win.jlorat

JLORAT


No description is available for this family yet. The only reference listed below (Kaspersky, 2023) is the public reporting that mentions JLORAT; the YARA rule further down was auto-generated from sample code and is not derived from that report.

References
2023-04-24Kaspersky LabsPierre Delcher, Ivan Kwiatkowski
@online{delcher:20230424:tomiris:2d65352, author = {Pierre Delcher and Ivan Kwiatkowski}, title = {{Tomiris called, they want their Turla malware back}}, date = {2023-04-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/tomiris-called-they-want-their-turla-malware-back/109552/}, language = {English}, urldate = {2023-04-26} } Tomiris called, they want their Turla malware back
Families referenced in this report: KopiLuwak Andromeda Ave Maria GoldMax JLORAT Kazuar Meterpreter QUIETCANARY RATel Roopy Telemiris tomiris Topinambour
Yara Rules
[TLP:WHITE] win_jlorat_auto (Malpedia rule-set version 20230715 | Detects win.jlorat.)
/*
 * Auto-generated code-sequence signature for the JLORAT family (Malpedia id win.jlorat).
 *
 * The ten $sequence_* strings are raw x86 opcode runs lifted by YARA-Signator from
 * unpacked files / memory dumps (see the DISCLAIMER below).  "??" bytes mask operands
 * that vary between builds - call/jump targets and data references, per the
 * signator_config in meta.  Every sequence uses 32-bit addressing (esp/ebp-relative
 * operands, an fs:[0] write in $sequence_1), so the rule targets 32-bit x86 code and
 * should not be expected to match a 64-bit build.
 *
 * The rule has no PE-header / magic check: it is meant to be run against unpacked
 * payloads and memory dumps, and will not hit a still-packed dropper on disk.
 */
rule win_jlorat_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.jlorat."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Feature classes the generator masked/considered when picking sequences.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jlorat"
        // Malpedia revision identifiers for the rule and the release it shipped in;
        // these need not equal `date` above (rule 20230705, rule-set release 20230715).
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // Each string is one fixed run of instruction bytes.  The disassembly listed
        // beside each byte group is informational only and is not evaluated by YARA.
        // Groups with an empty disassembly column are the wildcarded instructions
        // (e.g. "e8????????": a relative call whose 4-byte target has been masked).
        // "n" is the number of instructions in the sequence (7 for every string here);
        // "score" is presumably the generator's distinctiveness ranking - see the
        // yara-signator documentation before relying on it.
        $sequence_0 = { e8???????? 660f6f8424f0030000 0f298424d0010000 0f28842450020000 0f288c24d0010000 0f289424c0010000 660f7f942410040000 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   660f6f8424f0030000     | movdqa    xmm0, xmmword ptr [esp + 0x3f0]
            //   0f298424d0010000     | movaps              xmmword ptr [esp + 0x1d0], xmm0
            //   0f28842450020000     | movaps              xmm0, xmmword ptr [esp + 0x250]
            //   0f288c24d0010000     | movaps              xmm1, xmmword ptr [esp + 0x1d0]
            //   0f289424c0010000     | movaps              xmm2, xmmword ptr [esp + 0x1c0]
            //   660f7f942410040000     | movdqa    xmmword ptr [esp + 0x410], xmm2

        // Function epilogue: the fs:[0] store after reloading ecx from the frame looks
        // like an SEH-frame unlink (verify in the sample), followed by stack cleanup.
        $sequence_1 = { f20f1101 8b4de8 64890d00000000 83c474 5e 5f 5b }
            // n = 7, score = 200
            //   f20f1101             | movsd               qword ptr [ecx], xmm0
            //   8b4de8               | mov                 ecx, dword ptr [ebp - 0x18]
            //   64890d00000000       | mov                 dword ptr fs:[0], ecx
            //   83c474               | add                 esp, 0x74
            //   5e                   | pop                 esi
            //   5f                   | pop                 edi
            //   5b                   | pop                 ebx

        $sequence_2 = { e8???????? 89442440 8b442440 83c008 89442430 c744244400000000 8b4c2444 }
            // n = 7, score = 200
            //   e8????????           |                     
            //   89442440             | mov                 dword ptr [esp + 0x40], eax
            //   8b442440             | mov                 eax, dword ptr [esp + 0x40]
            //   83c008               | add                 eax, 8
            //   89442430             | mov                 dword ptr [esp + 0x30], eax
            //   c744244400000000     | mov                 dword ptr [esp + 0x44], 0
            //   8b4c2444             | mov                 ecx, dword ptr [esp + 0x44]

        // The immediate operands of the first and third moves are masked (data refs);
        // the "ud2" after the call marks a non-returning path.
        $sequence_3 = { c74008???????? c7400421000000 c700???????? e8???????? 0f0b 8b4c2438 8b44245c }
            // n = 7, score = 200
            //   c74008????????       |                     
            //   c7400421000000       | mov                 dword ptr [eax + 4], 0x21
            //   c700????????         |                     
            //   e8????????           |                     
            //   0f0b                 | ud2                 
            //   8b4c2438             | mov                 ecx, dword ptr [esp + 0x38]
            //   8b44245c             | mov                 eax, dword ptr [esp + 0x5c]

        $sequence_4 = { e8???????? eb21 c745f008000000 89e0 8d8d60ffffff 894804 8d8d74ffffff }
            // n = 7, score = 200
            //   e8????????           |                     
            //   eb21                 | jmp                 0x23
            //   c745f008000000       | mov                 dword ptr [ebp - 0x10], 8
            //   89e0                 | mov                 eax, esp
            //   8d8d60ffffff         | lea                 ecx, [ebp - 0xa0]
            //   894804               | mov                 dword ptr [eax + 4], ecx
            //   8d8d74ffffff         | lea                 ecx, [ebp - 0x8c]

        // Short relative jumps (eb xx / 73 xx) are kept literally, so this sequence is
        // sensitive to any change in the surrounding code layout.
        $sequence_5 = { eb80 8b2c24 83fb0a 83df00 733f 8b54242c 8b742404 }
            // n = 7, score = 200
            //   eb80                 | jmp                 0xffffff82
            //   8b2c24               | mov                 ebp, dword ptr [esp]
            //   83fb0a               | cmp                 ebx, 0xa
            //   83df00               | sbb                 edi, 0
            //   733f                 | jae                 0x41
            //   8b54242c             | mov                 edx, dword ptr [esp + 0x2c]
            //   8b742404             | mov                 esi, dword ptr [esp + 4]

        $sequence_6 = { eb00 8b45b4 8b4db8 c645e201 894dc4 c645e101 8945c8 }
            // n = 7, score = 200
            //   eb00                 | jmp                 2
            //   8b45b4               | mov                 eax, dword ptr [ebp - 0x4c]
            //   8b4db8               | mov                 ecx, dword ptr [ebp - 0x48]
            //   c645e201             | mov                 byte ptr [ebp - 0x1e], 1
            //   894dc4               | mov                 dword ptr [ebp - 0x3c], ecx
            //   c645e101             | mov                 byte ptr [ebp - 0x1f], 1
            //   8945c8               | mov                 dword ptr [ebp - 0x38], eax

        // Fully concrete sequence (no wildcards): a mul followed by carry capture via
        // setb/or - the most build-stable of the ten.
        $sequence_7 = { f7e1 89c1 8a842417010000 01f2 89942418010000 0f92c4 08e0 }
            // n = 7, score = 200
            //   f7e1                 | mul                 ecx
            //   89c1                 | mov                 ecx, eax
            //   8a842417010000       | mov                 al, byte ptr [esp + 0x117]
            //   01f2                 | add                 edx, esi
            //   89942418010000       | mov                 dword ptr [esp + 0x118], edx
            //   0f92c4               | setb                ah
            //   08e0                 | or                  al, ah

        $sequence_8 = { eb00 f645d901 0f854e030000 e9???????? 8a8583feffff a801 7553 }
            // n = 7, score = 200
            //   eb00                 | jmp                 2
            //   f645d901             | test                byte ptr [ebp - 0x27], 1
            //   0f854e030000         | jne                 0x354
            //   e9????????           |                     
            //   8a8583feffff         | mov                 al, byte ptr [ebp - 0x17d]
            //   a801                 | test                al, 1
            //   7553                 | jne                 0x55

        // Large fixed structure offsets off esi (0x3a0..0xc04) - only matches this
        // exact object layout, so expect it to drop out first on a recompiled build.
        $sequence_9 = { 8b8ea0030000 8b86a4030000 898e000c0000 8986040c0000 8b86840a0000 89465c 8b86000c0000 }
            // n = 7, score = 200
            //   8b8ea0030000         | mov                 ecx, dword ptr [esi + 0x3a0]
            //   8b86a4030000         | mov                 eax, dword ptr [esi + 0x3a4]
            //   898e000c0000         | mov                 dword ptr [esi + 0xc00], ecx
            //   8986040c0000         | mov                 dword ptr [esi + 0xc04], eax
            //   8b86840a0000         | mov                 eax, dword ptr [esi + 0xa84]
            //   89465c               | mov                 dword ptr [esi + 0x5c], eax
            //   8b86000c0000         | mov                 eax, dword ptr [esi + 0xc00]

    condition:
        // At least 7 of the 10 sequences must be present, i.e. up to three may be
        // missing or altered (recompilation, compiler flags) and the rule still fires.
        // Because the sequences may come from a single sample (see DISCLAIMER), treat
        // a hit as an indicator to corroborate, not as family attribution on its own.
        // The filesize bound (~10.4 MiB) excludes oversized inputs; NOTE(review):
        // confirm how your engine evaluates `filesize` on process/memory scans, where
        // it may not be defined and would cause the condition to fail.
        7 of them and filesize < 10952704
}