SHA-256: 59cbfe5c50516d9c4c4ebca140b239f7ae9088fd9a859d526ed67a46218ff790
Build / RE
JScript for Windows Script Host. Plain-text file; CAPE declined because it is not a PE. ^[file.txt]
Obfuscation is manual and heavy:
- ~4.7 MB of string fragments concatenated into `this.EFNVXJYPEVUVOALX` via 1,100+ `+=` statements; each fragment is interleaved with Unicode CJK and emoji noise strings. ^[strings.txt:1]
- String resolution through a runtime array: `_0xd0976c(...)`, `_0x7b0387(...)`, and `EFNVXJYPEVUVOALXI(...)` map hex-arithmetic expressions to payload strings. ^[stub]
- Anti-debug dead function containing `new RegExp('(((.+)+)+)+$')`, a catastrophic-backtracking trap for naive debuggers. ^[stub]
- No commercial packer or compiler signature.
Notable functions:
- `EFNVXJYPEVUVOALXI` — string-array resolver, invoked with hex literals throughout.
- Dead functions `_0x2d9c` and `_0x177b19` — recursion traps that branch on runtime state.
Deploy / ATT&CK
Static-only; CAPE skipped (Unicode text, not a supported binary class). ^[dynamic-analysis.md]
| Tactic | Technique | Evidence |
|---|---|---|
| Execution | T1059.005 | JScript WScript host. ^[file.txt] |
| Execution | T1059.001 | WScript.Shell.Run() invocation. ^[stub] |
| Defense Evasion | T1027.002 | Hex-arithmetic call-site obfuscation, 1,100+ string fragments. ^[strings.txt] |
| Defense Evasion | T1497.001 | Catastrophic-backtracking regex trap `(((.+)+)+)+$`. ^[stub] |
Attribution
Sibling of the unclassified-js-dropper cluster (sample 0e4141aa). Identical obfuscation engine: same EFNVXJYPEVUVOALX string-array name, same _0x<hex> resolver convention, same hex-arithmetic call-site obfuscation, same ActiveXObject + WScript.Shell execution chain. ^[entities/unclassified-js-dropper.md]
Confidence: medium (high-confidence engine match, low-confidence campaign linkage).
Siblings
- 0e4141aa — same obfuscation engine, debugger/sandbox gate, HostGator C2, reflectively-loaded .NET assembly.