win.jssloader

JSSLoader

Actor(s): Anunak


There is no description at this point.

References
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker
2022-04-25MorphisecMorphisec Labs
@online{labs:20220425:new:7b1c795, author = {Morphisec Labs}, title = {{New Core Impact Backdoor Delivered Via VMware Vulnerability}}, date = {2022-04-25}, organization = {Morphisec}, url = {https://blog.morphisec.com/vmware-identity-manager-attack-backdoor}, language = {English}, urldate = {2022-04-29} } New Core Impact Backdoor Delivered Via VMware Vulnerability
Cobalt Strike JSSLoader
2022-04-04MandiantBryce Abdo, Zander Work, Ioana Teaca, Brendan McKeague
@online{abdo:20220404:fin7:305d62b, author = {Bryce Abdo and Zander Work and Ioana Teaca and Brendan McKeague}, title = {{FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7}}, date = {2022-04-04}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/evolution-of-fin7}, language = {English}, urldate = {2022-04-06} } FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
Griffon POWERPLANT POWERTRASH BOATLAUNCH Cobalt Strike JSSLoader
2022-03-24Bleeping ComputerBill Toulas
@online{toulas:20220324:malicious:560c659, author = {Bill Toulas}, title = {{Malicious Microsoft Excel add-ins used to deliver RAT malware}}, date = {2022-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/malicious-microsoft-excel-add-ins-used-to-deliver-rat-malware/}, language = {English}, urldate = {2022-03-25} } Malicious Microsoft Excel add-ins used to deliver RAT malware
JSSLoader
2022-03-23MorphisecHido Cohen
@online{cohen:20220323:new:7356088, author = {Hido Cohen}, title = {{New JSSLoader Trojan Delivered Through XLL Files}}, date = {2022-03-23}, organization = {Morphisec}, url = {https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files}, language = {English}, urldate = {2022-03-25} } New JSSLoader Trojan Delivered Through XLL Files
JSSLoader
2022-03-08SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20220308:excel:0f4e5c9, author = {Counter Threat Unit ResearchTeam}, title = {{Excel Add-ins Deliver JSSLoader Malware}}, date = {2022-03-08}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/excel-add-ins-deliver-jssloader-malware}, language = {English}, urldate = {2022-03-22} } Excel Add-ins Deliver JSSLoader Malware
JSSLoader
2021-11-11splunkSplunk Threat Research Team
@online{team:20211111:fin7:cd0d233, author = {Splunk Threat Research Team}, title = {{FIN7 Tools Resurface in the Field – Splinter or Copycat?}}, date = {2021-11-11}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html}, language = {English}, urldate = {2021-11-12} } FIN7 Tools Resurface in the Field – Splinter or Copycat?
JSSLoader Remcos
2021-11-04CrowdStrikeEric Loui, Josh Reynolds
@online{loui:20211104:carbon:e3ef021, author = {Eric Loui and Josh Reynolds}, title = {{CARBON SPIDER Embraces Big Game Hunting, Part 2}}, date = {2021-11-04}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/}, language = {English}, urldate = {2021-11-08} } CARBON SPIDER Embraces Big Game Hunting, Part 2
BlackMatter Griffon BlackMatter DarkSide HiddenTear JSSLoader
2021-08-30CrowdStrikeEric Loui, Josh Reynolds
@online{loui:20210830:carbon:66be3f3, author = {Eric Loui and Josh Reynolds}, title = {{CARBON SPIDER Embraces Big Game Hunting, Part 1}}, date = {2021-08-30}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/}, language = {English}, urldate = {2021-08-31} } CARBON SPIDER Embraces Big Game Hunting, Part 1
Bateleur Griffon Carbanak DarkSide JSSLoader PILLOWMINT REvil
2021-06-24ProofpointDennis Schwarz, Matthew Mesa, Crista Giering
@online{schwarz:20210624:jssloader:ab99f14, author = {Dennis Schwarz and Matthew Mesa and Crista Giering}, title = {{JSSLoader: Recoded and Reloaded}}, date = {2021-06-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded}, language = {English}, urldate = {2021-06-25} } JSSLoader: Recoded and Reloaded
JSSLoader
2021-01-04MorphisecArnold Osipov
@techreport{osipov:20210104:threat:b875307, author = {Arnold Osipov}, title = {{Threat Profile the Evolution of the FIN7 JSSLoader}}, date = {2021-01-04}, institution = {Morphisec}, url = {https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/FIN7%20JSSLOADER%20FINAL%20WEB.pdf}, language = {English}, urldate = {2021-01-05} } Threat Profile the Evolution of the FIN7 JSSLoader
JSSLoader
Yara Rules
[TLP:WHITE] win_jssloader_auto (20220411 | Detects win.jssloader.)
// Auto-generated code-sequence signature for win.jssloader (yara-signator v0.6.0, see meta).
// Matches on 7 of the 10 x86 byte sequences below plus a file-size bound; it is a
// code-level signature of a specific unpacked sample set, not a family-wide description.
rule win_jssloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.jssloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        // Generator feature set used to pick the sequences; the exact meaning of
        // each token is defined by yara-signator, not documented here.
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jssloader"
        malpedia_rule_date = "20220405"
        // NOTE(review): presumably identifies the Malpedia corpus revision the rule was
        // generated from — confirm against Malpedia before using it for anything else.
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // Practical consequences of the generation method above:
    //  - the sequences come from unpacked/in-memory code, so packed or otherwise
    //    encoded samples on disk are unlikely to expose them; scan unpacked
    //    payloads or memory dumps for best coverage.
    //  - "????????" groups in the hex strings are YARA wildcards; they stand for the
    //    4-byte operands that yara-signator blanks out (the disassembly column is
    //    empty for those instructions) — these look like call/jump targets and
    //    absolute addresses that differ between builds and load addresses.
    //  - "n" in each sequence comment is the instruction count of that sequence;
    //    "score" is yara-signator's ranking value for it (semantics not given here).

    strings:
        $sequence_0 = { 0f10856cfdffff c7401000000000 c6856cfdffff00 0f1100 c78594fdffff00000000 }
            // n = 5, score = 200
            //   0f10856cfdffff       | movups              xmm0, xmmword ptr [ebp - 0x294]
            //   c7401000000000       | mov                 dword ptr [eax + 0x10], 0
            //   c6856cfdffff00       | mov                 byte ptr [ebp - 0x294], 0
            //   0f1100               | movups              xmmword ptr [eax], xmm0
            //   c78594fdffff00000000     | mov    dword ptr [ebp - 0x26c], 0

        $sequence_1 = { 0f8768060000 e9???????? e8???????? 8bc8 c645fc07 8b7114 8bc6 }
            // n = 7, score = 200
            //   0f8768060000         | ja                  0x66e
            //   e9????????           |                     
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   c645fc07             | mov                 byte ptr [ebp - 4], 7
            //   8b7114               | mov                 esi, dword ptr [ecx + 0x14]
            //   8bc6                 | mov                 eax, esi

        $sequence_2 = { 660f289820a84300 660f2835???????? 660f59cf 660f58d1 }
            // n = 4, score = 200
            //   660f289820a84300     | movapd              xmm3, xmmword ptr [eax + 0x43a820]
            //   660f2835????????     |                     
            //   660f59cf             | mulpd               xmm1, xmm7
            //   660f58d1             | addpd               xmm2, xmm1

        $sequence_3 = { 68???????? 6a00 c785f0feffff00000000 c785f4feffff0f000000 c685e0feffff00 ff15???????? 8d4b04 }
            // n = 7, score = 200
            //   68????????           |                     
            //   6a00                 | push                0
            //   c785f0feffff00000000     | mov    dword ptr [ebp - 0x110], 0
            //   c785f4feffff0f000000     | mov    dword ptr [ebp - 0x10c], 0xf
            //   c685e0feffff00       | mov                 byte ptr [ebp - 0x120], 0
            //   ff15????????         |                     
            //   8d4b04               | lea                 ecx, dword ptr [ebx + 4]

        $sequence_4 = { 51 e8???????? 83c408 8b85bcfeffff c745ac00000000 c745b00f000000 c6459c00 }
            // n = 7, score = 200
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b85bcfeffff         | mov                 eax, dword ptr [ebp - 0x144]
            //   c745ac00000000       | mov                 dword ptr [ebp - 0x54], 0
            //   c745b00f000000       | mov                 dword ptr [ebp - 0x50], 0xf
            //   c6459c00             | mov                 byte ptr [ebp - 0x64], 0

        $sequence_5 = { 8d4dc0 e8???????? 8b5dd0 c645fc03 8d55c0 837dd410 8d8de8feffff }
            // n = 7, score = 200
            //   8d4dc0               | lea                 ecx, dword ptr [ebp - 0x40]
            //   e8????????           |                     
            //   8b5dd0               | mov                 ebx, dword ptr [ebp - 0x30]
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   8d55c0               | lea                 edx, dword ptr [ebp - 0x40]
            //   837dd410             | cmp                 dword ptr [ebp - 0x2c], 0x10
            //   8d8de8feffff         | lea                 ecx, dword ptr [ebp - 0x118]

        $sequence_6 = { 83f81f 0f872b010000 52 51 e8???????? 83c408 837e1410 }
            // n = 7, score = 200
            //   83f81f               | cmp                 eax, 0x1f
            //   0f872b010000         | ja                  0x131
            //   52                   | push                edx
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   837e1410             | cmp                 dword ptr [esi + 0x14], 0x10

        // NOTE: $sequence_2, $sequence_7 and $sequence_9 embed absolute addresses
        // (0x43a820, 0x441d70, 0x441a58) that were NOT wildcarded; they tie the
        // rule to the image base/layout of the sample set it was generated from.
        $sequence_7 = { c1fa06 8bce 83e13f 6bc938 8b0495701d4400 c644082801 8b0495701d4400 }
            // n = 7, score = 200
            //   c1fa06               | sar                 edx, 6
            //   8bce                 | mov                 ecx, esi
            //   83e13f               | and                 ecx, 0x3f
            //   6bc938               | imul                ecx, ecx, 0x38
            //   8b0495701d4400       | mov                 eax, dword ptr [edx*4 + 0x441d70]
            //   c644082801           | mov                 byte ptr [eax + ecx + 0x28], 1
            //   8b0495701d4400       | mov                 eax, dword ptr [edx*4 + 0x441d70]

        $sequence_8 = { 03f0 56 e8???????? 8b8534ffffff 83c40c 8b8d54feffff }
            // n = 6, score = 200
            //   03f0                 | add                 esi, eax
            //   56                   | push                esi
            //   e8????????           |                     
            //   8b8534ffffff         | mov                 eax, dword ptr [ebp - 0xcc]
            //   83c40c               | add                 esp, 0xc
            //   8b8d54feffff         | mov                 ecx, dword ptr [ebp - 0x1ac]

        $sequence_9 = { 57 8b7d08 eb6f 8b07 8d1c85581a4400 8b33 85f6 }
            // n = 7, score = 200
            //   57                   | push                edi
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   eb6f                 | jmp                 0x71
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   8d1c85581a4400       | lea                 ebx, dword ptr [eax*4 + 0x441a58]
            //   8b33                 | mov                 esi, dword ptr [ebx]
            //   85f6                 | test                esi, esi

    condition:
        // "them" covers all ten $sequence_* strings; at least 7 must be present.
        // 581632 bytes = 568 KiB. filesize is the size of the scanned object, so this
        // bound is meaningful for on-disk files; for process-memory scans check how
        // the YARA version in use treats filesize before relying on this rule there.
        7 of them and filesize < 581632
}