommandLine, WScript.ScriptName^) ^<^> 0 Then
echo strLine = Mid^(.CommandLine, InStr^(.CommandLine , "/File:"^) + Len^(strArg^("File"^)^) + 8^)
echo End If
echo End With
echo .Terminate
echo End With
echo CreateObject^("Shell.Application"^).ShellExecute "cmd.exe", "/c " ^& chr^(34^) ^& chr^(34^) ^& strArg^("File"^) ^& chr^(34^) ^& strLine ^& chr^(34^), "", "runas", 1
)>"!_vbsf!"
(%nul% cscript //NoLogo "!_vbsf!" /File:"!_batf!" -el "!_args!") && (
del /f /q "!_vbsf!"
exit /b
) || (
del /f /q "!_vbsf!"
%nul% %_psc% "start cmd.exe -arg '/c \"!_PSarg:'=''!\"' -verb runas" && (
exit /b
) || (
goto :E_Admin
)
)
exit" (Indicator: "root\cimv2"), "echo With GetObject^("winmgmts:\\.\root\CIMV2:Win32_Process.Handle='" ^& strRdlproc.ProcessId ^& "'"^)" (Indicator: "root\cimv2"), "echo With GetObject^("winmgmts:\\.\root\CIMV2:Win32_Process.Handle='" ^& .ParentProcessId ^& "'"^)" (Indicator: "root\cimv2") - source
- File/Memory
- relevance
- 10/10
- ATT&CK ID
- T1047 (Show technique in the MITRE ATT&CK™ matrix)
-
-
Informative 10
-
Environment Awareness
-
Reads the active computer name
- details
- "wscript.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME")
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
Reads the cryptographic machine GUID
- details
- "wscript.exe" (Path: "HKLM\SOFTWARE\MICROSOFT\CRYPTOGRAPHY"; Key: "MACHINEGUID")
- source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
-
External Systems
-
Sample was identified as clean by Antivirus engines
- details
- 0/58 Antivirus vendors marked sample as malicious (0% detection rate)
- source
- External System
- relevance
- 10/10
-
-
General
-
Reads Windows Trust Settings
- details
- "wscript.exe" (Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\WINTRUST\TRUST PROVIDERS\SOFTWARE PUBLISHING"; Key: "STATE")
- source
- Registry Access
- relevance
- 5/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
-
Installation/Persistence
-
Opens the MountPointManager (often used to detect additional infection locations)
- details
- "wscript.exe" opened "\Device\MountPointManager"
- source
- API Call
- relevance
- 5/10
-
Touches files in the Windows directory
- details
-
"wscript.exe" touched file "%WINDIR%\System32\en-US\wscript.exe.mui"
"wscript.exe" touched file "%WINDIR%\System32\wscript.exe"
"wscript.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
"wscript.exe" touched file "%WINDIR%\System32\rsaenh.dll"
"wscript.exe" touched file "%WINDIR%\System32\en-US\jscript.dll.mui"
"wscript.exe" touched file "%WINDIR%\Fonts\StaticCache.dat"
"wscript.exe" touched file "%WINDIR%\System32\en-US\msctf.dll.mui" - source
- API Call
- relevance
- 7/10
-
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "https://www.nsaneforums.com/topic/316668-microsoft-activation-scripts/"
Pattern match: "https://www.nsaneforums.com/topic/316668--/?do=findComment&comment=1497887"
Pattern match: "https://forums.mydigitallife.net/posts/838808"
Pattern match: "https://github.com/AveYo/Compressed2TXT"
Pattern match: "https://forums.mydigitallife.net/threads/.74332/"
Heuristic match: "v.
goto MASend
:_Passed
::========================================================================================================================================
setlocal EnableDelayedExpansion
:MainMenu
cls
title Microsoft Activation Sc"
Pattern match: "https://pastebin.com/raw/jduBSazJ"
Pattern match: "https://pastebin.com/raw/7Xyaf1"
Pattern match: "https://textuploader.com/1dg8d/raw"
Pattern match: "https://github.com/vyvojar/slshim"
Pattern match: "https://support.microsoft.com/en-us/help/2736303"
Pattern match: "https://pastebin.com/raw/7Xyaf15Z"
Pattern match: "https://gitlab.com/massgrave/massgrave"
Pattern match: "https://s.put.re/WFuXpyWA.zip"
Heuristic match: "server address, search set KMS_Server=
paste the server address after the = sign.
- To clear the KMS cache, search set Clear-KMS-Cache= and change the value from 0 to 1.
- Registered KMS server address (cache) enables the system to au"
Pattern match: "https://forums.mydigitallife.net/posts/1150042"
Pattern match: "https://forums.mydigitallife.net/posts/1466365/"
Pattern match: "pastebin.com/XTPt0JSC"
Pattern match: "https://gitlab.com/massgrave/microsoft-activation-scripts"
Pattern match: "https://forums.mydigitallife.net/threads/74197/"
Pattern match: "https://www.nsaneforums.com/topic/316668--/page/22/?tab=comments#comment-1438005"
Pattern match: "www.microsoft.com"
Pattern match: "https://github.com/vyvojar/slshim/releases"
Pattern match: "https://stackoverflow.com/a/13351373"
Pattern match: "https://forums.mydigitallife.net/posts/1511883"
Pattern match: "http://schemas.microsoft.com/windows/2004/02/mit/task"
Pattern match: "https://github.com/massgravel/Microsoft-Activation-Scripts"
Pattern match: "https://github.com/massgravel/MASSGRAVE"
Pattern match: "https://www.nsaneforums.com/topic/316668--/page/21/?tab=comments#comment-1431257"
Heuristic match: "kms.srv.crsoo.com"
Heuristic match: "kms8.MSGuides.com"
Heuristic match: "kms9.MSGuides.com"
Heuristic match: "kms.zhuxiaole.org"
Heuristic match: "kms.moeclub.org"
Pattern match: "http://forum.ru-board.com/topic.cgi?forum=2&topic=5734#1"
Pattern match: "https://forums.mydigitallife.net/threads/44717/"
Pattern match: "https://forums.mydigitallife.net/posts/838808/"
Pattern match: "https://tinyurl.com/yy8wfu5m"
Heuristic match: "::cXof.W.S4/B2K).HGs|~BIizQ/p]-mQ1HC_qI$B0eTV};cSXSXD?u)}A#H5u4+d.#z59pN&358XD5|Q5&I1bIqvd@luR!#X&P7P]-GY}Iv5~8RmbIoJf8,d7^B.CY"
Pattern match: "hf65g51m6.qh/4o"
Pattern match: "T.ArK/jvp4Ydt/dsL{D=V9aTAnER" - source
- File/Memory
- relevance
- 10/10
-
-
Unusual Characteristics
-
Found reference to Diagnosis CAB file
- details
-
"Total = 1/66
Virus Total Report Date: 12-11-2019
These files are official Microsoft files and in this script, these are used in
cleaning office license in C2R Retail office to VL conversion process.
The source of these files is the 'old' version of Microsoft Tool O15CTRRemove.diagcab
You can get the original file here https://s.put.re/WFuXpyWA.zip
====================================================================================================
How does it work?
Is it safe?
https://pastebin.com/raw/7Xyaf15Z
Mirror:
https://textuploader.com/1dg8d/raw
====================================================================================================
Products Compatibility:
====================================================================================================
Supported Products: [Only Volume-capable]
Windows 8 / 8.1 / 10 (all official editions, except Windows 10 S)
Windows 7 (Enterprise /N/E, Professional /N/E" (Indicator: ".diagcab")
"25372731c770e2 *cleanosppx64.exe Virus Total = 0/66
39ed8659e7ca16aaccb86def94ce6cec4c847dd6 *cleanosppx86.exe Virus Total = 1/66
Virus Total Report Date: 12-11-2019
These files are official Microsoft files and in this script, these are used in
cleaning office license in C2R Retail office to VL conversion process.
The source of these files is the 'old' version of Microsoft Tool O15CTRRemove.diagcab
You can get the original file here https://s.put.re/WFuXpyWA.zip
----------------------------------------------------------
IMPORTANT NOTE - Some sensitive AV's may flag the Automatic Renewal via the Task, and not
because of KMS, because for them it's suspicious to run long scripts in the background as Tasks.
It's recommended to set exclusions in Antivirus for
%ALLUSERSPROFILE%\Online_KMS_Activation\Activate.cmd
----------------------------------------------------------
- When using Online KMS plus HWID" (Indicator: ".diagcab")
"source of these files is the 'old' version of Microsoft Tool O15CTRRemove.diagcab
You can get the original file here https://s.put.re/WFuXpyWA.zip
====================================================================================================
:7:
:+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
:$OEM$Related
cls
set "CheckExit=if defined $OEM$Exist Goto Extract$OEM$"
for /f "delims=" %%a in ('%_psc% "& {write-host $([Environment]::GetFolderPath('Desktop'))}"') do Set "desktop=%%a"
cd /d "%desktop%"
set "Dir=%desktop%\$OEM$\$$\Setup\Scripts"
if exist $OEM$ goto Exist
if not exist $OEM$ goto NotExist
:Exist
echo _____________________________________________________
%ErrLine%
echo $OEM$" (Indicator: ".diagcab")
"text contains these 3 files:
::
:: d30a0e4e5911d3ca705617d17225372731c770e2 *cleanosppx64.exe Virus Total = 0/66
:: 39ed8659e7ca16aaccb86def94ce6cec4c847dd6 *cleanosppx86.exe Virus Total = 1/66
:: 9d5b4b3e761cca9531d64200dfbbfa0dec94f5b0 *_Info.txt Virus Total = 0/59
::
:: Virus Total Report Date: 12-11-2019
::
:: These files are official Microsoft files and in this script, these are used in
:: cleaning office license in C2R Retail office to VL conversion process.
::
:: The source of these files is the 'old' version of Microsoft Tool O15CTRRemove.diagcab
:: You can get the original file here https://s.put.re/WFuXpyWA.zip
:::========================================================================================================================================
:cleanospp: Compressed2TXT v5.3
Add-Type -Language CSharp -TypeDefinition @"
using System.IO; public class BAT85{ public static void Decode(string tmp, string s" (Indicator: ".diagcab")
"ese files are official Microsoft files and in this script, these are used in
cleaning office license in C2R Retail office to VL conversion process.
The source of these files is the 'old' version of Microsoft Tool O15CTRRemove.diagcab
You can get the original file here https://s.put.re/WFuXpyWA.zip
====================================================================================================
Online KMS Activation script is just a fork of @abbodi1406's KMS_VL_ALL Project.
KMS_VL_ALL homepage: https://forums.mydigitallife.net/posts/838808
This fork was made to avoid having any KMS binary files and system can be activated using
some manual commands or transparent batch script files.
Online KMS Activation script is a part of 'Microsoft Activation Scripts'
Maintained by @WindowsAddict
Homepages-
NsaneForums: (Login Required) https://www.nsaneforums.com/topic/316668-microsoft-activation-scripts/
GitHub: https://github.com/massgravel/Microsoft-Ac" (Indicator: ".diagcab")
"The source of these files is the 'old' version of Microsoft Tool O15CTRRemove.diagcab" (Indicator: ".diagcab") - source
- File/Memory
- relevance
- 7/10
-
Installs hooks/patches the running process
- details
- "wscript.exe" wrote bytes "c04e077720540877e0650877b53809770000000000d0a37500000000c5eaa3750000000088eaa37500000000e968097582280977ee29097700000000d2690975000000007dbba3750000000009be097500000000ba18a37500000000" to virtual address "0x771D1000" (part of module "NSI.DLL")
- source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179 (Show technique in the MITRE ATT&CK™ matrix)
-
Reads information about supported languages
- details
-
"wscript.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\EXTENDEDLOCALE"; Key: "EN-US")
"wscript.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\CUSTOMLOCALE"; Key: "EN-US")
"wscript.exe" (Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\NLS\LOCALE"; Key: "00000409") - source
- Registry Access
- relevance
- 3/10
- ATT&CK ID
- T1012 (Show technique in the MITRE ATT&CK™ matrix)
-
File Details
MAS_1.4_AIO-ZH_TW.cmd
- Filename
- MAS_1.4_AIO-ZH_TW.cmd
- Size
- 2.3MiB (2363497 bytes)
- Type
- script javascript
- Description
- ISO-8859 text, with CRLF line terminators
- Architecture
- WINDOWS
- SHA256
- 6c98eeff169a7c30d279f9fb2c02db9c7d174d63922c74e27025a54db9d99c7c
- MD5
- 00b8634b40694f94c5b03914c37a18cf
- SHA1
- ccd0ddb9703d8b0ad4df2fdea5dc60eca119485a
Screenshots
Hybrid Analysis
Analysed 1 process in total.
- wscript.exe "C:\MAS_1.4_AIO-ZH_TW.cmd.js" (PID: 2988)
Network Analysis
DNS Requests
No relevant DNS requests were made.
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
No significant files were extracted.
Notifications
-
Runtime
- Network whitenoise filtering was applied
- No static analysis parsing on sample was performed
- Not all Falcon MalQuery lookups completed in time
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "string-43" are available in the report
- Not all sources for indicator ID "string-63" are available in the report