
FishMaster

aka: JollyJellyfish

Actor(s): Earth Lusca


A custom loader for Cobalt Strike.

References
2021-12-15 · NCSC UK · NCSC UK
@online{uk:20211215:jolly:bd0859a, author = {NCSC UK}, title = {{Jolly Jellyfish}}, date = {2021-12-15}, organization = {NCSC UK}, url = {https://media-exp1.licdn.com/dms/document/C561FAQHhWFRcWmdCPw/feedshare-document-pdf-analyzed/0/1639591145314?e=1658966400&v=beta&t=_uCcyEVg6b_VDiBTvWQIXtBOdQ1GQAAydqGyq62KA3E}, language = {English}, urldate = {2022-07-25} } Jolly Jellyfish
FishMaster Earth Lusca
2021-07-01 · Avast Decoded · Luigino Camastra, Igor Morgenstern, Jan Vojtěšek
@online{camastra:20210701:backdoored:6f26c16, author = {Luigino Camastra and Igor Morgenstern and Jan Vojtěšek}, title = {{Backdoored Client from Mongolian CA MonPass}}, date = {2021-07-01}, organization = {Avast Decoded}, url = {https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/}, language = {English}, urldate = {2022-07-25} } Backdoored Client from Mongolian CA MonPass
Cobalt Strike FishMaster
Yara Rules
[TLP:WHITE] win_fishmaster_auto (20230125 | Detects win.fishmaster.)
rule win_fishmaster_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.fishmaster."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.fishmaster"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* Reading the strings below:
     * - Each $sequence_N is a run of raw x86 opcode bytes; the "n" in its
     *   annotation is the number of instructions in the run, "score" is
     *   presumably the generator's selection score for that run.
     * - "??" wildcards mask the 4-byte displacement of call instructions
     *   (e8 ........ is call rel32, ff15 ........ is call [rip+disp32]),
     *   consistent with the "callsandjumps" option in signator_config, so
     *   a sequence still matches when the binary is relinked or relocated.
     * - The REX prefixes (0x41-0x4f) in the hex column show this is 64-bit
     *   code. The disassembly column appears to be misaligned with the hex
     *   column and decoded in 32-bit mode (e.g. 7736 is a short conditional
     *   jump, not "dec eax"); treat it as informational only and
     *   re-disassemble the bytes before relying on it for triage.
     */

    strings:
        $sequence_0 = { 4883f81f 7736 498bc8 e8???????? 48c7471000000000 }
            // n = 5, score = 100
            //   4883f81f             | mov                 dword ptr [ebx], eax
            //   7736                 | dec                 eax
            //   498bc8               | mov                 eax, ebx
            //   e8????????           |                     
            //   48c7471000000000     | movups              xmmword ptr [edx], xmm0

        $sequence_1 = { 3d00040000 7309 33c9 ff15???????? cc }
            // n = 5, score = 100
            //   3d00040000           | inc                 esp
            //   7309                 | mov                 dword ptr [esp + 0x28], esi
            //   33c9                 | mov                 dword ptr [esp + 0x20], 3
            //   ff15????????         |                     
            //   cc                   | jbe                 0x1a5

        $sequence_2 = { 7203 4c8b03 8d45ff 4863c8 }
            // n = 4, score = 100
            //   7203                 | dec                 eax
            //   4c8b03               | mov                 ecx, ebx
            //   8d45ff               | dec                 eax
            //   4863c8               | mov                 eax, dword ptr [ebx + 0x18]

        $sequence_3 = { 482bc2 4c3bf0 7729 4a8d0432 488bd9 483bc8 480f42d8 }
            // n = 7, score = 100
            //   482bc2               | dec                 eax
            //   4c3bf0               | lea                 edx, [ebx + 8]
            //   7729                 | inc                 eax
            //   4a8d0432             | push                ebx
            //   488bd9               | dec                 eax
            //   483bc8               | sub                 esp, 0x20
            //   480f42d8             | dec                 eax

        $sequence_4 = { 488d85f0130000 488945e8 488d85f0070000 488945b8 }
            // n = 4, score = 100
            //   488d85f0130000       | mov                 eax, dword ptr [esi]
            //   488945e8             | inc                 eax
            //   488d85f0070000       | mov                 byte ptr [eax + ecx], bh
            //   488945b8             | dec                 eax

        $sequence_5 = { 488b4b10 488b5318 488bc2 482bc1 4883f801 721f }
            // n = 6, score = 100
            //   488b4b10             | mov                 dword ptr [esp + 0x20], esi
            //   488b5318             | dec                 esp
            //   488bc2               | lea                 ecx, [0x20b1]
            //   482bc1               | dec                 esp
            //   4883f801             | mov                 eax, dword ptr [ebp - 8]
            //   721f                 | mov                 dword ptr [esp + 0x30], 1

        $sequence_6 = { 80f92b 750c 448bc7 89bc24a0000000 }
            // n = 4, score = 100
            //   80f92b               | lea                 ecx, [0x2c92]
            //   750c                 | test                eax, eax
            //   448bc7               | je                  0x641
            //   89bc24a0000000       | dec                 eax

        $sequence_7 = { 4883e0e0 488948f8 eb15 ff15???????? cc 4885c9 7407 }
            // n = 7, score = 100
            //   4883e0e0             | dec                 ecx
            //   488948f8             | mov                 edx, dword ptr [esi + 0x10]
            //   eb15                 | dec                 ebp
            //   ff15????????         |                     
            //   cc                   | mov                 eax, dword ptr [esi + 0x18]
            //   4885c9               | dec                 ecx
            //   7407                 | cmp                 edx, eax

        $sequence_8 = { 410fbe4c0103 8d41bf 3c19 7705 8d71bf }
            // n = 5, score = 100
            //   410fbe4c0103         | mov                 ecx, eax
            //   8d41bf               | dec                 esp
            //   3c19                 | mov                 dword ptr [ebx], esi
            //   7705                 | ja                  0x317
            //   8d71bf               | dec                 edx

        $sequence_9 = { ff15???????? 488bf8 4c89742430 4489742428 4489742420 4533c9 4533c0 }
            // n = 7, score = 100
            //   ff15????????         |                     
            //   488bf8               | dec                 eax
            //   4c89742430           | cmp                 ecx, edx
            //   4489742428           | jae                 0xd9
            //   4489742420           | and                 eax, 0xf
            //   4533c9               | inc                 esp
            //   4533c0               | movzx               ecx, byte ptr [ecx + eax*4]

    /* Matching: 7 of the 10 byte sequences must be present, which tolerates a
     * few sequences being absent or recompiled while still requiring a
     * majority. The sequences come from unpacked code (see DISCLAIMER), so a
     * packed or encrypted sample is not expected to match until it is
     * unpacked. filesize is only defined when scanning a file; on a
     * process-memory scan the comparison is undefined and the rule should
     * not fire (confirm against the YARA version in use). The 812032-byte
     * bound (~793 KiB) is derived from the documented sample and will
     * exclude larger builds of the same code.
     */
    condition:
        7 of them and filesize < 812032
}