Deep Analysis - JS Dropper / MSBuild Hollow | Threat: CRITICAL

File Identity

SHA256: 06cd8dcf6dbe90f73024d3789e6d6e63c626614da31a5c8474acac5c5a55ba5d
Size: 824,918 bytes (approx. 806 KiB), a single line with no line terminator
Type: JavaScript malware (executed by WScript)

Three-Layer Encrypted Obfuscation

CRITICAL: three layers of encryption: XOR + custom AES-256 + PowerShell loader

Layer 1: XOR obfuscation (keys 20 / 142)
  5,952-element byte array; the two keys alternate between odd and even positions
  Output: custom JavaScript AES implementation (the stage-2 engine)

Layer 2: custom AES-256 (modified S-box)
  SBOX[0] = 0xC6 (standard: 0x63): non-standard S-box
  RCON: [0xC3, 0xC0, 0xC6, 0xCA, ...] (standard: [0x01, 0x02, 0x04, 0x08, ...])
  AES key: e9c4e4394cc714597d844e00d23ea94900c486da9480a33f324e7534ffe03106
  Because both the S-box and the round constants deviate from FIPS-197, a stock AES-256 library will not decrypt this layer even with the correct key; the tables (or the whole decrypt routine) have to be lifted from the stage-2 engine.

Layer 3: 224,672-byte decrypted PowerShell loader, hidden inside the script
  Dropped to %TEMP% with ADODB.Stream and launched via WScript.Shell.Run()
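As an added example (not code from the original analysis), the following Python decodes the layer-1 alternating XOR described above and derives the standard AES S-box and RCON table so that values pulled out of a sample can be compared against them. Which of the two keys applies at even offsets is an assumption for this example; swap them if the output is not readable JavaScript. The stage-2 fragment is constructed test input, not material from the sample.

```python
# Added example, not code from the original analysis: layer-1 XOR decoder plus
# a check that distinguishes standard AES tables from modified ones.
# Assumption: key 20 sits on even offsets and key 142 on odd offsets.
from typing import Dict, List, Sequence


def xor_alternate(data: bytes, key_even: int = 20, key_odd: int = 142) -> bytes:
    """Undo the layer-1 obfuscation: XOR with key_even at even offsets, key_odd at odd ones."""
    return bytes(b ^ (key_even if i % 2 == 0 else key_odd) for i, b in enumerate(data))


def gf_mul(a: int, b: int) -> int:
    """Multiply two elements of GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (the AES field)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def _rotl8(v: int, n: int) -> int:
    return ((v << n) | (v >> (8 - n))) & 0xFF


def standard_sbox() -> List[int]:
    """Derive the FIPS-197 S-box: multiplicative inverse, then the affine map with constant 0x63."""
    inverse = [0] * 256
    for x in range(1, 256):
        for y in range(1, 256):
            if gf_mul(x, y) == 1:
                inverse[x] = y
                break
    sbox = []
    for x in range(256):
        v = inverse[x]
        sbox.append(v ^ _rotl8(v, 1) ^ _rotl8(v, 2) ^ _rotl8(v, 3) ^ _rotl8(v, 4) ^ 0x63)
    return sbox


def standard_rcon(count: int) -> List[int]:
    """Round constants: 0x01, then doubling in GF(2^8) for each following round."""
    rcon = [0x01]
    while len(rcon) < count:
        rcon.append(gf_mul(rcon[-1], 2))
    return rcon


def classify_aes_tables(sbox_prefix: Sequence[int], rcon_prefix: Sequence[int]) -> Dict[str, bool]:
    """Compare leading S-box/RCON entries lifted from a sample with the standard tables.

    If either is non-standard, a stock AES library will not decrypt the payload and
    the sample's own tables (or its whole decrypt routine) must be reused."""
    return {
        "sbox_standard": list(sbox_prefix) == standard_sbox()[: len(sbox_prefix)],
        "rcon_standard": list(rcon_prefix) == standard_rcon(len(rcon_prefix)),
    }


# Values reported in the analysis above.
SAMPLE_SBOX_PREFIX = [0xC6]
SAMPLE_RCON_PREFIX = [0xC3, 0xC0, 0xC6, 0xCA]

# Constructed stage-2 fragment, stored the way layer 1 would store it.
STAGE2_PLAIN = b"function S(b){return SBOX[b]}"
STAGE2_OBFUSCATED = xor_alternate(STAGE2_PLAIN)

if __name__ == "__main__":
    print(xor_alternate(STAGE2_OBFUSCATED).decode())
    print(classify_aes_tables(SAMPLE_SBOX_PREFIX, SAMPLE_RCON_PREFIX))
    print(classify_aes_tables([0x63, 0x7C, 0x77], [0x01, 0x02, 0x04, 0x08]))
```

Run `classify_aes_tables` on the first few S-box bytes and RCON entries you pull from the decoded stage-2 engine; if either flag comes back False, do not waste time on pycryptodome or openssl and instead instrument the sample's own decrypt function.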

PowerShell MSBuild Hollow Loader

Target process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Assembly namespace: OmniCascade
  QuartzMediator.InvokeParallelDispatch() -> hFiber, hPipeline
  PhantomLinker.ResumeThread(hFiber) + CloseHandle(hPipeline)
  Obfuscated method names wrapping the usual hollowing sequence: create the target suspended, replace its image, resume the main thread.

ConvertFrom-Base28: custom encoding over the alphabet A-Z followed by a and b (28 symbols)
  Blob0 (162,160 chars): DLL, decrypted with AES-CBC-PKCS7
  Blob1 (54,640 chars): payload, decrypted with AES-CBC

PowerShell flags: -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass
Execution: reflective DLL loading via AppDomain.Load([byte[]])
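As an added example (not the loader's own code), the Python below decodes a 28-symbol alphabet like the one used by ConvertFrom-Base28, pulls such blobs out of a PowerShell script and checks whether their decoded length is consistent with AES-CBC ciphertext. The big-integer encoding scheme (base58-style, leading zero bytes kept as leading 'A's) is an assumption; the sample's ConvertFrom-Base28 may chunk its input differently. The blobs and loader fragment are constructed, not Blob0/Blob1 from the sample.

```python
# Added example, not from the original analysis. Assumption: base-28 is a
# big-endian big-integer encoding, with leading zero bytes encoded as 'A'.
import re
from typing import Dict, List

# Alphabet as listed in the analysis: A-Z followed by a and b.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZab"
BASE = len(ALPHABET)  # 28
AES_BLOCK = 16


def b28_encode(data: bytes) -> str:
    """Encode bytes as a big-endian base-28 number; leading zero bytes become leading ALPHABET[0]."""
    zeros = len(data) - len(data.lstrip(b"\x00"))
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, rem = divmod(n, BASE)
        digits.append(ALPHABET[rem])
    return ALPHABET[0] * zeros + "".join(reversed(digits))


def b28_decode(text: str) -> bytes:
    """Inverse of b28_encode; raises ValueError on a character outside the alphabet."""
    zeros = len(text) - len(text.lstrip(ALPHABET[0]))
    n = 0
    for ch in text:
        n = n * BASE + ALPHABET.index(ch)  # ValueError if ch is not in ALPHABET
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * zeros + body


def extract_blobs(script: str, min_chars: int = 32) -> List[str]:
    """Return every run of alphabet characters long enough to be an embedded blob."""
    return re.findall(r"[%s]{%d,}" % (ALPHABET, min_chars), script)


def triage_script(script: str) -> List[Dict[str, object]]:
    """Decode each blob and report whether it is sized like AES-CBC ciphertext."""
    report = []
    for blob in extract_blobs(script):
        raw = b28_decode(blob)
        report.append({
            "chars": len(blob),
            "bytes": len(raw),
            "aes_block_aligned": len(raw) % AES_BLOCK == 0,
        })
    return report


# Constructed stand-ins for the encrypted blobs (not the real Blob0/Blob1).
FAKE_CIPHERTEXT_0 = bytes((i * 37 + 11) & 0xFF for i in range(48))
FAKE_CIPHERTEXT_1 = bytes(range(32))  # leading zero byte exercises the padding path

# Constructed loader fragment in the shape the analysis describes.
SAMPLE_LOADER = (
    "$blob0 = ConvertFrom-Base28 '" + b28_encode(FAKE_CIPHERTEXT_0) + "'\n"
    "$blob1 = ConvertFrom-Base28 '" + b28_encode(FAKE_CIPHERTEXT_1) + "'\n"
    "[System.AppDomain]::CurrentDomain.Load($dllBytes)\n"
)

if __name__ == "__main__":
    for entry in triage_script(SAMPLE_LOADER):
        print(entry)
```

A decoded length that is not a multiple of 16 means either the encoding assumption is wrong or the blob is not raw AES-CBC output; in both cases go back to the sample's ConvertFrom-Base28 before trying the inner key.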

IOC

SHA256: 06cd8dcf6dbe90f73024d3789e6d6e63c626614da31a5c8474acac5c5a55ba5d
AES key (outer): e9c4e4394cc714597d844e00d23ea94900c486da9480a33f324e7534ffe03106
AES key 2 (inner): a863f34abe1165fc645917e31049b7b18ea06db6c032c19192b015eebaf6ce0c
Target: MSBuild.exe process hollowing
Assembly: OmniCascade.QuartzMediator / PhantomLinker

JSDropperLoader — Malware Profile

JavaScript malware dropper with 3-layer encryption: XOR(20/142) outer, custom AES-256 with modified S-BOX/RCON, then embedded PowerShell loader. Targets MSBuild.exe via process hollowing. Uses OmniCascade assembly namespace (QuartzMediator, PhantomLinker). ConvertFrom-Base28 custom encoding for embedded blobs. Execution via WScript.Shell.Run() and ADODB.Stream. Consistent with XLoader/ModiLoader/IDAT-style loaders.
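The execution chain in this profile (WScript runs the .js, which starts a hidden PowerShell that hollows MSBuild.exe) is what a detection should key on rather than the hashes. The following Python, added here as an example and not part of the original profile, scores process-creation events for that chain. The event records, PIDs and file paths are constructed; map the field names onto whatever your EDR or Sysmon Event ID 1 feed provides.

```python
# Added example, not from the original profile. Events below are constructed.
from typing import Dict, List

SUSPICIOUS_PS_FLAGS = ("-noprofile", "-noninteractive", "-windowstyle hidden", "-executionpolicy bypass")
SCRIPT_HOSTS = ("\\wscript.exe", "\\cscript.exe")


def detect_msbuild_hollow_chain(events: List[Dict[str, object]], min_score: int = 2) -> List[Dict[str, object]]:
    """Flag MSBuild.exe spawned by PowerShell; score the loader's flags and a script-host grandparent."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if not str(e["image"]).lower().endswith("\\msbuild.exe"):
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or not str(parent["image"]).lower().endswith("\\powershell.exe"):
            continue
        flags = [f for f in SUSPICIOUS_PS_FLAGS if f in str(parent["cmdline"]).lower()]
        grandparent = by_pid.get(parent["ppid"])
        from_script_host = grandparent is not None and str(grandparent["image"]).lower().endswith(SCRIPT_HOSTS)
        score = len(flags) + (2 if from_script_host else 0)
        if score >= min_score:
            hits.append({
                "msbuild_pid": e["pid"],
                "powershell_pid": parent["pid"],
                "flags": flags,
                "from_script_host": from_script_host,
                "score": score,
            })
    return hits


# Constructed process-creation events (pid, parent pid, image, command line).
SAMPLE_EVENTS = [
    {"pid": 4012, "ppid": 3300, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\user\Downloads\sample.js"},
    {"pid": 4120, "ppid": 4012, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass "
                "-File C:\\Users\\user\\AppData\\Local\\Temp\\loader.ps1"},
    {"pid": 4188, "ppid": 4120, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"},
    # Benign build started by an IDE, not by PowerShell.
    {"pid": 2200, "ppid": 1000, "image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "cmdline": "devenv.exe"},
    {"pid": 5100, "ppid": 2200, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe App.csproj /t:Build"},
    # Developer building from an interactive PowerShell: no loader flags, no script host.
    {"pid": 6000, "ppid": 1500, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe"},
    {"pid": 6010, "ppid": 6000, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe App.csproj"},
]

if __name__ == "__main__":
    for hit in detect_msbuild_hollow_chain(SAMPLE_EVENTS):
        print(hit)
```

The score threshold of 2 means a single "-ExecutionPolicy Bypass" on its own does not fire, but any PowerShell started by wscript.exe or cscript.exe that goes on to spawn MSBuild.exe does, with or without the flags.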

Malware Type
Loader
Programming Language
JavaScript/PowerShell
C2 Protocol
HTTP/custom
Target Systems
Global

Capabilities & Behavior

Payload Download
Process Injection
Modular Architecture
Credential Theft
Lateral Movement
Persistence
Anti-VM/Sandbox
Secondary Payload Delivery

IOC List (3 indicators)

IOC — JSDropperLoader
Type      Value                                                              Note
aes_key   e9c4e4394cc714597d844e00d23ea94900c486da9480a33f324e7534ffe03106   outer AES-256 key (layer 2)
aes_key   a863f34abe1165fc645917e31049b7b18ea06db6c032c19192b015eebaf6ce0c   inner AES-256 key (embedded blobs)
sha256    06cd8dcf6dbe90f73024d3789e6d6e63c626614da31a5c8474acac5c5a55ba5d   JS dropper
Tags
javascript-dropper-malware
xor-obfuscation-key-20-142
custom-aes256-nonstandard-sbox-rcon
msbuild-exe-process-hollowing
omnicascade-quarzmediator-phantomlinker-assembly
convertfrom-base28-custom-encoding
wscript-shell-run-adodb-stream
reflective-dll-loading-appdomain
aes-cbc-pkcs7-double-encrypted-payload
xloader-modiloader-idat-style-loader