Malware Analysis of Kimsuky's Attacks - jse
Latest Research|January 9, 2025
A .jse file is a JScript Encoded file: an encoded version of a .js (JavaScript/JScript) file, intended to keep the script source from being casually viewed or modified. In this sample, the obfuscated script drops a decoy jpg together with an encrypted PowerShell script; once the PowerShell script runs, it writes out a VMProtect-packed PE file that provides C&C remote control. The whole flowchart is shown below:
Analysing the jse file revealed a large amount of obfuscated code and encrypted data.
After de-obfuscation, and with the encrypted data omitted (the blobs are too large to show and are replaced by "..." so they do not get in the way), the script looks like this:
Main function: drop and open the jpg as well as bgn9jPn.g6Ky (base64-encoded data), then use PowerShell to decrypt the bgn9jPn.g6Ky data file and save the result as jB2OWAx.lEKR (a PE executable).
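As an added triage example (not code from the original post), the Python below checks whether a dropped file such as bgn9jPn.g6Ky is a base64-encoded PE image, which is the indicator an analyst would use to recognise the staged payload before PowerShell writes it out as jB2OWAx.lEKR. The sample blob is constructed here and is not the real payload.

```python
import base64
import re
import struct


def _constructed_pe_stub() -> bytes:
    """Constructed stand-in for a dropped payload: an MZ header whose
    e_lfanew field points at a 'PE\\0\\0' signature. Not a real executable."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)          # e_lfanew -> offset 0x80
    return bytes(dos) + b"\x00" * (0x80 - 64) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample: what a file like bgn9jPn.g6Ky would look like on disk.
SAMPLE_BLOB = base64.b64encode(_constructed_pe_stub())

# Base64 alphabet plus padding and line breaks; anything else is not a pure blob.
_B64_RE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with 'MZ' and e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def classify_blob(blob: bytes) -> str:
    """Classify a dropped file as 'pe', 'base64-pe' or 'other'.

    'base64-pe' is the staged form described above: a file with a random
    extension that only becomes an executable after the PowerShell stage
    decodes it.
    """
    if looks_like_pe(blob):
        return "pe"
    if _B64_RE.match(blob):
        try:
            decoded = base64.b64decode(blob, validate=False)
        except ValueError:                       # binascii.Error is a ValueError
            return "other"
        if looks_like_pe(decoded):
            return "base64-pe"
    return "other"
```

Run `classify_blob` over every file a suspicious script wrote to disk; a hit on "base64-pe" for a file with a non-executable extension is the pattern this sample relies on.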
Eventually, jB2OWAx.lEKR …