Deep Analysis - JS Dropper / MSBuild Hollow | Threat: CRITICAL
File Identity
| Field | Value |
|---|---|
| SHA256 | 06cd8dcf6dbe90f73024d3789e6d6e63c626614da31a5c8474acac5c5a55ba5d |
| Size | 824,918 bytes (804 KB) -- single line, no line terminator |
| Type | JavaScript malware (executed via WScript) |
3-Layer Encrypted Obfuscation
CRITICAL: Three-layer encryption: XOR + custom AES-256 + PowerShell loader

Layer 1 -- XOR obfuscation (keys: 20 / 142)
  5952-element byte array, alternating XOR key at odd/even positions
  Output: custom JS AES implementation (Stage-2 engine)

Layer 2 -- Custom AES-256 (modified S-BOX)
  SBOX[0]=0xC6 (standard: 0x63) -- non-standard S-box
  RCON: [0xC3,0xC0,0xC6,0xCA,...] (standard: [0x01,0x02,0x04,0x08,...])
  AES key: e9c4e4394cc714597d844e00d23ea94900c486da9480a33f324e7534ffe03106

Layer 3 -- 224,672-byte decrypted hidden PowerShell loader
  Written to %TEMP% via WScript.Shell.Run() + ADODB.Stream
PowerShell MSBuild Hollow Loader
Target process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Assembly namespace: OmniCascade
  QuartzMediator.InvokeParallelDispatch() -> hFiber, hPipeline
  PhantomLinker.ResumeThread(hFiber) + CloseHandle(hPipeline)

ConvertFrom-Base28 -- custom encoding with the alphabet ABCDEFGHIJKLMNOPQRSTUVWXYZ ab
  Blob0 (162,160 chars): decrypted DLL (AES-CBC-PKCS7)
  Blob1 (54,640 chars): decrypted payload (AES-CBC)

PS flags: -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass
Execution: AppDomain.Load([byte[]]) reflective DLL loading
IOC
| Indicator | Value |
|---|---|
| SHA256 | 06cd8dcf6dbe90f73024d3789e6d6e63c626614da31a5c8474acac5c5a55ba5d |
| AES Key (outer) | e9c4e4394cc714597d844e00d23ea94900c486da9480a33f324e7534ffe03106 |
| AES Key2 (inner) | a863f34abe1165fc645917e31049b7b18ea06db6c032c19192b015eebaf6ce0c |
| Target | MSBuild.exe process hollowing |
| Assembly | OmniCascade.QuartzMediator / PhantomLinker |
JSDropperLoader — Malware Profile
JavaScript malware dropper with 3-layer encryption: XOR(20/142) outer, custom AES-256 with modified S-BOX/RCON, then embedded PowerShell loader. Targets MSBuild.exe via process hollowing. Uses OmniCascade assembly namespace (QuartzMediator, PhantomLinker). ConvertFrom-Base28 custom encoding for embedded blobs. Execution via WScript.Shell.Run() and ADODB.Stream. Consistent with XLoader/ModiLoader/IDAT-style loaders.
Malware Type
Loader
Programming Language
JavaScript/PowerShell
C2 Protocol
HTTP/custom
Target Systems
Global
Capabilities & Behavior
Payload Download
Process Injection
Modular Architecture
Credential Theft
Lateral Movement
Persistence
Anti-VM/Sandbox
Secondary Payload Delivery
IOC List (3 indicators)
IOC — JSDropperLoader
| Type | Value | Note |
|---|---|---|
| AES key (outer) | e9c4e4394cc714597d844e00d23ea94900c486da9480a33f324e7534ffe03106 | Layer 2 custom AES-256 key |
| AES key (inner) | a863f34abe1165fc645917e31049b7b18ea06db6c032c19192b015eebaf6ce0c | Inner AES-CBC key for embedded blobs |
| sha256 | 06cd8dcf6dbe90f73024d3789e6d6e63c626614da31a5c8474acac5c5a55ba5d | Dropper file hash |