SYMBOLCOMMON_NAMEaka. SYNONYMS
win.jssloader (Back to overview)

JSSLoader

Actor(s): Anunak

There is no description at this point.

References
2022-08-15MalwarebytesThreat Intelligence Team
@online{team:20220815:jssloader:8dde76b, author = {Threat Intelligence Team}, title = {{JSSLoader: the shellcode edition}}, date = {2022-08-15}, organization = {Malwarebytes}, url = {https://www.malwarebytes.com/blog/threat-intelligence/2022/08/jssloader-the-shellcode-edition}, language = {English}, urldate = {2022-08-19} } JSSLoader: the shellcode edition
JSSLoader
2022-08-15MalwarebytesThreat Intelligence Team
@online{team:20220815:threat:791daf7, author = {Threat Intelligence Team}, title = {{Threat Intelligence - JSSLoader: the shellcode edition}}, date = {2022-08-15}, organization = {Malwarebytes}, url = {https://malwarebytes.app.box.com/s/ym6r7o5hq0rx2nxjbctfv2sw5vx386ni}, language = {English}, urldate = {2022-08-19} } Threat Intelligence - JSSLoader: the shellcode edition
JSSLoader
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-04-25MorphisecMorphisec Labs
@online{labs:20220425:new:7b1c795, author = {Morphisec Labs}, title = {{New Core Impact Backdoor Delivered Via VMware Vulnerability}}, date = {2022-04-25}, organization = {Morphisec}, url = {https://blog.morphisec.com/vmware-identity-manager-attack-backdoor}, language = {English}, urldate = {2022-04-29} } New Core Impact Backdoor Delivered Via VMware Vulnerability
Cobalt Strike JSSLoader
2022-04-04MandiantBryce Abdo, Zander Work, Ioana Teaca, Brendan McKeague
@online{abdo:20220404:fin7:305d62b, author = {Bryce Abdo and Zander Work and Ioana Teaca and Brendan McKeague}, title = {{FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7}}, date = {2022-04-04}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/evolution-of-fin7}, language = {English}, urldate = {2022-06-27} } FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
Griffon BABYMETAL Carbanak Cobalt Strike JSSLoader Termite
2022-03-24Bleeping ComputerBill Toulas
@online{toulas:20220324:malicious:560c659, author = {Bill Toulas}, title = {{Malicious Microsoft Excel add-ins used to deliver RAT malware}}, date = {2022-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/malicious-microsoft-excel-add-ins-used-to-deliver-rat-malware/}, language = {English}, urldate = {2022-03-25} } Malicious Microsoft Excel add-ins used to deliver RAT malware
JSSLoader
2022-03-23MorphisecHido Cohen
@online{cohen:20220323:new:7356088, author = {Hido Cohen}, title = {{New JSSLoader Trojan Delivered Through XLL Files}}, date = {2022-03-23}, organization = {Morphisec}, url = {https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files}, language = {English}, urldate = {2022-03-25} } New JSSLoader Trojan Delivered Through XLL Files
JSSLoader
2022-03-08SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20220308:excel:0f4e5c9, author = {Counter Threat Unit ResearchTeam}, title = {{Excel Add-ins Deliver JSSLoader Malware}}, date = {2022-03-08}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/excel-add-ins-deliver-jssloader-malware}, language = {English}, urldate = {2022-03-22} } Excel Add-ins Deliver JSSLoader Malware
JSSLoader
2021-11-11splunkSplunk Threat Research Team
@online{team:20211111:fin7:cd0d233, author = {Splunk Threat Research Team}, title = {{FIN7 Tools Resurface in the Field – Splinter or Copycat?}}, date = {2021-11-11}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html}, language = {English}, urldate = {2021-11-12} } FIN7 Tools Resurface in the Field – Splinter or Copycat?
JSSLoader Remcos
2021-11-04CrowdStrikeEric Loui, Josh Reynolds
@online{loui:20211104:carbon:e3ef021, author = {Eric Loui and Josh Reynolds}, title = {{CARBON SPIDER Embraces Big Game Hunting, Part 2}}, date = {2021-11-04}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/}, language = {English}, urldate = {2021-11-08} } CARBON SPIDER Embraces Big Game Hunting, Part 2
BlackMatter Griffon BlackMatter DarkSide HiddenTear JSSLoader
2021-08-30CrowdStrikeEric Loui, Josh Reynolds
@online{loui:20210830:carbon:66be3f3, author = {Eric Loui and Josh Reynolds}, title = {{CARBON SPIDER Embraces Big Game Hunting, Part 1}}, date = {2021-08-30}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/}, language = {English}, urldate = {2021-08-31} } CARBON SPIDER Embraces Big Game Hunting, Part 1
Bateleur Griffon Carbanak DarkSide JSSLoader PILLOWMINT REvil
2021-06-24ProofpointDennis Schwarz, Matthew Mesa, Crista Giering
@online{schwarz:20210624:jssloader:ab99f14, author = {Dennis Schwarz and Matthew Mesa and Crista Giering}, title = {{JSSLoader: Recoded and Reloaded}}, date = {2021-06-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded}, language = {English}, urldate = {2021-06-25} } JSSLoader: Recoded and Reloaded
JSSLoader
2021-01-04MorphisecArnold Osipov
@techreport{osipov:20210104:threat:b875307, author = {Arnold Osipov}, title = {{Threat Profile the Evolution of the FIN7 JSSLoader}}, date = {2021-01-04}, institution = {Morphisec}, url = {https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/FIN7%20JSSLOADER%20FINAL%20WEB.pdf}, language = {English}, urldate = {2021-01-05} } Threat Profile the Evolution of the FIN7 JSSLoader
JSSLoader
Yara Rules
[TLP:WHITE] win_jssloader_auto (20230407 | Detects win.jssloader.)
rule win_jssloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.jssloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jssloader"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83f81f 0f8703060000 51 56 e8???????? 83c408 c745d800000000 }
            // n = 7, score = 200
            //   83f81f               | cmp                 eax, 0x1f
            //   0f8703060000         | ja                  0x609
            //   51                   | push                ecx
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   c745d800000000       | mov                 dword ptr [ebp - 0x28], 0

        $sequence_1 = { 74c7 8b45f8 8bce 83e63f c1f906 6bf638 8b0c8d701d4400 }
            // n = 7, score = 200
            //   74c7                 | je                  0xffffffc9
            //   8b45f8               | mov                 eax, dword ptr [ebp - 8]
            //   8bce                 | mov                 ecx, esi
            //   83e63f               | and                 esi, 0x3f
            //   c1f906               | sar                 ecx, 6
            //   6bf638               | imul                esi, esi, 0x38
            //   8b0c8d701d4400       | mov                 ecx, dword ptr [ecx*4 + 0x441d70]

        $sequence_2 = { c70600000000 c7460400000000 c7462c00000000 c6463000 e8???????? 6a00 }
            // n = 6, score = 200
            //   c70600000000         | mov                 dword ptr [esi], 0
            //   c7460400000000       | mov                 dword ptr [esi + 4], 0
            //   c7462c00000000       | mov                 dword ptr [esi + 0x2c], 0
            //   c6463000             | mov                 byte ptr [esi + 0x30], 0
            //   e8????????           |                     
            //   6a00                 | push                0

        $sequence_3 = { 0f4395acfdffff 8bc8 e8???????? ba???????? 8bc8 e8???????? ba???????? }
            // n = 7, score = 200
            //   0f4395acfdffff       | cmovae              edx, dword ptr [ebp - 0x254]
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   ba????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   ba????????           |                     

        $sequence_4 = { e8???????? 8d4da8 c645fc01 51 8bd0 8d4dd8 e8???????? }
            // n = 7, score = 200
            //   e8????????           |                     
            //   8d4da8               | lea                 ecx, [ebp - 0x58]
            //   c645fc01             | mov                 byte ptr [ebp - 4], 1
            //   51                   | push                ecx
            //   8bd0                 | mov                 edx, eax
            //   8d4dd8               | lea                 ecx, [ebp - 0x28]
            //   e8????????           |                     

        $sequence_5 = { 660fd645e4 8dbd48fbffff 8975e4 8975e8 c745ec94214400 c645fc32 }
            // n = 6, score = 200
            //   660fd645e4           | movq                qword ptr [ebp - 0x1c], xmm0
            //   8dbd48fbffff         | lea                 edi, [ebp - 0x4b8]
            //   8975e4               | mov                 dword ptr [ebp - 0x1c], esi
            //   8975e8               | mov                 dword ptr [ebp - 0x18], esi
            //   c745ec94214400       | mov                 dword ptr [ebp - 0x14], 0x442194
            //   c645fc32             | mov                 byte ptr [ebp - 4], 0x32

        $sequence_6 = { 8bff 55 8bec a1???????? 3b05???????? 0f85c1fbffff }
            // n = 6, score = 200
            //   8bff                 | mov                 edi, edi
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   a1????????           |                     
            //   3b05????????         |                     
            //   0f85c1fbffff         | jne                 0xfffffbc7

        $sequence_7 = { 83c1f4 3b4108 7407 8810 ff4104 eb07 }
            // n = 6, score = 200
            //   83c1f4               | add                 ecx, -0xc
            //   3b4108               | cmp                 eax, dword ptr [ecx + 8]
            //   7407                 | je                  9
            //   8810                 | mov                 byte ptr [eax], dl
            //   ff4104               | inc                 dword ptr [ecx + 4]
            //   eb07                 | jmp                 9

        $sequence_8 = { 0f8749020000 52 51 e8???????? 83c408 8d8d6cfcffff }
            // n = 6, score = 200
            //   0f8749020000         | ja                  0x24f
            //   52                   | push                edx
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8d8d6cfcffff         | lea                 ecx, [ebp - 0x394]

        $sequence_9 = { 8b4804 8d41f8 89840df4feffff 8d8560ffffff c645fc07 50 c78560ffffffe40e4300 }
            // n = 7, score = 200
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   8d41f8               | lea                 eax, [ecx - 8]
            //   89840df4feffff       | mov                 dword ptr [ebp + ecx - 0x10c], eax
            //   8d8560ffffff         | lea                 eax, [ebp - 0xa0]
            //   c645fc07             | mov                 byte ptr [ebp - 4], 7
            //   50                   | push                eax
            //   c78560ffffffe40e4300     | mov    dword ptr [ebp - 0xa0], 0x430ee4

    condition:
        7 of them and filesize < 581632
}
Download all Yara Rules