win.jason


Actor(s): OilRig

Jason is a GUI tool for brute-forcing Microsoft Exchange accounts, with the aim of harvesting as many mailboxes and sets of credentials as possible. It is distributed as a ZIP archive, and the interface is straightforward: the operator supplies the Exchange server address and version, chooses one of three brute-force methods (EWS, the Exchange Web Services endpoint; OAB, the Offline Address Book endpoint; or All, which tries both), selects a username list and a password list, and sets a thread count to tune the speed of the attack.
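Both endpoints the tool targets sit behind IIS on the Exchange server, so a run of Jason leaves a trail of rejected authentications in the IIS W3C logs: a burst of 401 responses to /EWS/ or /OAB/ from one client address, sometimes followed by a 200 once a password is guessed. The detection script below is an added example written for this page, not part of Malpedia's entry or of the tool itself. The log lines it processes are constructed (hypothetical hosts 203.0.113.7 and 198.51.100.20), and the thresholds (10 failures inside a 10-minute window) are assumptions to tune per environment.

```python
"""Flag Exchange EWS/OAB credential brute-forcing in IIS W3C logs.

Added example for this page (not Malpedia's or the tool's code). Jason hammers the
EWS and OAB endpoints with username/password lists from many threads; in the IIS
log that appears as a burst of 401 responses from one client address, sometimes
followed by a 200 once a password is guessed. Thresholds and hosts are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# URL prefixes the tool authenticates against (compared case-insensitively).
TARGET_PREFIXES = ("/ews/", "/oab/")


def parse_iis_log(text):
    """Parse W3C-format IIS log text into dicts keyed by the names in the #Fields line."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def find_exchange_bruteforce(text, min_failures=10, window=timedelta(minutes=10)):
    """Return {client_ip: summary} for clients with >= min_failures EWS/OAB 401s inside `window`."""
    per_ip = defaultdict(list)
    for r in parse_iis_log(text):
        if not r["cs-uri-stem"].lower().startswith(TARGET_PREFIXES):
            continue
        ts = datetime.strptime(f'{r["date"]} {r["time"]}', "%Y-%m-%d %H:%M:%S")
        per_ip[r["c-ip"]].append((ts, int(r["sc-status"]), r["cs-uri-stem"], r["cs-username"]))

    alerts = {}
    for ip, events in per_ip.items():
        events.sort(key=lambda e: e[0])
        failures = [e for e in events if e[1] == 401]
        # Sliding window: densest run of rejected logins from this client.
        peak, j = 0, 0
        for i, (ts, _, _, _) in enumerate(failures):
            while ts - failures[j][0] > window:
                j += 1
            peak = max(peak, i - j + 1)
        if peak < min_failures:
            continue
        first_failure = failures[0][0]
        # A 200 carrying a user name after the burst began is the "Login Successful" the tool reports.
        guessed = sorted({e[3] for e in events if e[1] == 200 and e[0] > first_failure and e[3] != "-"})
        alerts[ip] = {
            "failures": len(failures),
            "peak_failures_in_window": peak,
            "endpoints": sorted({e[2] for e in failures}),
            "accounts_logged_in_after_failures": guessed,
        }
    return alerts


def build_sample_log():
    """Constructed IIS log (not a real capture): one spraying host, one normal Outlook client."""
    fields = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username "
              "c-ip cs(User-Agent) sc-status sc-substatus time-taken")
    lines = ["#Software: Microsoft Internet Information Services 10.0", "#Fields: " + fields]
    base = datetime(2019, 6, 5, 10, 0, 0)
    for i in range(30):  # 30 rejected attempts in two minutes, alternating EWS and OAB
        t = base + timedelta(seconds=4 * i)
        method, stem = ("POST", "/EWS/Exchange.asmx") if i % 2 == 0 else ("GET", "/OAB/oab.xml")
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 10.0.0.5 {method} {stem} - 443 - 203.0.113.7 Mozilla/5.0 401 1 12")
    t = base + timedelta(seconds=125)  # one guess lands
    lines.append(f"{t:%Y-%m-%d %H:%M:%S} 10.0.0.5 POST /EWS/Exchange.asmx - 443 CORP\\jdoe 203.0.113.7 Mozilla/5.0 200 0 40")
    for i, status in enumerate([200, 200, 401, 200]):  # benign client with a single re-auth
        t = base + timedelta(seconds=30 * i)
        user = "CORP\\asmith" if status == 200 else "-"
        lines.append(f"{t:%Y-%m-%d %H:%M:%S} 10.0.0.5 POST /EWS/Exchange.asmx - 443 {user} 198.51.100.20 Outlook/16.0 {status} {1 if status == 401 else 0} 35")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for ip, summary in find_exchange_bruteforce(build_sample_log()).items():
        print(ip, summary)
```

The rule keys on failure volume and rate rather than on attempted user names, which depend on the authentication scheme and may not be logged for rejected requests. The successful request after the burst is what the tool shows as "Login Successful"; surfacing the account from that line lets a responder go straight to the mailbox that was opened.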

References

2020-02-13 | Qianxin | Qi Anxin Threat Intelligence Center | APT Report 2019
@techreport{center:20200213:report:146d333, author = {Qi Anxin Threat Intelligence Center}, title = {{APT Report 2019}}, date = {2020-02-13}, institution = {Qianxin}, url = {}, language = {English}, urldate = {2020-02-27} }
2020 | Secureworks | SecureWorks | COBALT GYPSY
@online{secureworks:2020:cobalt:ce31320, author = {SecureWorks}, title = {{COBALT GYPSY}}, date = {2020}, organization = {Secureworks}, url = {}, language = {English}, urldate = {2020-05-23} }
2019-06-06 | Marco Ramilli | APT34: Jason project
@online{ramilli:20190606:apt34:e2dbe80, author = {Marco Ramilli}, title = {{APT34: Jason project}}, date = {2019-06-06}, url = {}, language = {English}, urldate = {2020-01-07} }
2019-06-03 | Twitter (@P3pperP0tts) | Pepper Potts | Tweet on APT34
@online{potts:20190603:apt34:d5442c2, author = {Pepper Potts}, title = {{Tweet on APT34}}, date = {2019-06-03}, organization = {Twitter (@P3pperP0tts)}, url = {}, language = {English}, urldate = {2020-01-13} }
Yara Rules
[TLP:WHITE] win_jason_w0 (20191029 | APT34 Jason)
rule win_jason_w0 {
    meta:
        description = "APT34 Jason"
        date = "2019-06-05"
        hash1 = "9762444b94fa6cc5a25c79c487bbf97e007cb680118afeab0f5643d211fa3f78"
        author = "marcoramilli"
        malpedia_reference = ""
        malpedia_version = "20191029"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    strings:
        $s1 = "lSystem.Resources.ResourceReader, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.R" ascii
        $s2 = "D:\\Project\\Jason\\obj\\Release\\Jason.pdb" fullword ascii
        $s3 = "Jason.exe" fullword wide
        $s4 = "get_PasswordPattern" fullword ascii
        $s5 = "get_PasswordFile" fullword ascii
        $s6 = "get_pCurrentPassword" fullword ascii
        $s7 = "Microsoft.Exchange.WebServices.Data" fullword ascii
        $s8 = "Total Login Successful :" fullword wide
        $s9 = "Login Successful" fullword wide
        $s10 = "<PasswordPattern>k__BackingField" fullword ascii
        $s11 = "<pCurrentPassword>k__BackingField" fullword ascii
        $s12 = "Jason - Exchange Mail BF - v 7.0" fullword wide
        $s13 = "Please enter Password File" fullword wide
        $s14 = "get_UsernameStart" fullword ascii
        $s15 = "get_UserPassFile" fullword ascii
        $s16 = "get_pCurrentUsername" fullword ascii
        $s17 = "set_pCurrentPassword" fullword ascii
        $s18 = "set_PasswordFile" fullword ascii
        $s19 = "set_PasswordPattern" fullword ascii
        $s20 = "connection was closed" fullword wide
    condition:
        uint16(0) == 0x5a4d and filesize < 100KB and
        8 of them
}
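To make the string modifiers in the rule concrete: Jason is a .NET assembly, so its user-facing literals (the window title, "Login Successful" and so on) are stored as UTF-16LE and the rule marks them wide, while member names such as get_PasswordPattern and the PDB path are plain ASCII in the metadata tables. The script below is an added example, not from Malpedia or the rule's author. It re-implements just enough of YARA's matching (ascii versus wide encoding, an approximation of fullword, uint16(0), filesize and "8 of them") to evaluate the rule's logic against a constructed buffer, and shows that the same literals written as ASCII would not satisfy the wide strings. The buffer layout is invented for illustration and is not a real PE file.

```python
"""Hand-evaluate the string logic of win_jason_w0 against a constructed buffer.

Added example, not Malpedia's or the rule author's code. It re-implements a subset of
YARA semantics so a reader can see why the .NET user-string literals are declared
'wide' (UTF-16LE) while metadata names and the PDB path are plain ASCII. The fullword
check below approximates YARA's (it only inspects the adjacent ASCII-range byte).
"""
import re

# Strings from the rule, grouped by modifier ($s1 is omitted: its version number is elided on the page).
WIDE_STRINGS = [
    "Jason.exe", "Total Login Successful :", "Login Successful",
    "Jason - Exchange Mail BF - v 7.0", "Please enter Password File", "connection was closed",
]
ASCII_STRINGS = [
    "D:\\Project\\Jason\\obj\\Release\\Jason.pdb", "get_PasswordPattern", "get_PasswordFile",
    "get_pCurrentPassword", "Microsoft.Exchange.WebServices.Data",
    "<PasswordPattern>k__BackingField", "<pCurrentPassword>k__BackingField",
    "get_UsernameStart", "get_UserPassFile", "get_pCurrentUsername",
    "set_pCurrentPassword", "set_PasswordFile", "set_PasswordPattern",
]


def _is_word_byte(b):
    """YARA's fullword boundary: an alphanumeric character ends or starts a word."""
    return b < 128 and chr(b).isalnum()


def count_fullword(data, s, wide):
    """Count occurrences of s in data with the given encoding, honouring 'fullword'."""
    step = 2 if wide else 1                      # width of one character in the chosen encoding
    needle = s.encode("utf-16-le") if wide else s.encode("ascii")
    hits = 0
    for m in re.finditer(re.escape(needle), data):
        before = data[m.start() - step] if m.start() >= step else None
        after = data[m.end()] if m.end() < len(data) else None
        if before is not None and _is_word_byte(before):
            continue
        if after is not None and _is_word_byte(after):
            continue
        hits += 1
    return hits


def evaluate_rule(data, minimum=8):
    """Apply the rule's condition: MZ header, under 100KB, at least `minimum` strings matched."""
    matched = [s for s in ASCII_STRINGS if count_fullword(data, s, False)]
    matched += [s for s in WIDE_STRINGS if count_fullword(data, s, True)]
    is_mz = data[:2] == b"MZ"                    # uint16(0) == 0x5a4d, little-endian "MZ"
    size_ok = len(data) < 100 * 1024             # filesize < 100KB
    return {"is_mz": is_mz, "size_ok": size_ok, "matched": matched,
            "fires": is_mz and size_ok and len(matched) >= minimum}


def build_buffer(literals_as_utf16=True):
    """Constructed stand-in for a .NET PE: MZ header, ASCII metadata names, then the literals.

    With literals_as_utf16=False the literals are written as ASCII, which is how a
    non-.NET build (or a naive rule porting them as 'ascii') would look.
    """
    enc = "utf-16-le" if literals_as_utf16 else "ascii"
    out = b"MZ" + b"\x00" * 62
    out += b"\x00".join(s.encode("ascii") for s in ASCII_STRINGS[:5]) + b"\x00" * 4
    out += b"\x00\x00".join(s.encode(enc) for s in WIDE_STRINGS) + b"\x00\x00"
    return out


if __name__ == "__main__":
    for as_utf16 in (True, False):
        r = evaluate_rule(build_buffer(as_utf16))
        print("utf16 literals" if as_utf16 else "ascii literals", len(r["matched"]), r["fires"])
```

Against a real sample, run the rule itself (for example `yara -s win_jason_w0.yar sample.exe` to print the matching strings); the script only illustrates why five ASCII metadata names plus six UTF-16 literals clear the "8 of them" bar while the same literals stored as ASCII leave the rule short.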