F-Secure DeepGuard alarm and wscript.exe

OGrelckOGrelck Posts: 4 New Member

Greetings,

we got a F-Secure DeepGuard alarm today.

The User told me he download a zip file with Google Chrome,

in which should be a word document.

He said he deleted the zip file an did not open

it. Attached some screenshots from F-Secure.

  



The question is, is it true that he did not open it?

Can F-Secure detect it without running something

or did the user run the file inside the zip? Was

the wscript.exe called by this or did F-Secure only

detect, that inside the zip there is something which wants

to call wscript.exe?


Is it possible that Chrome can run wscript.exe or a JavaScript JS file

that is calling wscript?


Best Regards 

Ole

Answers

  • jameschjamesch Posts: 216 Moderator

    Hi Ole

    Regarding this case, I suggest to submit a case and sample to our detection team

    https://www.f-secure.com/en/business/support-and-downloads/submit-a-sample

  • OGrelckOGrelck Posts: 4 New Member

    Hi Jamesch,

    we don't have a sample, the download is already deleted

    Is it possible to get informations from log files,

    which file called wscript or wasn't it called only

    a file was detected which.

    Ole

  • OGrelckOGrelck Posts: 4 New Member

    Hi,

    i could reconstruct the problem.

    I used the Chrome DownloadMetadate file to find the downloaded zip.

    I downloaded the file in a safe environement and decompressed it.

    Inside there was a obfusicated js file, which calls wscript to load

    a file from the internet and runs it.


    The user has open the zip and clicked the js :-(


    Ole

  • jameschjamesch Posts: 216 Moderator

    Hi Ole

    Just to confirm - this is not a product nor detection issue, correct ?

Sign In or Register to comment.