Static Analysis — SWIFTJSDropper | Threat: MEDIUM
File Identity
| Field | Value |
|---|---|
| SHA256 | af743f03eb5ff44c37af97c4da33f88046831800adc390e461e15e904c23a471 |
| Size | 354,411 bytes (ASCII JavaScript) |
| Name | SWIFT_Payment_Receipt_300 (financial lure) |
Danish-Language Obfuscated Comments: Gootloader-Like Technique
GOOTLOADER PATTERN: JavaScript dropper obfuscated with Danish-language text!

```javascript
var landsretssagfrerne = ["Startingly","Uforstaaelighedernes","Arrestment"];
var calefactories = [];
var Marve = [132,126,104,81];
//Nonconstrictive11, lifer blokkommandoerne...
//Laboursome105 tandbrstnings
//Stabilities236. universalistic
//Reflipperne92! subfile? birdlimed.
```

-- "landsretssagfrerne" = Danish: "high court lawyers" (social engineering term)
-- "Uforstaaelighedernes" = Danish: "of the disputes"
-- Large number of Danish comment lines: makes analysis of the code harder
-- Gootloader technical characteristics:
 1. Compromise of legitimate sites + Google SEO poisoning
 2. JS file download lure ("SWIFT receipt", "contract")
 3. Two-layer obfuscation
 4. PowerShell/cmd execution via WScript.Shell
Marve = [132,126,104,81]: Encoded Payload
```javascript
var Marve = [132,126,104,81];
```

-- [132, 126, 104, 81] = 4 values:
 Close to ASCII values but not standard
 Probably an XOR key or a payload decode parameter
 Or a base character offset: 132-97=35, 126-97=29...
-- "calefactories = []" empty array: payload loaded at runtime
-- calefactories + Marve = XOR or RC4 decryption routine
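As an added triage example (not code from the original report): a Python heuristic that scores a JavaScript file for the traits discussed above (comment padding, a small-integer array that could serve as a key or offset table, an empty runtime array, and the WScript.Shell primitive), run over the fragment quoted on this page. The thresholds and scoring weights are assumptions.

```python
import re

# Constructed sample: the dropper fragment quoted in the analysis above.
SAMPLE_JS = r"""var landsretssagfrerne = ["Startingly","Uforstaaelighedernes","Arrestment"];
var calefactories = [];
var Marve = [132,126,104,81];
//Nonconstrictive11, lifer blokkommandoerne...
//Laboursome105 tandbrstnings
//Stabilities236. universalistic
//Reflipperne92! subfile? birdlimed.
"""

# var NAME = [int, int, ...]  (candidate key / offset table)
INT_ARRAY_RE = re.compile(r"var\s+(\w+)\s*=\s*\[\s*(\d+(?:\s*,\s*\d+)*)\s*\]")
# var NAME = []  (filled at runtime)
EMPTY_ARRAY_RE = re.compile(r"var\s+(\w+)\s*=\s*\[\s*\]")


def triage_js(source: str) -> dict:
    """Score JavaScript for the traits noted above: heavy comment padding,
    a small-integer array (possible XOR key/offset), an empty runtime array,
    and the WScript.Shell primitive. Thresholds are assumed, not from the report."""
    lines = [ln for ln in source.splitlines() if ln.strip()]
    comment_lines = [ln for ln in lines if ln.lstrip().startswith("//")]
    comment_ratio = len(comment_lines) / len(lines) if lines else 0.0
    int_arrays = {name: [int(v) for v in vals.split(",")]
                  for name, vals in INT_ARRAY_RE.findall(source)}
    empty_arrays = EMPTY_ARRAY_RE.findall(source)
    wscript = "WScript.Shell" in source
    score = 0
    if comment_ratio >= 0.5:   # more comment lines than code is unusual
        score += 2
    if int_arrays:             # key-like constant table
        score += 1
    if empty_arrays:           # staged payload buffer
        score += 1
    if wscript:                # execution primitive named in the report
        score += 2
    return {
        "comment_ratio": round(comment_ratio, 2),
        "int_arrays": int_arrays,
        "empty_arrays": empty_arrays,
        "wscript_shell": wscript,
        "score": score,
        "verdict": "suspicious" if score >= 3 else "low",
    }
```

On the quoted fragment the heuristic reports Marve as the only integer array, calefactories as the only empty array, and no WScript.Shell string (the fragment does not include the execution stage the report describes).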
SWIFT Payment Receipt Lure
"SWIFT_Payment_Receipt_300"

-- SWIFT = Society for Worldwide Interbank Financial Telecommunication
-- Presented as a corporate bank transfer document
-- Target: accounting, finance and CFO staff
-- "300" is probably a reference number (FI reference)
-- Danish language: targets Northern European financial institutions
-- Usually delivered as an e-mail attachment or an SEO-poisoning link
IOC
| Indicator | Value |
|---|---|
| SHA256 | af743f03eb5ff44c37af97c4da33f88046831800adc390e461e15e904c23a471 |
| Lure | SWIFT_Payment_Receipt_300 |
| Technique | Danish-language obfuscation, Gootloader-like JS |
SWIFTJSDropper — Malware Profile
Danish-language obfuscated JavaScript dropper. SWIFT Payment Receipt financial lure. Gootloader-like technique. Marve=[132,126,104,81] encoded payload. landsretssagfrerne, Uforstaaelighedernes Danish deception strings. WScript.Shell delivery.
Malware Type
Other
Programming Language
JavaScript
C2 Protocol
HTTP/WScript
Target Systems
Northern Europe/Global
Capabilities & Behavior
Malware Activity
Persistence Mechanism
C2 Communication
Anti-Analysis
IOC List (1 indicator)
IOC — SWIFTJSDropper
# SHA256
af743f03eb5ff44c37af97c4da33f88046831800adc390e461e15e904c23a471
| Type | Value | Note |
|---|---|---|
| sha256 | af743f03eb5ff44c37af97c4da33f88046831800adc390e461e15e904c23a471 | |