Posts

Showing posts from March, 2021

JS/BONDAT Worm Observed

Quick post, ran across a JS/BONDAT Worm variant and thought I would highlight some analysis and detection opportunities. The file I came across can be found here: https://app.any.run/tasks/b3654b29-8858-4769-90ae-4f45a5f27c5d/

First Detection Opportunity

This is a JavaScript file being executed via wscript. While this does not always mean "malicious", I find that detecting on Wscript.exe with a command line of .js does catch a fair number of malware families. Of course, you may need to negate some false positives as you run across them, but this is a good start.

Second Detection Opportunity

From the above image, you can see Wscript.exe writing a .JS file. This may be a good item to key in on as well. Again, some minor false positives may exist, but those should be easy to negate.

Understanding the Javascript

The first thing to do with the JS is to beautify it... We can go from this: to this: Right away we can see that some data about the victim is being coll...