0bc60a0e11587e0a20fbd34f0fab12cc989abb6355bce40f5682608b5f5b60e7
Build / RE
Language / format: JavaScript for Windows Script Host. Single-line, 73 KB ASCII text. ^[file.txt] ^[exiftool.json]
Obfuscator: javascript-obfuscator npm package (or a derivative). Observable fingerprints:
- String-array function `B()` holding ~1019 base64-like elements. ^[strings.txt:1]
- Custom `v(g,e)` decoder combining base64 decode (charCodeAt/fromCharCode) with an RC4-like XOR loop keyed by a salt string passed as the second argument. ^[strings.txt:1]
- Control-flow flattening via pipe-delimited dispatch constants (e.g. `'4|3|1|2|0'` and `'7|4|2|0|5|3|1|6'`) fed into `switch` / `while(!![])` loops. ^[strings.txt:1]
- Dead-code injection: every meaningful call is wrapped in a redundant local function alias (`e3`, `e4`, `e5`, `e6`, `e7`, `e8`, `e9`, `eg`) with randomised variable names. ^[strings.txt:1]
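The decoder step above, as an added example that is not code from the sample: a Python mirror of a base64-then-RC4 string-array decoder plus a resolver that rewrites `v(index, salt)` calls into plain literals so the control-flow-flattened script can be read. The layout (standard base64 alphabet, RC4 key = the salt argument, UTF-8 plaintext), the constructed array, and the names `v`, `CALL_RE`, `resolve_calls` are assumptions; the real `v(g,e)` may use a custom base64 alphabet or an extra percent-decoding pass, so verify against the sample before trusting its output.

```python
import base64
import json
import re

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA XOR). Encryption and decryption are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def decode_entry(entry: str, salt: str) -> str:
    """Assumed mirror of v(g, e): base64-decode the array element, then RC4 with the salt."""
    raw = base64.b64decode(entry + "=" * (-len(entry) % 4))
    return rc4(salt.encode(), raw).decode("utf-8", errors="replace")

def encode_entry(plaintext: str, salt: str) -> str:
    """Inverse of decode_entry, used only to build the constructed array below."""
    return base64.b64encode(rc4(salt.encode(), plaintext.encode())).decode().rstrip("=")

# Hypothetical call shape: v(<index>, '<salt>') with a hex or decimal index.
CALL_RE = re.compile(r"\bv\(\s*(0x[0-9a-fA-F]+|\d+)\s*,\s*'([^']*)'\s*\)")

def resolve_calls(script: str, string_array: list) -> str:
    """Replace every v(index, salt) call with the decoded string as a JSON literal."""
    def sub(m):
        idx = int(m.group(1), 0)
        return json.dumps(decode_entry(string_array[idx], m.group(2)))
    return CALL_RE.sub(sub, script)

# Constructed sample, not the real B() array: built with encode_entry so the
# expected output is known. Each entry gets its own salt, as with per-call keying.
PLAIN = ["WScript.Shell", "CreateShortcut", "TargetPath", "powershell.exe"]
SALTS = ["k1", "k2", "k3", "k4"]
STRING_ARRAY = [encode_entry(p, s) for p, s in zip(PLAIN, SALTS)]
SAMPLE_SCRIPT = "var sh = new ActiveXObject(v(0x0, 'k1')); var lnk = sh[v(1, 'k2')](p); lnk[v(0x2, 'k3')] = v(3, 'k4');"

if __name__ == "__main__":
    print(resolve_calls(SAMPLE_SCRIPT, STRING_ARRAY))
```

Run against the real sample, swap in the extracted array and the actual decoder name; a wrong base64 alphabet shows up immediately as replacement characters in the output.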
Anti-analysis: Self-defending anti-debug trap embedded inside `v(g,e)` — a prototype-polluter constructor `j` checks whether `this['DuDuId'].toString()` matches a hardcoded regex (`\x5cw+\x20*\x5c(\x5c)\x20*{\x5cw+\x20* + [\x27|\x22].+[\x27|\x22];?\x20*}`); on mismatch it decrements a counter and recurses. This is the stock javascript-obfuscator self-defend / anti-tamper option. ^[strings.txt:1, offset 71500–73839]
Code quality: Low once de-obfuscated. The ~2250 unique plain string literals are mostly noise; actual payload logic reduces to a download cradle, a .lnk drop, and a powershell.exe invocation.
Signing / embedded resources: None. Script is pure text; payload is fetched remotely.
Deploy / ATT&CK
| Tactic | Technique | Evidence |
|---|---|---|
| Initial Access | T1204.002 (Malicious File) | Invoice-themed filename Order-June-ref225265496pdf.js ^[triage.json] |
| Execution | T1059.005 (Visual Basic / JScript) | WScript / CScript .js dropper. ^[file.txt] |
| Execution | T1059.001 (PowerShell) | Command literal: powershell.exe -nop -ep bypass -file "%TEMP%\update.ps1" ^[strings.txt:1] |
| Persistence | T1547.009 (Shortcut Modification) | References .lnk, CreateShortcut, TargetPath, and Hidden — indicates an LNK written to a SpecialFolder (likely Startup) pointing at the staged payload. ^[strings.txt:1] |
| Defense Evasion | T1027 (Obfuscated Files or Information) | Heavy javascript-obfuscator control-flow flattening + RC4 string-array encryption. ^[strings.txt:1] |
| Command & Control | T1071.001 (Web Protocols) | HTTPS fetch to https://itegroup.sbs/account/sat/update.ps1. ^[strings.txt:1] |
C2 / Infrastructure: itegroup.sbs — single observed URL, no backup IPs or DGA hints recovered statically.
Attribution: None. Linguistic clues are absent; content is limited to English obfuscator noise. The .sbs TLD is cheap/generic. No code-family overlap with the corpus:
- [spamita](/intel/families/spamita.html) uses a three-stage JS→RC4-PS→XOR→.NET chain with an `aspnet_compiler` sandbox gate.
- [unclassified-js-dropper](/intel/families/unclassified-js-dropper.html) is a Portuguese-language WScript→PowerShell→.NET cluster that beacons to HostGator reseller subdomains.
This sample is a simpler two-stage JS→PowerShell chain with no .NET stage and no sandbox gate.
Confidence
Family: itegroup-sbs-dropper (medium confidence) — observable build pattern (javascript-obfuscator) and unique C2 domain separate it from other JS dropper clusters in the corpus.