SYMBOLCOMMON_NAMEaka. SYNONYMS
win.jssloader (Back to overview)

JSSLoader

Actor(s): Anunak

There is no description at this point.

References
2022-08-15MalwarebytesThreat Intelligence Team
@online{team:20220815:threat:791daf7, author = {Threat Intelligence Team}, title = {{Threat Intelligence - JSSLoader: the shellcode edition}}, date = {2022-08-15}, organization = {Malwarebytes}, url = {https://malwarebytes.app.box.com/s/ym6r7o5hq0rx2nxjbctfv2sw5vx386ni}, language = {English}, urldate = {2022-08-19} } Threat Intelligence - JSSLoader: the shellcode edition
JSSLoader
2022-08-15MalwarebytesThreat Intelligence Team
@online{team:20220815:jssloader:8dde76b, author = {Threat Intelligence Team}, title = {{JSSLoader: the shellcode edition}}, date = {2022-08-15}, organization = {Malwarebytes}, url = {https://www.malwarebytes.com/blog/threat-intelligence/2022/08/jssloader-the-shellcode-edition}, language = {English}, urldate = {2022-08-19} } JSSLoader: the shellcode edition
JSSLoader
2022-05-09MicrosoftMicrosoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
@online{team:20220509:ransomwareasaservice:13ec472, author = {Microsoft 365 Defender Threat Intelligence Team and Microsoft Threat Intelligence Center (MSTIC)}, title = {{Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself}}, date = {2022-05-09}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself}, language = {English}, urldate = {2022-05-17} } Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker BRONZE STARLIGHT
2022-04-25MorphisecMorphisec Labs
@online{labs:20220425:new:7b1c795, author = {Morphisec Labs}, title = {{New Core Impact Backdoor Delivered Via VMware Vulnerability}}, date = {2022-04-25}, organization = {Morphisec}, url = {https://blog.morphisec.com/vmware-identity-manager-attack-backdoor}, language = {English}, urldate = {2022-04-29} } New Core Impact Backdoor Delivered Via VMware Vulnerability
Cobalt Strike JSSLoader
2022-04-04MandiantBryce Abdo, Zander Work, Ioana Teaca, Brendan McKeague
@online{abdo:20220404:fin7:305d62b, author = {Bryce Abdo and Zander Work and Ioana Teaca and Brendan McKeague}, title = {{FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7}}, date = {2022-04-04}, organization = {Mandiant}, url = {https://www.mandiant.com/resources/evolution-of-fin7}, language = {English}, urldate = {2022-06-27} } FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
Griffon BABYMETAL Carbanak Cobalt Strike JSSLoader Termite
2022-03-24Bleeping ComputerBill Toulas
@online{toulas:20220324:malicious:560c659, author = {Bill Toulas}, title = {{Malicious Microsoft Excel add-ins used to deliver RAT malware}}, date = {2022-03-24}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/malicious-microsoft-excel-add-ins-used-to-deliver-rat-malware/}, language = {English}, urldate = {2022-03-25} } Malicious Microsoft Excel add-ins used to deliver RAT malware
JSSLoader
2022-03-23MorphisecHido Cohen
@online{cohen:20220323:new:7356088, author = {Hido Cohen}, title = {{New JSSLoader Trojan Delivered Through XLL Files}}, date = {2022-03-23}, organization = {Morphisec}, url = {https://blog.morphisec.com/new-jssloader-trojan-delivered-through-xll-files}, language = {English}, urldate = {2022-03-25} } New JSSLoader Trojan Delivered Through XLL Files
JSSLoader
2022-03-08SecureworksCounter Threat Unit ResearchTeam
@online{researchteam:20220308:excel:0f4e5c9, author = {Counter Threat Unit ResearchTeam}, title = {{Excel Add-ins Deliver JSSLoader Malware}}, date = {2022-03-08}, organization = {Secureworks}, url = {https://www.secureworks.com/blog/excel-add-ins-deliver-jssloader-malware}, language = {English}, urldate = {2022-03-22} } Excel Add-ins Deliver JSSLoader Malware
JSSLoader
2021-11-11splunkSplunk Threat Research Team
@online{team:20211111:fin7:cd0d233, author = {Splunk Threat Research Team}, title = {{FIN7 Tools Resurface in the Field – Splinter or Copycat?}}, date = {2021-11-11}, organization = {splunk}, url = {https://www.splunk.com/en_us/blog/security/fin7-tools-resurface-in-the-field-splinter-or-copycat.html}, language = {English}, urldate = {2021-11-12} } FIN7 Tools Resurface in the Field – Splinter or Copycat?
JSSLoader Remcos
2021-11-04CrowdStrikeEric Loui, Josh Reynolds
@online{loui:20211104:carbon:e3ef021, author = {Eric Loui and Josh Reynolds}, title = {{CARBON SPIDER Embraces Big Game Hunting, Part 2}}, date = {2021-11-04}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-2/}, language = {English}, urldate = {2021-11-08} } CARBON SPIDER Embraces Big Game Hunting, Part 2
BlackMatter Griffon BlackMatter DarkSide HiddenTear JSSLoader
2021-08-30CrowdStrikeEric Loui, Josh Reynolds
@online{loui:20210830:carbon:66be3f3, author = {Eric Loui and Josh Reynolds}, title = {{CARBON SPIDER Embraces Big Game Hunting, Part 1}}, date = {2021-08-30}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/}, language = {English}, urldate = {2021-08-31} } CARBON SPIDER Embraces Big Game Hunting, Part 1
Bateleur Griffon Carbanak DarkSide JSSLoader PILLOWMINT REvil
2021-06-24ProofpointDennis Schwarz, Matthew Mesa, Crista Giering
@online{schwarz:20210624:jssloader:ab99f14, author = {Dennis Schwarz and Matthew Mesa and Crista Giering}, title = {{JSSLoader: Recoded and Reloaded}}, date = {2021-06-24}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded}, language = {English}, urldate = {2021-06-25} } JSSLoader: Recoded and Reloaded
JSSLoader
2021-01-04MorphisecArnold Osipov
@techreport{osipov:20210104:threat:b875307, author = {Arnold Osipov}, title = {{Threat Profile the Evolution of the FIN7 JSSLoader}}, date = {2021-01-04}, institution = {Morphisec}, url = {https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/FIN7%20JSSLOADER%20FINAL%20WEB.pdf}, language = {English}, urldate = {2021-01-05} } Threat Profile the Evolution of the FIN7 JSSLoader
JSSLoader
Yara Rules
[TLP:WHITE] win_jssloader_auto (20220808 | Detects win.jssloader.)
rule win_jssloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-08-05"
        version = "1"
        description = "Detects win.jssloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jssloader"
        malpedia_rule_date = "20220805"
        malpedia_hash = "6ec06c64bcfdbeda64eff021c766b4ce34542b71"
        malpedia_version = "20220808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 e8???????? 8bf8 83c40c 85ff 7405 2b7dd0 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   e8????????           |                     
            //   8bf8                 | mov                 edi, eax
            //   83c40c               | add                 esp, 0xc
            //   85ff                 | test                edi, edi
            //   7405                 | je                  7
            //   2b7dd0               | sub                 edi, dword ptr [ebp - 0x30]

        $sequence_1 = { 50 ff15???????? 6a00 ff15???????? 6804010000 8d8decfeffff 51 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   ff15????????         |                     
            //   6a00                 | push                0
            //   ff15????????         |                     
            //   6804010000           | push                0x104
            //   8d8decfeffff         | lea                 ecx, [ebp - 0x114]
            //   51                   | push                ecx

        $sequence_2 = { 8bc8 e8???????? 80bd68ffffff00 7416 ffb564ffffff 8b35???????? ffd6 }
            // n = 7, score = 200
            //   8bc8                 | mov                 ecx, eax
            //   e8????????           |                     
            //   80bd68ffffff00       | cmp                 byte ptr [ebp - 0x98], 0
            //   7416                 | je                  0x18
            //   ffb564ffffff         | push                dword ptr [ebp - 0x9c]
            //   8b35????????         |                     
            //   ffd6                 | call                esi

        $sequence_3 = { 8b4508 b900010000 663bc1 7320 0fb6c8 f6044dea2c430001 740e }
            // n = 7, score = 200
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   b900010000           | mov                 ecx, 0x100
            //   663bc1               | cmp                 ax, cx
            //   7320                 | jae                 0x22
            //   0fb6c8               | movzx               ecx, al
            //   f6044dea2c430001     | test                byte ptr [ecx*2 + 0x432cea], 1
            //   740e                 | je                  0x10

        $sequence_4 = { 754c 56 e8???????? ffb524ffffff e8???????? 8bf0 }
            // n = 6, score = 200
            //   754c                 | jne                 0x4e
            //   56                   | push                esi
            //   e8????????           |                     
            //   ffb524ffffff         | push                dword ptr [ebp - 0xdc]
            //   e8????????           |                     
            //   8bf0                 | mov                 esi, eax

        $sequence_5 = { 8d8d9cfeffff 6a04 68???????? c785acfeffff00000000 c785b0feffff0f000000 c6859cfeffff00 }
            // n = 6, score = 200
            //   8d8d9cfeffff         | lea                 ecx, [ebp - 0x164]
            //   6a04                 | push                4
            //   68????????           |                     
            //   c785acfeffff00000000     | mov    dword ptr [ebp - 0x154], 0
            //   c785b0feffff0f000000     | mov    dword ptr [ebp - 0x150], 0xf
            //   c6859cfeffff00       | mov                 byte ptr [ebp - 0x164], 0

        $sequence_6 = { c745ec0f000000 c645d800 c645fc04 807d8c00 7539 8b55a0 85d2 }
            // n = 7, score = 200
            //   c745ec0f000000       | mov                 dword ptr [ebp - 0x14], 0xf
            //   c645d800             | mov                 byte ptr [ebp - 0x28], 0
            //   c645fc04             | mov                 byte ptr [ebp - 4], 4
            //   807d8c00             | cmp                 byte ptr [ebp - 0x74], 0
            //   7539                 | jne                 0x3b
            //   8b55a0               | mov                 edx, dword ptr [ebp - 0x60]
            //   85d2                 | test                edx, edx

        $sequence_7 = { 50 8d45f4 64a300000000 8b450c 8b7508 8975bc c745d000000000 }
            // n = 7, score = 200
            //   50                   | push                eax
            //   8d45f4               | lea                 eax, [ebp - 0xc]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8975bc               | mov                 dword ptr [ebp - 0x44], esi
            //   c745d000000000       | mov                 dword ptr [ebp - 0x30], 0

        $sequence_8 = { 394138 0f94c0 8d048502000000 0b410c 50 e8???????? 6a09 }
            // n = 7, score = 200
            //   394138               | cmp                 dword ptr [ecx + 0x38], eax
            //   0f94c0               | sete                al
            //   8d048502000000       | lea                 eax, [eax*4 + 2]
            //   0b410c               | or                  eax, dword ptr [ecx + 0xc]
            //   50                   | push                eax
            //   e8????????           |                     
            //   6a09                 | push                9

        $sequence_9 = { 3bc8 7725 837db010 8d040e 8945ac 8d459c 0f43459c }
            // n = 7, score = 200
            //   3bc8                 | cmp                 ecx, eax
            //   7725                 | ja                  0x27
            //   837db010             | cmp                 dword ptr [ebp - 0x50], 0x10
            //   8d040e               | lea                 eax, [esi + ecx]
            //   8945ac               | mov                 dword ptr [ebp - 0x54], eax
            //   8d459c               | lea                 eax, [ebp - 0x64]
            //   0f43459c             | cmovae              eax, dword ptr [ebp - 0x64]

    condition:
        7 of them and filesize < 581632
}
Download all Yara Rules