Static Analysis — SWIFTJSDropper | Threat: MEDIUM

File Identity

SHA256: af743f03eb5ff44c37af97c4da33f88046831800adc390e461e15e904c23a471
Size: 354,411 bytes (ASCII JavaScript)
Name: SWIFT_Payment_Receipt_300 (financial lure)

Danish-Language Obfuscated Comments: Gootloader-Like Technique

GOOTLOADER PATTERN: JavaScript dropper obfuscated with Danish-language text!

var landsretssagfrerne = ["Startingly","Uforstaaelighedernes","Arrestment"];
var calefactories = [];
var Marve = [132,126,104,81];
//Nonconstrictive11, lifer blokkommandoerne...
//Laboursome105 tandbrstnings
//Stabilities236. universalistic
//Reflipperne92! subfile? birdlimed.

-- "landsretssagfrerne" = Danish: "the high court lawyers" (a social-engineering term)
-- "Uforstaaelighedernes" = Danish: "of the disagreements"
-- A large number of Danish comment lines: makes analysis of the code harder
-- Gootloader technical characteristics:
  1. Compromise of legitimate sites + Google SEO poisoning
  2. JS file download lure ("SWIFT receipt", "contract")
  3. Two-layer obfuscation
  4. PowerShell/cmd execution via WScript.Shell

Marve = [132,126,104,81]: Encoded Payload

var Marve = [132,126,104,81];

-- [132, 126, 104, 81] = 4 values:
  Close to ASCII values, but not standard
  Probably an XOR key or a payload-decode parameter
  Or a base character offset: 132-97=35, 126-97=29...
-- "calefactories = []" is an empty array: payload is loaded at runtime
-- calefactories + Marve = XOR or RC4 decrypt routine
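A defender-side triage heuristic, added here as an example and not part of the original analysis: it scores a JavaScript text for the traits described in the two sections above (word-plus-number comment lines, an array of dictionary-word strings, a short small-integer array such as Marve, and an empty array filled at runtime). The sample input is a constructed reproduction of the fragment quoted above, the benign control is constructed, and the weights and the 0.3 comment-ratio threshold are assumptions, not values from the report.

```python
import re

# Constructed sample: the fragment quoted in this report, not the full dropper.
SAMPLE_JS = """var landsretssagfrerne = ["Startingly","Uforstaaelighedernes","Arrestment"];
var calefactories = [];
var Marve = [132,126,104,81];
//Nonconstrictive11, lifer blokkommandoerne...
//Laboursome105 tandbrstnings
//Stabilities236. universalistic
//Reflipperne92! subfile? birdlimed.
"""

# Constructed benign control: an ordinary commented loop.
BENIGN_JS = """var total = 0;
for (var i = 0; i < 10; i++) { total += i; }
// sum the first ten integers
"""

# Comment line that starts with a bare dictionary word glued to a number (Laboursome105).
COMMENT_RE = re.compile(r"^\s*//([A-Za-z]+)(\d+)\b", re.MULTILINE)
# Array literal holding two or more quoted alphabetic words.
WORD_ARRAY_RE = re.compile(r'var\s+(\w+)\s*=\s*\[\s*(?:"[A-Za-z]+"\s*,?\s*){2,}\]')
# Short array of 1-3 digit integers (possible key or decode parameter).
INT_ARRAY_RE = re.compile(r"var\s+(\w+)\s*=\s*\[\s*(?:\d{1,3}\s*,\s*)+\d{1,3}\s*\]")
# Empty array declared up front, to be populated at runtime.
EMPTY_ARRAY_RE = re.compile(r"var\s+(\w+)\s*=\s*\[\s*\]")


def score_gootloader_style(js: str) -> dict:
    """Return per-trait findings plus an assumed weighted score and verdict."""
    lines = [ln for ln in js.splitlines() if ln.strip()]
    comment_hits = COMMENT_RE.findall(js)
    comment_ratio = len(comment_hits) / max(len(lines), 1)
    word_arrays = [m.group(1) for m in WORD_ARRAY_RE.finditer(js)]
    int_arrays = [m.group(1) for m in INT_ARRAY_RE.finditer(js)]
    empty_arrays = EMPTY_ARRAY_RE.findall(js)
    # Each trait is weak on its own; the combination is what the report describes.
    score = 0
    score += 2 if comment_ratio >= 0.3 else 0
    score += 1 if word_arrays else 0
    score += 1 if int_arrays else 0
    score += 1 if empty_arrays else 0
    return {
        "word_digit_comment_lines": len(comment_hits),
        "comment_ratio": round(comment_ratio, 3),
        "word_arrays": word_arrays,
        "int_arrays": int_arrays,
        "empty_arrays": empty_arrays,
        "score": score,
        "verdict": "suspicious" if score >= 4 else "clean",
    }
```

Run it over a corpus of inbound .js attachments and review only files whose verdict is "suspicious"; the traits are heuristics, so a match is a triage signal, not a conviction.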

SWIFT Payment Receipt Lure

"SWIFT_Payment_Receipt_300"

-- SWIFT = Society for Worldwide Interbank Financial Telecommunication
-- Presented as a corporate bank transfer document
-- Targets: accounting, finance and CFO staff
-- "300" is probably a reference number (FI reference)
-- Danish language: targets Northern European financial institutions
-- Usually delivered as an e-mail attachment or an SEO-poisoning link

IOC

SHA256: af743f03eb5ff44c37af97c4da33f88046831800adc390e461e15e904c23a471
Lure: SWIFT_Payment_Receipt_300
Technique: Danish-language obfuscation, Gootloader-like JS

SWIFTJSDropper — Malware Profile

Danish-language obfuscated JavaScript dropper. SWIFT Payment Receipt financial lure. Gootloader-like technique. Marve=[132,126,104,81] encoded payload. landsretssagfrerne, Uforstaaelighedernes Danish deception strings. WScript.Shell delivery.

Malware Type
Other
Programming Language
JavaScript
C2 Protocol
HTTP/WScript
Target Systems
Northern Europe/Global

Capabilities & Behavior

Malicious Activity
Persistence Mechanism
C2 Communication
Anti-Analysis

IOC List (1 indicator)

IOC — SWIFTJSDropper
Type | Value | Note
sha256 | af743f03eb5ff44c37af97c4da33f88046831800adc390e461e15e904c23a471 |
Tags
swiftjsdropper, swift-js-dropper, swift-payment-receipt-financial-lure-300, danish-obfuscated-comments-gootloader-pattern, marve-array-132-126-104-81-encoded-payload, landsretssagfrerne-uforstaaelighedernes-danish-deception-strings, javascript-dropper-ascii-text, heavily-obfuscated-wscript-jscript-payload