SYMBOLCOMMON_NAMEaka. SYNONYMS
win.fishmaster (Back to overview)

FishMaster

aka: JollyJellyfish

Actor(s): Earth Lusca


A custom loader for CobaltStrike.

References
2021-12-16TEAMT5Charles Li, Aragorn Tseng, Peter Syu, Tom Lai
@online{li:20211216:winnti:adce3fa, author = {Charles Li and Aragorn Tseng and Peter Syu and Tom Lai}, title = {{Winnti is Coming - Evolution after Prosecution}}, date = {2021-12-16}, organization = {TEAMT5}, url = {https://speakerdeck.com/aragorntseng/winnti-is-coming-evolution-after-prosecution-at-hitcon2021}, language = {English}, urldate = {2023-04-28} } Winnti is Coming - Evolution after Prosecution
Cobalt Strike FishMaster FunnySwitch HIGHNOON ShadowPad Spyder
2021-12-15NCSC UKNCSC UK
@online{uk:20211215:jolly:bd0859a, author = {NCSC UK}, title = {{Jolly Jellyfish}}, date = {2021-12-15}, organization = {NCSC UK}, url = {https://media-exp1.licdn.com/dms/document/C561FAQHhWFRcWmdCPw/feedshare-document-pdf-analyzed/0/1639591145314?e=1658966400&v=beta&t=_uCcyEVg6b_VDiBTvWQIXtBOdQ1GQAAydqGyq62KA3E}, language = {English}, urldate = {2022-07-25} } Jolly Jellyfish
FishMaster Earth Lusca
2021-07-01Avast DecodedLuigino Camastra, Igor Morgenstern, Jan Vojtěšek
@online{camastra:20210701:backdoored:6f26c16, author = {Luigino Camastra and Igor Morgenstern and Jan Vojtěšek}, title = {{Backdoored Client from Mongolian CA MonPass}}, date = {2021-07-01}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/}, language = {English}, urldate = {2022-07-25} } Backdoored Client from Mongolian CA MonPass
Cobalt Strike FishMaster
Yara Rules
[TLP:WHITE] win_fishmaster_auto (20230715 | Detects win.fishmaster.)
rule win_fishmaster_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.fishmaster."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fishmaster"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 66c704083d00 e9???????? 48c744242001000000 ba01000000 488bcb e8???????? }
            // n = 6, score = 100
            //   66c704083d00         | ja                  0x5b9
            //   e9????????           |                     
            //   48c744242001000000     | dec    ecx
            //   ba01000000           | mov                 edx, esi
            //   488bcb               | dec                 eax
            //   e8????????           |                     

        $sequence_1 = { 488b542440 7209 488d4206 4903c1 eb12 488d4c2440 488d442446 }
            // n = 7, score = 100
            //   488b542440           | mov                 ebp, dword ptr [esp + 0x98]
            //   7209                 | mov                 ebp, dword ptr [esp + 0x98]
            //   488d4206             | inc                 esp
            //   4903c1               | mov                 edi, dword ptr [esp + 0x98]
            //   eb12                 | inc                 esp
            //   488d4c2440           | mov                 esp, dword ptr [esp + 0x98]
            //   488d442446           | jle                 0x2b6

        $sequence_2 = { 4180f82f 410f44ff c1ff02 c0e204 400afa }
            // n = 5, score = 100
            //   4180f82f             | shl                 dl, 2
            //   410f44ff             | or                  cl, dl
            //   c1ff02               | dec                 ecx
            //   c0e204               | mov                 edx, dword ptr [esi + 0x10]
            //   400afa               | sar                 edi, 2

        $sequence_3 = { c7450000020000 c745c000020000 c745f000020000 c745d000020000 c7451000020000 }
            // n = 5, score = 100
            //   c7450000020000       | call                dword ptr [ebp - 0x68]
            //   c745c000020000       | mov                 ecx, 0x3e8
            //   c745f000020000       | dec                 eax
            //   c745d000020000       | lea                 eax, [ebp - 0x6c]
            //   c7451000020000       | dec                 eax

        $sequence_4 = { e8???????? 488bd8 448b8550200000 33d2 }
            // n = 4, score = 100
            //   e8????????           |                     
            //   488bd8               | je                  0xbc
            //   448b8550200000       | dec                 eax
            //   33d2                 | lea                 edi, [eax + 0x27]

        $sequence_5 = { 724a 488b1e 488bd3 e8???????? }
            // n = 4, score = 100
            //   724a                 | mov                 ecx, ebx
            //   488b1e               | dec                 eax
            //   488bd3               | mov                 ecx, ebx
            //   e8????????           |                     

        $sequence_6 = { 488d054d2a0000 c3 8325????????00 c3 48895c2408 55 }
            // n = 6, score = 100
            //   488d054d2a0000       | dec                 eax
            //   c3                   | cmp                 dword ptr [esp + 0x58], 0x10
            //   8325????????00       |                     
            //   c3                   | inc                 ecx
            //   48895c2408           | setae               al
            //   55                   | dec                 eax

        $sequence_7 = { 418d5601 33c9 ff15???????? c7855820000004000000 4489b540200000 4533c9 440fb745d4 }
            // n = 7, score = 100
            //   418d5601             | cmp                 cl, 0x2b
            //   33c9                 | jne                 0x49a
            //   ff15????????         |                     
            //   c7855820000004000000     | inc    esp
            //   4489b540200000       | mov                 edi, edi
            //   4533c9               | ja                  0x4a0
            //   440fb745d4           | inc                 esp

        $sequence_8 = { 4c897530 48c745380f000000 44887520 488d8580000000 49c7c0ffffffff 49ffc0 46383400 }
            // n = 7, score = 100
            //   4c897530             | je                  0x65f
            //   48c745380f000000     | dec                 eax
            //   44887520             | mov                 ecx, edx
            //   488d8580000000       | movzx               eax, byte ptr [eax]
            //   49c7c0ffffffff       | inc                 edx
            //   49ffc0               | mov                 byte ptr [ecx + ecx + 7], al
            //   46383400             | inc                 ecx

        $sequence_9 = { 8d71b9 eb1c 8d41d0 3c09 }
            // n = 4, score = 100
            //   8d71b9               | lea                 ecx, [ebp + 0x60]
            //   eb1c                 | nop                 
            //   8d41d0               | dec                 eax
            //   3c09                 | lea                 esi, [esp + 0x58]

    condition:
        7 of them and filesize < 812032
}
Download all Yara Rules