JSDropperLoader

JavaScript malware dropper with 3-layer encryption: XOR(20/142) outer, custom AES-256 with modified S-BOX/RCON, then embedded PowerShell loader. Targets MSBuild.exe via process hollowing. Uses OmniCascade assembly namespace (QuartzMediator, PhantomLinker). ConvertFrom-Base28 custom encoding for embedded blobs. Execution via WScript.Shell.Run() and ADODB.Stream. Consistent with XLoader/ModiLoader/IDAT-style loaders.

Tehdit Profili
Tür Loader
Yazılım DiliJavaScript/PowerShell
C2 ProtokolüHTTP/custom
İlk Görülme2024
Hedef Kitle Kuresel
Amaç / Yetenekler
  • Loader/Dropper/Process Hollow
Bu aile için henüz C2 sunucusu tespit edilmemiştir.

Araştırma Raporları (1)

Kritik

JSDropper 06cd8dcf -- XOR Custom AES-256 Modified SBOX PowerShell MSBuild Hollow OmniCascade QuartzMediator WScript ADODB ConvertFrom-Base28 XLoader ModiLoader | Kritik

JSDropper 06cd8dcf JS 804KB. 3 katman: XOR + Ozel AES-256 (degis SBOX) + PSLoader. MSBuild.exe hollow. OmniCascade assembly. WScript.Shell.Run ADODB.Stream.

Raporu Oku →