The main function of the obfuscated Jscript is to decode the main payload and launch it in the memory. Below is the de-obfuscated and the beautified code:
The DLL Payload
The payload is a .NET DLL (managed code) that contains a class named jSfMMrZfotrr.
Figure 3. DLL file .NET assemblies
The main purpose of this DLL is the following:
Add .JS and .EXE file extensions into Microsoft Defender’s exclusion list. Evade the Microsoft Antimalware Scan Interface (AMSI) DLL so that it will not scan t…