SYMBOLCOMMON_NAMEaka. SYNONYMS
win.jssloader (Back to overview)

JSSLoader

Actor(s): Anunak

There is no description at this point.

References
2022-08-15MalwarebytesThreat Intelligence Team
@online{team:20220815:threat:791daf7, author = {Threat Intelligence Team}, title = {{Threat Intelligence - JSSLoader: the shellcode edition}}, date = {2022-08-15}, organization = {Malwarebytes}, url = {https://malwarebytes.app.box.com/s/ym6r7o5hq0rx2nxjbctfv2sw5vx386ni}, language = {English}, urldate = {2022-08-19} } Threat Intelligence - JSSLoader: the shellcode edition
JSSLoader
2022-08-15MalwarebytesThreat Intelligence Team
@online{team:20220815:jssloader:8dde76b, author = {Threat Intelligence Team}, title = {{JSSLoader: the shellcode edition}}, date = {2022-08-15}, organization = {Malwarebytes}, url = {https://www.malwarebytes.com/blog/threat-intelligence/2022/08/jssloader-the-shellcode-edition}, language = {English}, urldate = {2022-08-19} } JSSLoader: the shellcode edition
JSSLoader
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-04-25MorphisecMorphisec Labs
@online{labs:20220425:new:7b1c795, author = {Morphisec Labs}, title = {{New Core Impact Backdoor Delivered Via VMware Vulnerability}}, date = {2022-04-25}, organization = {Morphisec}, url = {https://blog.morphisec.com/vmware-identity-manager-attack-backdoor}, language = {English}, urldate = {2022-04-29} } New Core Impact Backdoor Delivered Via VMware Vulnerability
Cobalt Strike JSSLoader
2022-04-04MandiantBryce Abdo, Zander Work, Ioana Teaca, Brendan McKeague
@online{abdo:20220404:fin7:305d62b, author = {Bryce Abdo and Zander Work and Ioana Teaca and Brendan McKeague}, title = {{FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7}}, date = {2022-04-04}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/evolution-of-fin7}, language = {English}, urldate = {2022-06-27} } FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
Griffon BABYMETAL Carbanak Cobalt Strike JSSLoader Termite
2022-03-24Bleeping ComputerBill Toulas
@online{toulas:20220324:malicious:560c659, author = {Bill Toulas}, title = {{Malicious Microsoft Excel add-ins used to deliver RAT malware}}, date = {2022-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/malicious-microsoft-excel-add-ins-used-to-deliver-rat-malware/}, language = {English}, urldate = {2022-03-25} } Malicious Microsoft Excel add-ins used to deliver RAT malware
JSSLoader
2022-03-23MorphisecHido Cohen
@online{cohen:20220323:new:7356088, author = {Hido Cohen}, title = {{New JSSLoader Trojan Delivered Through XLL Files}}, date = {2022-03-23}, organization = {Morphisec}, url = {https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files}, language = {English}, urldate = {2022-03-25} } New JSSLoader Trojan Delivered Through XLL Files
JSSLoader
2022-03-08SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20220308:excel:0f4e5c9, author = {Counter Threat Unit ResearchTeam}, title = {{Excel Add-ins Deliver JSSLoader Malware}}, date = {2022-03-08}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/excel-add-ins-deliver-jssloader-malware}, language = {English}, urldate = {2022-03-22} } Excel Add-ins Deliver JSSLoader Malware
JSSLoader
2021-11-11splunkSplunk Threat Research Team
@online{team:20211111:fin7:cd0d233, author = {Splunk Threat Research Team}, title = {{FIN7 Tools Resurface in the Field – Splinter or Copycat?}}, date = {2021-11-11}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html}, language = {English}, urldate = {2021-11-12} } FIN7 Tools Resurface in the Field – Splinter or Copycat?
JSSLoader Remcos
2021-11-04CrowdStrikeEric Loui, Josh Reynolds
@online{loui:20211104:carbon:e3ef021, author = {Eric Loui and Josh Reynolds}, title = {{CARBON SPIDER Embraces Big Game Hunting, Part 2}}, date = {2021-11-04}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/}, language = {English}, urldate = {2021-11-08} } CARBON SPIDER Embraces Big Game Hunting, Part 2
BlackMatter Griffon BlackMatter DarkSide HiddenTear JSSLoader
2021-08-30CrowdStrikeEric Loui, Josh Reynolds
@online{loui:20210830:carbon:66be3f3, author = {Eric Loui and Josh Reynolds}, title = {{CARBON SPIDER Embraces Big Game Hunting, Part 1}}, date = {2021-08-30}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/}, language = {English}, urldate = {2021-08-31} } CARBON SPIDER Embraces Big Game Hunting, Part 1
Bateleur Griffon Carbanak DarkSide JSSLoader PILLOWMINT REvil
2021-06-24ProofpointDennis Schwarz, Matthew Mesa, Crista Giering
@online{schwarz:20210624:jssloader:ab99f14, author = {Dennis Schwarz and Matthew Mesa and Crista Giering}, title = {{JSSLoader: Recoded and Reloaded}}, date = {2021-06-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded}, language = {English}, urldate = {2021-06-25} } JSSLoader: Recoded and Reloaded
JSSLoader
2021-01-04MorphisecArnold Osipov
@techreport{osipov:20210104:threat:b875307, author = {Arnold Osipov}, title = {{Threat Profile the Evolution of the FIN7 JSSLoader}}, date = {2021-01-04}, institution = {Morphisec}, url = {https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/FIN7%20JSSLOADER%20FINAL%20WEB.pdf}, language = {English}, urldate = {2021-01-05} } Threat Profile the Evolution of the FIN7 JSSLoader
JSSLoader
Yara Rules
[TLP:WHITE] win_jssloader_auto (20230125 | Detects win.jssloader.)
rule win_jssloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.jssloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jssloader"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { c78564ffffff00000000 c68568ffffff00 e8???????? 8d859cfeffff }
            // n = 4, score = 200
            //   c78564ffffff00000000     | mov    dword ptr [ebp - 0x9c], 0
            //   c68568ffffff00       | mov                 byte ptr [ebp - 0x98], 0
            //   e8????????           |                     
            //   8d859cfeffff         | lea                 eax, [ebp - 0x164]

        $sequence_1 = { 50 8b45e0 8b08 e8???????? 84c0 c645fc00 8b55cc }
            // n = 7, score = 200
            //   50                   | push                eax
            //   8b45e0               | mov                 eax, dword ptr [ebp - 0x20]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   c645fc00             | mov                 byte ptr [ebp - 4], 0
            //   8b55cc               | mov                 edx, dword ptr [ebp - 0x34]

        $sequence_2 = { 8b7dc0 8b45b0 0f43d7 8b75ac 2bc6 }
            // n = 5, score = 200
            //   8b7dc0               | mov                 edi, dword ptr [ebp - 0x40]
            //   8b45b0               | mov                 eax, dword ptr [ebp - 0x50]
            //   0f43d7               | cmovae              edx, edi
            //   8b75ac               | mov                 esi, dword ptr [ebp - 0x54]
            //   2bc6                 | sub                 eax, esi

        $sequence_3 = { 8bcf 83e73f c1f906 6bd738 8b0c8d701d4400 }
            // n = 5, score = 200
            //   8bcf                 | mov                 ecx, edi
            //   83e73f               | and                 edi, 0x3f
            //   c1f906               | sar                 ecx, 6
            //   6bd738               | imul                edx, edi, 0x38
            //   8b0c8d701d4400       | mov                 ecx, dword ptr [ecx*4 + 0x441d70]

        $sequence_4 = { 8b85f8feffff c745d000000000 c745d40f000000 c645c000 8b4004 c78405f8feffffa8be4300 8b85f8feffff }
            // n = 7, score = 200
            //   8b85f8feffff         | mov                 eax, dword ptr [ebp - 0x108]
            //   c745d000000000       | mov                 dword ptr [ebp - 0x30], 0
            //   c745d40f000000       | mov                 dword ptr [ebp - 0x2c], 0xf
            //   c645c000             | mov                 byte ptr [ebp - 0x40], 0
            //   8b4004               | mov                 eax, dword ptr [eax + 4]
            //   c78405f8feffffa8be4300     | mov    dword ptr [ebp + eax - 0x108], 0x43bea8
            //   8b85f8feffff         | mov                 eax, dword ptr [ebp - 0x108]

        $sequence_5 = { 50 8d4dd4 e8???????? 8985b8feffff beffffff7f c645fc0e 8b55cc }
            // n = 7, score = 200
            //   50                   | push                eax
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   e8????????           |                     
            //   8985b8feffff         | mov                 dword ptr [ebp - 0x148], eax
            //   beffffff7f           | mov                 esi, 0x7fffffff
            //   c645fc0e             | mov                 byte ptr [ebp - 4], 0xe
            //   8b55cc               | mov                 edx, dword ptr [ebp - 0x34]

        $sequence_6 = { 7408 40 83f81d 7cf1 eb07 8b0cc57c3f4300 894de4 }
            // n = 7, score = 200
            //   7408                 | je                  0xa
            //   40                   | inc                 eax
            //   83f81d               | cmp                 eax, 0x1d
            //   7cf1                 | jl                  0xfffffff3
            //   eb07                 | jmp                 9
            //   8b0cc57c3f4300       | mov                 ecx, dword ptr [eax*8 + 0x433f7c]
            //   894de4               | mov                 dword ptr [ebp - 0x1c], ecx

        $sequence_7 = { 83f810 7231 8b953cffffff 8d4801 8bc2 }
            // n = 5, score = 200
            //   83f810               | cmp                 eax, 0x10
            //   7231                 | jb                  0x33
            //   8b953cffffff         | mov                 edx, dword ptr [ebp - 0xc4]
            //   8d4801               | lea                 ecx, [eax + 1]
            //   8bc2                 | mov                 eax, edx

        $sequence_8 = { e8???????? 8be5 5d c20c00 8b854cfeffff 8d4804 }
            // n = 6, score = 200
            //   e8????????           |                     
            //   8be5                 | mov                 esp, ebp
            //   5d                   | pop                 ebp
            //   c20c00               | ret                 0xc
            //   8b854cfeffff         | mov                 eax, dword ptr [ebp - 0x1b4]
            //   8d4804               | lea                 ecx, [eax + 4]

        $sequence_9 = { b8abaaaa2a 2bcf 895df0 f7e9 8b4b04 c1fa03 2bcf }
            // n = 7, score = 200
            //   b8abaaaa2a           | mov                 eax, 0x2aaaaaab
            //   2bcf                 | sub                 ecx, edi
            //   895df0               | mov                 dword ptr [ebp - 0x10], ebx
            //   f7e9                 | imul                ecx
            //   8b4b04               | mov                 ecx, dword ptr [ebx + 4]
            //   c1fa03               | sar                 edx, 3
            //   2bcf                 | sub                 ecx, edi

    condition:
        7 of them and filesize < 581632
}
Download all Yara Rules