
JessieConTea

Actor(s): Lazarus Group


JessieConTea is a remote access trojan that uses HTTP(S) for communication. It supports around 30 commands that include operations on the victim’s filesystem, basic process management, file exfiltration (both plain and zipped), and the download and execution of additional tools from the attacker’s arsenal. The commands are indexed by 32-bit integers, starting with the value 0x60D49D97.

The malware was delivered in the wild via trojanized applications such as DeFi Wallet or Citrix Workspace.

JessieConTea generates POST parameters with a specific parameter name, jsessid, from which the first part of its name is derived. It also contains a specific RTTI symbol, ".?AVCHttpConn@@", which inspired the second part of the name. It uses RC4 to encrypt its C&C traffic.

References
2023-10-13 | AhnLab | ASEC Analysis Team
Analysis Report on Lazarus Threat Group’s Volgmer and Scout Malware
JessieConTea Scout Volgmer
2022-03-31 | Kaspersky | GReAT
Lazarus Trojanized DeFi app for delivering malware
JessieConTea LCPDot
2021-04-01 | AhnLab | ASEC Analysis Team
ASEC REPORT VOL.102 Q1 2021
ComeBacker JessieConTea LCPDot
2019-01-30 | Cisco Talos | Edmund Brumaghin, Jungsoo An, Paul Rascagnères
Fake Cisco Job Posting Targets Korean Candidates
CoreDN JessieConTea
Yara Rules
[TLP:WHITE] win_jessiecontea_auto (20260504 | Detects win.jessiecontea.)
rule win_jessiecontea_auto {
    // Autogenerated code-pattern signature for the JessieConTea RAT (attributed
    // to Lazarus Group on the page above).
    // $sequence_0..7 are 32-bit (x86) byte patterns, $sequence_8..15 are
    // 64-bit (x86-64) byte patterns. "n" is the number of instructions in the
    // sequence and "score" is yara-signator's weight for it; both are
    // informational only -- the condition counts matching sequences, not scores.
    // "??" bytes are wildcards over build-dependent operands: call targets
    // (e8 rel32, ff15 [abs]), pushed immediates (68 imm32) and a RIP-relative
    // load (488b0d disp32). Every other byte must match exactly.
    // NOTE(review): the per-instruction annotations that yara-signator emitted
    // for the 64-bit sequences were mismatched against their own bytes (for
    // example the text "mov dword ptr [esp + 0x50], 0x60d49d95" sat under
    // $sequence_9 while the bytes c7442450959dd460 belong to $sequence_14).
    // The 64-bit annotations below were re-derived from the bytes; the bytes,
    // not the annotations, are what YARA matches.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.jessiecontea."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jessiecontea"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // ---- 32-bit (x86) sequences, score 300 ----
        $sequence_0 = { 6a00 50 e8???????? 83c424 56 6a00 6810040000 }
            // n = 7, score = 300
            //   6a00                 | push                0
            //   50                   | push                eax
            //   e8????????           |                     (call rel32, target wildcarded)
            //   83c424               | add                 esp, 0x24
            //   56                   | push                esi
            //   6a00                 | push                0
            //   6810040000           | push                0x410

        $sequence_1 = { bb01000000 57 8bfa 898d84fbffff 57 }
            // n = 5, score = 300
            //   bb01000000           | mov                 ebx, 1
            //   57                   | push                edi
            //   8bfa                 | mov                 edi, edx
            //   898d84fbffff         | mov                 dword ptr [ebp - 0x47c], ecx
            //   57                   | push                edi

        $sequence_2 = { 57 89bd8cfbffff 898590fbffff ffd6 }
            // n = 4, score = 300
            //   57                   | push                edi
            //   89bd8cfbffff         | mov                 dword ptr [ebp - 0x474], edi
            //   898590fbffff         | mov                 dword ptr [ebp - 0x470], eax
            //   ffd6                 | call                esi

        $sequence_3 = { 50 ff15???????? 8d85d8fbffff 8bd7 }
            // n = 4, score = 300
            //   50                   | push                eax
            //   ff15????????         |                     (call dword ptr [abs], address wildcarded)
            //   8d85d8fbffff         | lea                 eax, [ebp - 0x428]
            //   8bd7                 | mov                 edx, edi

        $sequence_4 = { b900010000 8db5f8f3ffff 8dbdf8fbffff f3a5 }
            // n = 4, score = 300
            //   b900010000           | mov                 ecx, 0x100
            //   8db5f8f3ffff         | lea                 esi, [ebp - 0xc08]
            //   8dbdf8fbffff         | lea                 edi, [ebp - 0x408]
            //   f3a5                 | rep movsd           dword ptr es:[edi], dword ptr [esi]
            //   (0x100 dwords = 0x400 bytes copied between two stack buffers)

        $sequence_5 = { 83c420 85c0 0f843effffff 68???????? }
            // n = 4, score = 300
            //   83c420               | add                 esp, 0x20
            //   85c0                 | test                eax, eax
            //   0f843effffff         | je                  0xffffff44
            //   68????????           |                     (push imm32, value wildcarded)

        $sequence_6 = { 83c261 668956fe 66833e00 75e8 }
            // n = 4, score = 300
            //   83c261               | add                 edx, 0x61
            //   668956fe             | mov                 word ptr [esi - 2], dx
            //   66833e00             | cmp                 word ptr [esi], 0
            //   75e8                 | jne                 0xffffffea
            //   (loop over a NUL-terminated wide string, adding 0x61 to each unit)

        $sequence_7 = { 50 e8???????? 83c40c 8d85f8fbffff 50 6804010000 }
            // n = 6, score = 300
            //   50                   | push                eax
            //   e8????????           |                     (call rel32, target wildcarded)
            //   83c40c               | add                 esp, 0xc
            //   8d85f8fbffff         | lea                 eax, [ebp - 0x408]
            //   50                   | push                eax
            //   6804010000           | push                0x104

        // ---- 64-bit (x86-64) sequences, score 100 ----
        $sequence_8 = { 488b4de8 ff15???????? 488b4de0 33d2 ff15???????? }
            // n = 5, score = 100
            //   488b4de8             | mov                 rcx, qword ptr [rbp - 0x18]
            //   ff15????????         |                     (call qword ptr [rip + disp32], wildcarded)
            //   488b4de0             | mov                 rcx, qword ptr [rbp - 0x20]
            //   33d2                 | xor                 edx, edx
            //   ff15????????         |                     (call qword ptr [rip + disp32], wildcarded)

        $sequence_9 = { 6690 8d4701 4c8d0c40 8bc7 }
            // n = 4, score = 100
            //   6690                 | nop                 (xchg ax, ax)
            //   8d4701               | lea                 eax, [rdi + 1]
            //   4c8d0c40             | lea                 r9, [rax + rax*2]
            //   8bc7                 | mov                 eax, edi

        $sequence_10 = { 4533c9 4533c0 c744242003000000 ba00000040 ff15???????? 4533c9 }
            // n = 6, score = 100
            //   4533c9               | xor                 r9d, r9d
            //   4533c0               | xor                 r8d, r8d
            //   c744242003000000     | mov                 dword ptr [rsp + 0x20], 3
            //   ba00000040           | mov                 edx, 0x40000000
            //   ff15????????         |                     (call qword ptr [rip + disp32], wildcarded)
            //   4533c9               | xor                 r9d, r9d
            //   (Win64 calling convention: r9/r8 zeroed, 5th argument spilled to
            //   [rsp + 0x20]; which API is called is wildcarded, so do not infer it)

        $sequence_11 = { 0f284c2460 0f114020 0f28442470 0f114830 }
            // n = 4, score = 100
            //   0f284c2460           | movaps              xmm1, xmmword ptr [rsp + 0x60]
            //   0f114020             | movups              xmmword ptr [rax + 0x20], xmm0
            //   0f28442470           | movaps              xmm0, xmmword ptr [rsp + 0x70]
            //   0f114830             | movups              xmmword ptr [rax + 0x30], xmm1
            //   (16-byte block copy from stack to a heap/struct pointer in rax)

        $sequence_12 = { 4881c4a0120000 5f 5e 5d c3 }
            // n = 5, score = 100
            //   4881c4a0120000       | add                 rsp, 0x12a0
            //   5f                   | pop                 rdi
            //   5e                   | pop                 rsi
            //   5d                   | pop                 rbp
            //   c3                   | ret
            //   (function epilogue with a 0x12a0-byte frame)

        $sequence_13 = { ff15???????? 488b0d???????? 4c8d442440 41b904000000 c744244020bf0200 }
            // n = 5, score = 100
            //   ff15????????         |                     (call qword ptr [rip + disp32], wildcarded)
            //   488b0d????????       |                     (mov rcx, qword ptr [rip + disp32], wildcarded)
            //   4c8d442440           | lea                 r8, [rsp + 0x40]
            //   41b904000000         | mov                 r9d, 4
            //   c744244020bf0200     | mov                 dword ptr [rsp + 0x40], 0x2bf20

        $sequence_14 = { 4c89bc24d0120000 448b7c2470 c744242004000000 c7442450959dd460 f20f1145e0 }
            // n = 5, score = 100
            //   4c89bc24d0120000     | mov                 qword ptr [rsp + 0x12d0], r15
            //   448b7c2470           | mov                 r15d, dword ptr [rsp + 0x70]
            //   c744242004000000     | mov                 dword ptr [rsp + 0x20], 4
            //   c7442450959dd460     | mov                 dword ptr [rsp + 0x50], 0x60d49d95
            //   f20f1145e0           | movsd               qword ptr [rbp - 0x20], xmm0
            //   (0x60d49d95 is two below the 0x60D49D97 command-index base named in
            //   the family description; whether it is the same table is unconfirmed)

        $sequence_15 = { 488d82f9ffff7f 4885c0 7417 410fb70408 }
            // n = 4, score = 100
            //   488d82f9ffff7f       | lea                 rax, [rdx + 0x7ffffff9]
            //   4885c0               | test                rax, rax
            //   7417                 | je                  0x19
            //   410fb70408           | movzx               eax, word ptr [r8 + rcx]

    condition:
        // Any 7 of the 16 sequences. With 8 x86 and 8 x64 patterns, a sample of
        // either bitness can satisfy this on its own (7 of 8), so a single
        // missing sequence still matches; two missing do not.
        // 413696 bytes = 404 KiB. Larger files never match regardless of how many
        // sequences are present; the cap follows the generation samples (see the
        // DISCLAIMER above), so size-adjacent misses deserve a manual look.
        7 of them and filesize < 413696
}