win.fishmaster

FishMaster

aka: JollyJellyfish

Actor(s): Earth Lusca


A custom loader for CobaltStrike.

References
2021-12-15 · NCSC UK · NCSC UK
@online{uk:20211215:jolly:bd0859a, author = {NCSC UK}, title = {{Jolly Jellyfish}}, date = {2021-12-15}, organization = {NCSC UK}, url = {https://media-exp1.licdn.com/dms/document/C561FAQHhWFRcWmdCPw/feedshare-document-pdf-analyzed/0/1639591145314?e=1658966400&v=beta&t=_uCcyEVg6b_VDiBTvWQIXtBOdQ1GQAAydqGyq62KA3E}, language = {English}, urldate = {2022-07-25} } Jolly Jellyfish
FishMaster Earth Lusca
2021-07-01 · Avast Decoded · Luigino Camastra, Igor Morgenstern, Jan Vojtěšek
@online{camastra:20210701:backdoored:6f26c16, author = {Luigino Camastra and Igor Morgenstern and Jan Vojtěšek}, title = {{Backdoored Client from Mongolian CA MonPass}}, date = {2021-07-01}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/}, language = {English}, urldate = {2022-07-25} } Backdoored Client from Mongolian CA MonPass
Cobalt Strike FishMaster
Yara Rules
[TLP:WHITE] win_fishmaster_auto (20221125 | Detects win.fishmaster.)
rule win_fishmaster_auto {
    // Auto-generated opcode-sequence signature for win.fishmaster (FishMaster,
    // aka JollyJellyfish), described on the Malpedia entry as a custom loader
    // for Cobalt Strike. The sequences were selected by YARA-Signator from the
    // disassembly of memory dumps / unpacked files (see DISCLAIMER), so apply
    // the rule to unpacked samples or process memory; a packed on-disk copy
    // may not match.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.fishmaster."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fishmaster"
        malpedia_rule_date = "20221118"
        // NOTE(review): `date`, `malpedia_rule_date` and `malpedia_version`
        // carry three different dates; they are metadata only and do not
        // affect matching, but check the Malpedia entry for the authoritative one.
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each $sequence_N is a run of raw opcode bytes from the sample. The
        // "??" positions wildcard bytes that vary between builds (e.g. the
        // rel32 operand following an e8 CALL and rip-relative displacements),
        // so the sequences match on code shape rather than absolute addresses.
        // NOTE(review): the mnemonic annotations beneath each sequence appear
        // to be mis-aligned with the opcode bytes they label (e.g. 488bd3 is
        // annotated as int3, whose encoding is cc). They are informational
        // only and have no effect on matching; confirm against a disassembler
        // before using them for triage.
        $sequence_0 = { 488bd3 e8???????? 4d8bc4 488d153d140000 498bcf e8???????? 488d5501 }
            // n = 7, score = 100
            //   488bd3               | int3                
            //   e8????????           |                     
            //   4d8bc4               | dec                 eax
            //   488d153d140000       | mov                 ecx, ebp
            //   498bcf               | dec                 eax
            //   e8????????           |                     
            //   488d5501             | sub                 eax, ebp

        $sequence_1 = { 488d85f0070000 488945b8 488d85f0170000 488945f8 488d85f00f0000 488945d8 }
            // n = 6, score = 100
            //   488d85f0070000       | mov                 eax, dword ptr [edi]
            //   488945b8             | dec                 eax
            //   488d85f0170000       | lea                 ecx, [esp + 0x38]
            //   488945f8             | dec                 ecx
            //   488d85f00f0000       | cmp                 esi, 0x10
            //   488945d8             | dec                 eax

        $sequence_2 = { 8bbc2498000000 4180f82f 410f44fa c1ff04 c0e202 }
            // n = 5, score = 100
            //   8bbc2498000000       | dec                 eax
            //   4180f82f             | mov                 ecx, dword ptr [ebx + 0x10]
            //   410f44fa             | dec                 edx
            //   c1ff04               | movsx               eax, byte ptr [eax + 1]
            //   c0e202               | and                 eax, 0xf

        $sequence_3 = { eb0a 48b92700000000000080 e8???????? 4885c0 0f848f000000 4c8d7027 }
            // n = 6, score = 100
            //   eb0a                 | lea                 ebp, [ecx + 4]
            //   48b92700000000000080     | jmp    0x26c
            //   e8????????           |                     
            //   4885c0               | cmp                 cl, 0x2b
            //   0f848f000000         | lea                 eax, [ecx - 0x30]
            //   4c8d7027             | cmp                 al, 9

        $sequence_4 = { 8d41bf 3c19 7706 448d69bf eb2b 8d419f 3c19 }
            // n = 7, score = 100
            //   8d41bf               | cmp                 ecx, dword ptr [esp + 0x30]
            //   3c19                 | inc                 ecx
            //   7706                 | mov                 edx, 0x3f
            //   448d69bf             | jl                  0xfffffdb3
            //   eb2b                 | dec                 eax
            //   8d419f               | mov                 edx, dword ptr [esp + 0x38]
            //   3c19                 | dec                 esp

        $sequence_5 = { 488d0de5300000 0f57c0 488d5308 48890b 488d4808 0f1102 ff15???????? }
            // n = 7, score = 100
            //   488d0de5300000       | cmp                 dword ptr [esp + 0x58], 0x10
            //   0f57c0               | dec                 eax
            //   488d5308             | cmovae              eax, dword ptr [esp + 0x40]
            //   48890b               | dec                 eax
            //   488d4808             | lea                 ecx, [esp + 0x40]
            //   0f1102               | dec                 eax
            //   ff15????????         |                     

        // NOTE(review): $sequence_6 and $sequence_8 share the same first five
        // byte groups; $sequence_8 is a strict prefix of $sequence_6, so any
        // file matching $sequence_6 also matches $sequence_8 and these two
        // effectively count twice toward the "7 of them" threshold.
        $sequence_6 = { 488d054d2a0000 c3 8325????????00 c3 48895c2408 55 }
            // n = 6, score = 100
            //   488d054d2a0000       | and                 eax, 0xf
            //   c3                   | inc                 esp
            //   8325????????00       |                     
            //   c3                   | movzx               ecx, byte ptr [ecx + eax*4]
            //   48895c2408           | dec                 eax
            //   55                   | mov                 ecx, dword ptr [ebx + 0x10]

        $sequence_7 = { 8bea 4533e4 8b8424a8000000 83f801 0f85d5010000 }
            // n = 5, score = 100
            //   8bea                 | mov                 edx, dword ptr [esp + 0x38]
            //   4533e4               | mov                 ebp, edx
            //   8b8424a8000000       | dec                 esp
            //   83f801               | cmp                 esi, eax
            //   0f85d5010000         | ja                  0x407

        $sequence_8 = { 488d054d2a0000 c3 8325????????00 c3 48895c2408 }
            // n = 5, score = 100
            //   488d054d2a0000       | dec                 eax
            //   c3                   | cmovae              eax, dword ptr [esp + 0x40]
            //   8325????????00       |                     
            //   c3                   | dec                 eax
            //   48895c2408           | lea                 ecx, [esp + 0x40]

        $sequence_9 = { ff15???????? 488bf8 4c89742430 4489742428 4489742420 4533c9 4533c0 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   488bf8               | mov                 ecx, ebx
            //   4c89742430           | dec                 ecx
            //   4489742428           | cmp                 eax, 0x10
            //   4489742420           | jb                  0x1c6
            //   4533c9               | dec                 eax
            //   4533c0               | mov                 ecx, dword ptr [ebx]

    condition:
        // Fire when at least 7 of the 10 sequences are present and the scanned
        // file is smaller than 812032 bytes (793 KiB). The size bound is
        // presumably there to limit false positives on large unrelated
        // binaries; note that it also excludes padded, bundled or repacked
        // copies above that size, and that "7 of them" is a fixed threshold
        // rather than a weighting of the per-sequence scores noted above.
        7 of them and filesize < 812032
}