Analysis of a JSE File (Kimsuky APT)
Summary
The JavaScript file is heavily obfuscated and its commands are Base64-encoded
It is linked to the Kimsuky APT malware family
The file performs a number of different evasion techniques
It also downloads an executable, which is the dropper file for the main payload
The file also performs deletion activities
Analysis of the file
What the script actually does (decoded)
Embedded payload
The variable you saw ("VFZxUUFBTUFB...") is Base64 data
It is Base64-decoded twice
After the second decode, the result starts with:
4D 5A 90 00 03 00 ...
MZ....
That is a Windows PE executable (EXE)
So this is not just JavaScript — it’s a binary dropper.
Execution flow (simplified)
The original .jse script does roughly this at runtime:
try {
    // 1. Huge Base64 string embedded in the script
    var payload = "VFZxUUFBTUFBQUFFQUFBQS8vOEFBTGdB...";
    // 2. Decode twice
    var stage1 = Base64Decode(payload);
    var exeBytes = Base64Decode(stage1);
    // 3. Write EXE to disk (usually %TEMP%)
    var fso = new ActiveXObject("Scripting.FileSystemObject");
    var tempPath = fso.GetSpecialFolder(2) + "\\<random>.exe";
    WriteBinaryFile(tempPath, exeBytes);
    // 4. Execute …
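As an added triage example (not code from this write-up or from the sample), the following Python reproduces the analyst's check described above: pull candidate Base64 string literals out of the script text, peel the Base64 layers one at a time, and stop as soon as the bytes start with the MZ header. The script text and the PE bytes are constructed stand-ins, and FAKE_PE, decode_layers and find_embedded_pe are names chosen for this example.

```python
import base64
import binascii
import re

# Constructed stand-in for the dropped PE: the bytes the write-up reports after the
# second decode (4D 5A 90 00 03 00 ...), padded so the sample is a realistic size.
FAKE_PE = bytes.fromhex("4d5a90000300") + b"\x00" * 58 + b"PE\x00\x00"

def double_encode(data: bytes) -> str:
    """Mirror the script's layering: base64(base64(bytes))."""
    return base64.b64encode(base64.b64encode(data)).decode("ascii")

# Constructed JSE-like text (not the real sample); the blob sits in a string literal.
SAMPLE_SCRIPT = (
    'try {\n'
    '  var payload = "' + double_encode(FAKE_PE) + '";\n'
    '  var stage1 = Base64Decode(payload);\n'
    '}\n'
)

# Only long literals made of Base64 alphabet characters are worth decoding.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/=]{64,})"')

def decode_layers(blob: str, max_layers: int = 4) -> tuple:
    """Strip Base64 layers until a PE header (MZ) appears or decoding fails.
    Returns (data, layers_removed); layers_removed is 0 if nothing was peeled."""
    data = blob.encode("ascii")
    for layer in range(1, max_layers + 1):
        try:
            data = base64.b64decode(data, validate=True)
        except (binascii.Error, ValueError):
            # Not Base64 any more: hand back whatever the previous layer produced.
            return data, layer - 1
        if data.startswith(b"MZ"):
            return data, layer
    return data, max_layers

def find_embedded_pe(script_text: str):
    """Return (pe_bytes, layers) for the first literal that decodes to a PE, else None."""
    for match in B64_LITERAL.finditer(script_text):
        data, layers = decode_layers(match.group(1))
        if data.startswith(b"MZ"):
            return data, layers
    return None

if __name__ == "__main__":
    found = find_embedded_pe(SAMPLE_SCRIPT)
    if found:
        pe, layers = found
        print(f"PE found after {layers} Base64 layer(s), first bytes: {pe[:6].hex(' ')}")
```

On a real sample, the extracted bytes would be written to a file for PE parsing rather than printed; the layer count tells you how the script's decoding routine is stacked.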