SHA-256: 129ef9250b91767463dc5d219be2db7f389a5bb7e72dc2d41cbd9fdbeca20941

spamita: 129ef925 — Italian-themed JS dropper, three-stage obfuscation (JS→PS→XOR→.NET in-memory)

Executive Summary

A 3.1 MB heavily obfuscated JavaScript dropper (Invio proforma.js) targeting Italian-speaking users via invoice-themed spam. It embeds a base64-encoded PowerShell stage that RC4-decrypts a second PowerShell stage, which in turn XOR-decrypts a .NET assembly (key: SKIDO56@@fhsdgh) and loads it reflectively with System.Reflection.Assembly::Load. Anti-analysis consists of a process-name check for aspnet_compiler before payload execution.

What It Is

| Field | Value |
| --- | --- |
| SHA-256 | 129ef9250b91767463dc5d219be2db7f389a5bb7e72dc2d41cbd9fdbeca20941 |
| File name | Invio proforma.js (Italian: "Sending proforma invoice") |
| Size | 3,110,767 bytes ^[file.txt] |
| File type | JavaScript source, ASCII text, with very long lines (65,536), with no line terminators ^[file.txt] |
| Family | spamita (OpenCTI label spam-ita) ^[triage.json] |
| Dynamic | Not detonated — CAPE skipped: unsupported binary class (JS source) ^[dynamic-analysis.md] |

How It Works

  1. Delivery context — The file name and spam-ita label indicate Italian-language spam lures, likely delivered as an email attachment masquerading as a business document. ^[triage.json]

  2. Stage 1: JavaScript obfuscation — The script is obfuscated with a commercial-grade JavaScript obfuscator (string-array lookup table, dead-code injection, control-flow flattening via IIFE wrappers, and hex-offset string references like hq(0x2b,'MG9x')). ^[strings.txt]

  3. Stage 2: PowerShell bootstrap — The JS defines PayloadProcessor.baseString, a ~3.06 MB base64 block. When decoded, it yields a PowerShell script titled "RC4 Decryption Utility (HEX Version)" that contains:

     • $cipherData — a large hex-encoded ciphertext block (~1.1 MB when decoded)
     • $rc4Key — a 32-byte RC4 key (83d8989003cc67653c2dbcf98c0d9cbdaeeb5664dc6c32dbbcba435880e703c4)
     • RC4 KSA+PRGA routine → decrypts to another PowerShell payload

  4. Stage 3: XOR-decrypt + in-memory assembly — The decrypted PowerShell payload contains:

     • XOR decryption function Decrypt-XORContent using key SKIDO56@@fhsdgh
     • Invoke-InMemoryAssembly — reflectively loads a .NET assembly from a byte array via [System.Reflection.Assembly]::Load($AssemblyData), then invokes a static method by name ^[decrypted payload analysis]
     • Confirm-ProcessMissing / Start-ContinuousMonitoring — watches for the process aspnet_compiler; if the process is absent, it proceeds to decrypt and execute the embedded payload

  5. Anti-analysis / sandbox evasion — The aspnet_compiler check is a behavioural gate: many sandboxes do not spawn this process, so the malware waits or aborts in automated environments. ^[decrypted payload analysis]
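An analyst-side unpacker for the two cryptographic layers described above (stage 2 RC4, stage 3 XOR), added here as an example and not code from the original report. It assumes the stage-2 script carries `$rc4Key` and `$cipherData` as hex string literals (as the report describes) and that Decrypt-XORContent is a plain repeating-key XOR, which the report does not confirm; the stage-2 and stage-3 inputs used for testing are constructed, not taken from the sample.

```python
import re

# Key material as reported in the analysis: the RC4 key is given as hex, the XOR key as ASCII.
RC4_KEY_HEX = "83d8989003cc67653c2dbcf98c0d9cbdaeeb5664dc6c32dbbcba435880e703c4"
XOR_KEY = b"SKIDO56@@fhsdgh"

def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4 (KSA then PRGA). Encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                          # pseudo-random generation, XORed with input
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_repeating(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; ASSUMED to be what Decrypt-XORContent implements (not confirmed by the report)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def unpack_stage2(ps_text: str) -> bytes:
    """Pull the $rc4Key and $cipherData hex literals out of the stage-2 script and RC4-decrypt them."""
    key_hex = re.search(r'\$rc4Key\s*=\s*["\']([0-9a-fA-F]+)["\']', ps_text).group(1)
    ct_hex = re.search(r'\$cipherData\s*=\s*["\']([0-9a-fA-F]+)["\']', ps_text).group(1)
    return rc4(bytes.fromhex(key_hex), bytes.fromhex(ct_hex))

def unpack_stage3_blob(blob: bytes) -> bytes:
    """XOR-decrypt an already-isolated stage-3 blob with the reported key."""
    return xor_repeating(XOR_KEY, blob)

def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check: a correct key/offset should yield an MZ header, garbage means try again."""
    return data[:2] == b"MZ"

def build_constructed_stage2(stage3_text: str) -> str:
    """CONSTRUCTED stand-in for the stage-2 script layout (hex literals in $cipherData/$rc4Key), test use only."""
    ct = rc4(bytes.fromhex(RC4_KEY_HEX), stage3_text.encode())
    return ("# RC4 Decryption Utility (HEX Version)\n"
            f'$cipherData = "{ct.hex()}"\n'
            f'$rc4Key = "{RC4_KEY_HEX}"\n')
```

Run unpack_stage2 over the base64-decoded baseString to recover the stage-3 script, then unpack_stage3_blob over the byte array that Decrypt-XORContent is handed; looks_like_pe tells you quickly whether the XOR assumption held.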

C2 Infrastructure

No network IOCs were recovered from static analysis. The payload is runtime-decrypted and loaded in-memory; C2 configuration likely lives inside the final .NET assembly, which was not available for extraction statically. Marked as C2 runtime-resolved / payload-embedded.

Interesting Tidbits

  • Triple-layer encryption: JS obfuscation → RC4-encrypted PowerShell → XOR-encrypted .NET assembly. Each layer uses a different key/algorithm, suggesting deliberate effort to defeat automated string extraction and sandbox detonation. ^[decrypted payload analysis]
  • Italian targeting: The file name Invio proforma.js and spam-ita OpenCTI label point to Italian-language spam campaigns. "Proforma" is a common business term in Italian commerce, making the lure credible. ^[triage.json]
  • ASP.NET process masquerade: Checking for aspnet_compiler (a legitimate .NET build tool) gives the malware a process-list signal; absence suggests non-production / sandbox environment. ^[decrypted payload analysis]
  • Obfuscator fingerprint: The JS uses a string-array (y()) with base64-like strings (e.g. WRr5W5BdQCk4W4e) and a dispatcher function j(d,N) with charCodeAt/fromCharCode and a custom base64 decoder. Pattern matches javascript-obfuscator (npm) default output. ^[strings.txt]
  • PowerShell opsec: The PS payload includes NoProfile and ExecutionPolicy bypass strings mixed into the obfuscated JS string table, though the final execution appears to happen via WScript.Shell, not direct powershell.exe invocation — a subtle redirection. ^[decrypted payload analysis]

How To Mess With It (Homelab Replication)

  1. Reproduce the JS obfuscation: Take a benign PowerShell script, base64-encode it, feed it to javascript-obfuscator (npm) with stringArray: true, controlFlowFlattening: true, deadCodeInjection: true. Embed the output as baseString inside a JS wrapper that calls WScript.Shell.
  2. Reproduce the RC4 layer: Use the KSA+PRGA routine from the sample (standard RC4) with a 32-byte key to wrap the second PowerShell stage.
  3. Reproduce the XOR + in-memory load: XOR a compiled C# assembly with key SKIDO56@@fhsdgh, base64-encode it, and have PowerShell decrypt + [System.Reflection.Assembly]::Load() + GetType("Namespace.Class").GetMethod("Run").Invoke(null, $args).
  4. Verification: Running the reproducer should produce a WScript process that spawns a child PowerShell process (or loads inline) and the assembly executes without touching disk.

Deployable Signatures

YARA Rule

```yara
rule spamita_js_stage_2026 {
    meta:
        description = "Spamita JS dropper with embedded RC4 PowerShell payload"
        author = "PacketPursuit"
        date = "2026-05-30"
        sha256 = "129ef9250b91767463dc5d219be2db7f389a5bb7e72dc2d41cbd9fdbeca20941"
    strings:
        $a1 = "PayloadProcessor" ascii wide
        $a2 = "baseString" ascii wide
        $a3 = "WScript.Shell" ascii wide nocase
        $a4 = "ActiveXObject" ascii wide nocase
        $a5 = /function\s+\w+\s*\(\s*\w+\s*,\s*\w+\s*\)\s*\{\s*var\s+\w+\s*=\s*\w+\(\)\s*;\s*var\s+\w+\s*=\s*\w+\[\w+\]/
        $a6 = "charCodeAt" ascii wide
        $a7 = "fromCharCode" ascii wide
        $b1 = "RC4 Decryption Utility" ascii wide
        $b2 = "$cipherData" ascii wide
        $b3 = "$rc4Key" ascii wide
        $b4 = "Decrypt-XORContent" ascii wide
        $b5 = "Invoke-InMemoryAssembly" ascii wide
        $b6 = "SKIDO56@@fhsdgh" ascii wide
        $b7 = "aspnet_compiler" ascii wide
        $b8 = "System.Reflection.Assembly" ascii wide
    condition:
        filesize > 1MB and filesize < 5MB and
        (3 of ($a*) or 2 of ($b*)) and
        any of ($b*)
}
```

Sigma Rule

```yaml
title: Spamita JS Dropper Execution Chain
status: experimental
description: Detects the Spamita multi-stage loader chain from JS to PowerShell to in-memory .NET assembly.
logsource:
    product: windows
    category: process_creation
detection:
    selection_js:
        CommandLine|contains:
            - "Invio proforma"
            - "Base64Decode"
            - "WScript.Shell"
    selection_ps:
        CommandLine|contains|all:
            - "Decrypt-XORContent"
            - "Invoke-InMemoryAssembly"
            - "SKIDO56"
    selection_refl:
        CommandLine|contains:
            - "[System.Reflection.Assembly]::Load"
            - "GetType("
            - "Invoke"
    filter_legit:
        Image|endswith:
            - "\\powershell_ise.exe"
            - "\\powershell.exe"
    condition: selection_js or selection_ps or (selection_refl and not filter_legit)
falsepositives:
    - Penetration testing or red-team tools using similar reflective loading techniques
level: high
```
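To check what the Sigma condition actually fires on before deploying it, here is the rule's boolean logic replayed over a handful of constructed process_creation events (added example, not part of the original report; the events are made up, not real telemetry). Note that, as written, filter_legit excludes the very PowerShell hosts that would run the reflective load, so the selection_refl branch only fires for other images; the third event below shows that.

```python
# Constructed process_creation events (not real telemetry): one per rule branch plus a benign control.
EVENTS = [
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe "C:\Users\user\Downloads\Invio proforma.js"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -c \"function Decrypt-XORContent {}; "
                    "function Invoke-InMemoryAssembly {}; $k = 'SKIDO56'\""},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -c \"[System.Reflection.Assembly]::Load($b)"
                    ".GetType('T').GetMethod('Run').Invoke($null, $null)\""},
    {"Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe readme.txt"},
]

def _contains_any(hay: str, needles) -> bool:
    # Sigma string modifiers are case-insensitive by default.
    hay = hay.lower()
    return any(n.lower() in hay for n in needles)

def _contains_all(hay: str, needles) -> bool:
    hay = hay.lower()
    return all(n.lower() in hay for n in needles)

def matches_spamita_chain(ev: dict) -> bool:
    """Same selections and condition as the Sigma rule above, one event at a time."""
    cl, img = ev["CommandLine"], ev["Image"].lower()
    selection_js = _contains_any(cl, ["Invio proforma", "Base64Decode", "WScript.Shell"])
    selection_ps = _contains_all(cl, ["Decrypt-XORContent", "Invoke-InMemoryAssembly", "SKIDO56"])
    selection_refl = _contains_any(cl, ["[System.Reflection.Assembly]::Load", "GetType(", "Invoke"])
    filter_legit = img.endswith(("\\powershell_ise.exe", "\\powershell.exe"))
    return selection_js or selection_ps or (selection_refl and not filter_legit)

def evaluate(events) -> list:
    """Verdict per event, in input order."""
    return [matches_spamita_chain(e) for e in events]
```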

IOC List

| Indicator | Type | Context |
| --- | --- | --- |
| 129ef9250b91767463dc5d219be2db7f389a5bb7e72dc2d41cbd9fdbeca20941 | SHA-256 | JS dropper |
| Invio proforma.js | Filename | Lure document |
| SKIDO56@@fhsdgh | XOR key | Stage-3 payload decryption |
| aspnet_compiler | Process name | Anti-analysis / sandbox evasion gate |
| Decrypt-XORContent | Function name | PowerShell stage |
| Invoke-InMemoryAssembly | Function name | PowerShell stage |
| PayloadProcessor | JS object | Obfuscated JS stage |

Behavioral Fingerprint Statement

This threat begins as a heavily obfuscated JavaScript file (often Invio proforma.js) that, when executed by WScript, decodes an embedded base64 PowerShell payload. The PowerShell script decrypts a second stage via RC4, then XOR-decrypts a .NET assembly with the hardcoded key SKIDO56@@fhsdgh. Before execution, it checks the process list for aspnet_compiler; if absent, it proceeds to load the assembly reflectively via System.Reflection.Assembly::Load and invoke an entry-point static method. No files are written to disk after the initial JS execution.

References

Provenance

  • Static analysis performed on 2026-05-30 using the built-in triage artifacts (file.txt, strings.txt, triage.json) and manual decryption of the embedded RC4→XOR payload chain. CAPE detonation was skipped because the sample is a JS source file, not a Windows PE. All dynamic behaviour claims are inferred from decrypted content and marked accordingly.