# generated using capa explorer for IDA Pro
rule:
meta:
name: execute VBScript Javascript or JScript in memory
namespace: load-code
authors:
- blas.kojusner@mandiant.com
description: the sample may execute 32-bit VBScript, JavaScript, or JScript (32-bit)
scopes:
static: function
dynamic: unsupported # requires operand[0].number, bytes, operand[1].offset features
references:
- https://gist.github.com/odzhan/d18145b9538a3653be2f9a580b53b063
examples:
- 65B1EA6E5254D458C602504CEEDA5E05:0x401160
features:
- and:
- api: CoCreateInstance
- bytes: E1 2A 1A BB F9 A4 CF 11 8F 20 00 80 5F 2C D0 64 = IID_IActiveScript
- bytes: E2 2A 1A BB F9 A4 CF 11 8F 20 00 80 5F 2C D0 64 = IID_IActiveScriptParse32
- operand[0].number: 0x2 = SCRIPTSTATE_CONNECTED
- operand[1].offset: 0x14 = ParseScriptText
last edited: 2023-11-24 10:34:28