SOC Prime Bias: Medium

14 Apr 2026 18:48

Obfuscated JavaScript at the Core of the Attack

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

A phishing email delivered a malicious JavaScript file inside a RAR archive, kicking off an infection chain that ends with the execution of Formbook malware. Once launched, the script writes multiple files into the public folder, establishes persistence through a scheduled task, and starts a PowerShell payload that decrypts AES-encrypted content to load a malicious .NET DLL. That DLL is then injected into an MSBuild.exe process, where it continues execution and deploys the final malware stage. The campaign also incorporates several defense-evasion methods, including patching ETW and AMSI to reduce detection.

Investigation

During analysis, researchers identified the JavaScript dropper cbmjlzan.JS, along with a scheduled task configured to run the copied script every fifteen minutes for persistence. They also traced the PowerShell command responsible for decoding base64-encoded data hidden inside image files. The decrypted content revealed a .NET DLL that was injected into MSBuild.exe and used to deliver Formbook. Additional indicators, including file paths, task names, and cryptographic material, were extracted to support deeper investigation and detection development.

Mitigation

Organizations should block execution of untrusted JavaScript files and PowerShell scripts launched from user-accessible directories, while closely monitoring for scheduled tasks created with unusual or random-looking names. Execution controls should be applied to MSBuild.exe to prevent abuse in malware chains. Security tooling should also detect DLL injection behavior, ETW and AMSI tampering, and known Formbook-related signatures. User awareness training remains important to reduce the risk posed by phishing attachments.

Response

Defenders should generate alerts when the identified JavaScript file or related scheduled task appears, then isolate the affected endpoint and collect volatile evidence for analysis. The malicious files should be removed, the scheduled task deleted, and the injected DLL examined in full to understand the complete execution flow. Any compromised system components should be rebuilt or restored to ensure integrity. Relevant IOCs should also be shared with the wider security community to help others detect similar activity.

Attack Flow

```mermaid
graph TB
  %% Class definitions
  classDef action fill:#ffcccc
  classDef tool fill:#99ccff
  classDef process fill:#ffff99
  classDef file fill:#ccffcc
  classDef malware fill:#ffcc99

  %% Nodes
  email_phishing["<b>Action</b> – <b>T1566.001 Spearphishing Attachment</b><br/>Malicious RAR attachment delivered via e-mail"]
  class email_phishing action
  tool_wsh["<b>Tool</b> – <b>Name</b>: Windows Script Host (JavaScript)<br/><b>Technique</b>: T1559.001 Component Object Model"]
  class tool_wsh tool
  action_copy["<b>Action</b> – <b>T1559.001 Component Object Model</b><br/>Script copies itself to C:\Users\Public\Libraries"]
  class action_copy action
  action_sched["<b>Action</b> – <b>T1053 Scheduled Task/Job</b><br/>Creates a scheduled task for persistence"]
  class action_sched action
  tool_ps["<b>Tool</b> – <b>Name</b>: PowerShell<br/><b>Technique</b>: T1059.001 Command and Scripting Interpreter"]
  class tool_ps tool
  action_decode["<b>Action</b> – <b>T1027.004 Compile After Delivery</b> & <b>T1140 Deobfuscate/Decode Files</b><br/>Base64 decode and AES decryption of encrypted blobs"]
  class action_decode action
  action_patch["<b>Action</b> – <b>T1562.001 Impair Defenses: Disable or Modify Tools</b><br/>Live-patches ETW and AMSI to bypass detection"]
  class action_patch action
  file_dll["<b>File</b> – <b>Name</b>: Orio.png (contains encrypted .NET DLL)<br/><b>Technique</b>: Hidden payload"]
  class file_dll file
  process_msbuild["<b>Process</b> – <b>Name</b>: msbuild.exe<br/><b>Technique</b>: T1127.001 Trusted Developer Utilities Proxy Execution"]
  class process_msbuild process
  action_inject["<b>Action</b> – <b>T1055.001 Process Injection</b><br/>Injects decrypted DLL into msbuild.exe"]
  class action_inject action
  malware_formbook["<b>Malware</b> – <b>Name</b>: Formbook<br/><b>Source</b>: Brio.png embedded payload"]
  class malware_formbook malware

  %% Edges / Flow
  email_phishing -->|delivers| tool_wsh
  tool_wsh -->|uses COM to| action_copy
  action_copy -->|leads to| action_sched
  tool_wsh -->|launches| tool_ps
  tool_ps -->|executes| action_decode
  tool_ps -->|applies| action_patch
  action_decode -->|produces| file_dll
  action_patch -->|prepares environment for| file_dll
  file_dll -->|loaded by| process_msbuild
  process_msbuild -->|receives| action_inject
  action_inject -->|extracts final payload from| malware_formbook
```

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An attacker who has breached a low‑privilege account wishes to download a malicious payload that is stored as a Base64 string in a compromised script repository. To avoid detection, the attacker crafts a single PowerShell one‑liner that (1) decodes the Base64 string, (2) invokes it via iex, and (3) creates an AES object to decrypt further embedded data. The exact command line is written to match the rule’s literals.

    ```powershell
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Noexit -nop -c iex([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(('REPLACED_STRING'.Replace('VFHDVXDJCF',''))))) ; $aes_var = [System.Security.Cryptography.Aes]::Create()
    ```
    • The attacker replaces REPLACED_STRING with the Base64 payload into which the junk marker VFHDVXDJCF has been spliced; the .Replace() call strips the marker at runtime, so the string on disk and in the command line never matches a static Base64 signature.
    • -NoExit keeps the child session open after the command runs, -nop (-NoProfile) skips profile loading, and -c (-Command) passes the one-liner. None of these switches bypasses the execution policy (that would be -ExecutionPolicy Bypass); they are simply the literals the detection condition looks for alongside the decode-and-iex pattern.
    • The $aes_var variable name is kept literal to satisfy the second selection clause.
  • Regression Test Script: The following PowerShell script reproduces the exact command line in a controlled way, ensuring the SIEM receives identical telemetry. The one-liner is launched as a separate powershell.exe process (rather than evaluated in the current session) so that the process-creation event carries the full command line the rule inspects.

    ```powershell
    # Regression Test Script – triggers detection
    $exe    = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
    $marker = 'VFHDVXDJCF'
    # Benign inner command, UTF-16LE encoded because the one-liner decodes it with [Text.Encoding]::Unicode
    $payload = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes("Write-Host 'regression test'"))
    # Splice the marker into the Base64 so the .Replace() in the one-liner has something to strip
    $obfuscated = $payload.Insert(8, $marker)
    # Single-quoted template: nothing is expanded here, so the literal $aes_var reaches the child intact
    $template = '-Noexit -nop -c iex([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String((''{0}''.Replace(''{1}'','''')))))) ; $aes_var = [System.Security.Cryptography.Aes]::Create()'
    $argString = $template -f $obfuscated, $marker
    # Spawn a child powershell.exe so Sysmon/4688 records this exact command line
    Start-Process -FilePath $exe -ArgumentList $argString
    ```
  • Cleanup Commands: Stop the spawned PowerShell session (it stays open because of -NoExit) and clear the temporary variables. The child is located by the marker in its command line so that the current shell, or any unrelated PowerShell process, is never terminated.

    ```powershell
    # Cleanup – terminate the child PowerShell process if still running
    Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe'" |
        Where-Object { $_.ProcessId -ne $PID -and $_.CommandLine -like '*VFHDVXDJCF*' } |
        ForEach-Object { Stop-Process -Id $_.ProcessId -Force }

    # Clear any temporary variables left by the regression script
    Remove-Variable -Name payload, marker, obfuscated, command, template, argString, exe -ErrorAction SilentlyContinue
    ```
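As an added example (not SOC Prime's rule or any code from the page), the following Python triage helper runs the checks the Investigation, Mitigation and Simulation sections describe over a handful of constructed event records: it matches the decode-and-iex one-liner on the rule's literals, reverses the marker splice and the Base64/UTF-16LE encoding to recover the staged command, and flags scheduled tasks whose name looks machine-generated and whose action runs a script from under C:\Users\Public. The record field names, the sample records (including the task name reused from the dropper's file name) and the random-name heuristic thresholds are assumptions, not something the page specifies.

```python
"""Triage helpers for the JavaScript-dropper / PowerShell-decoder chain above.

Added example; not SOC Prime's rule or tooling. The records below are constructed,
and the field names (command_line, task_name, task_action) are an assumed flattening
of process-creation and task-creation events, not any particular SIEM schema.
"""
import base64
import re
from typing import List, Optional, Tuple

# Junk string the observed one-liner splices into its Base64 and strips with .Replace()
MARKER = "VFHDVXDJCF"

# Literals the rule keys on: the decode-and-iex chain plus the AES object created afterwards
_DECODER_LITERALS = ("iex(", "frombase64string", ".replace(", "$aes_var", "aes]::create()")


def is_decoder_one_liner(command_line: str) -> bool:
    """Match a powershell.exe command line carrying -nop/-c and every decoder literal."""
    cl = command_line.lower()
    tokens = set(cl.split())
    has_switches = "-nop" in tokens and ("-c" in tokens or "-command" in tokens)
    return "powershell" in cl and has_switches and all(lit in cl for lit in _DECODER_LITERALS)


# Pulls the Base64 literal and the marker out of FromBase64String(('...'.Replace('MARKER','')))
_B64_CALL = re.compile(
    r"FromBase64String\(\(\s*'(?P<b64>[^']+)'\.Replace\('(?P<marker>[^']*)'\s*,\s*''\)",
    re.IGNORECASE,
)


def recover_inner_command(command_line: str) -> Optional[str]:
    """Undo the marker splice and the Base64/UTF-16LE encoding to reveal the staged command."""
    m = _B64_CALL.search(command_line)
    if m is None:
        return None
    cleaned = m.group("b64").replace(m.group("marker"), "")
    try:
        raw = base64.b64decode(cleaned, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    # The one-liner uses [Text.Encoding]::Unicode, i.e. UTF-16LE
    return raw.decode("utf-16-le", errors="replace")


_VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Heuristic for machine-generated task names: few vowels or a long consonant run (assumed thresholds)."""
    letters = [c for c in name.lower() if c.isalpha()]
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in _VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in _VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio < 0.2 or longest >= 5


def runs_public_script(action: str) -> bool:
    """True when a task action runs a script host or a .js file from under C:\\Users\\Public."""
    a = action.lower()
    return "\\users\\public\\" in a and (a.endswith(".js") or "wscript" in a or "cscript" in a)


def triage(records: List[dict]) -> List[Tuple[int, str]]:
    """Return (record index, reason) for every record that matches one of the checks."""
    hits = []
    for i, rec in enumerate(records):
        if is_decoder_one_liner(rec.get("command_line", "")):
            hits.append((i, "powershell Base64-decode/iex one-liner with AES object"))
        elif looks_random(rec.get("task_name", "")) and runs_public_script(rec.get("task_action", "")):
            hits.append((i, "random-looking task name running a script from Users\\Public"))
    return hits


def build_sample_one_liner(inner: str = "Write-Host 'regression test'") -> str:
    """Constructed command line in the shape the page describes, with the marker spliced in."""
    b64 = base64.b64encode(inner.encode("utf-16-le")).decode("ascii")
    obfuscated = b64[:8] + MARKER + b64[8:]
    return (
        r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -Noexit -nop -c "
        f"iex([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String(('{obfuscated}'"
        f".Replace('{MARKER}',''))))) ; $aes_var = [System.Security.Cryptography.Aes]::Create()"
    )


# Constructed records: decoder one-liner, benign PowerShell, dropper-style task, benign task
SAMPLE_RECORDS = [
    {"command_line": build_sample_one_liner()},
    {"command_line": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -c Get-Process"},
    {"task_name": "cbmjlzan", "task_action": r"wscript.exe C:\Users\Public\Libraries\cbmjlzan.js"},
    {"task_name": "DailyReportExport", "task_action": r"C:\Tools\export.exe /weekly"},
]

if __name__ == "__main__":
    for idx, reason in triage(SAMPLE_RECORDS):
        print(f"record {idx}: {reason}")
    print("staged command:", recover_inner_command(SAMPLE_RECORDS[0]["command_line"]))
```

Run it directly to print the two hits and the recovered inner command. In a real pipeline the records would be Sysmon event 1 or Security 4688 command lines and Security 4698 task-creation events flattened to these fields; the marker regex is deliberately tied to the `.Replace('…','')` shape seen in this campaign and would need a second pattern for variants that split or concatenate the Base64 instead.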