win.jssloader

JSSLoader

Actor(s): Anunak


There is no description at this point.

References

2023-09-12 | Microsoft | Microsoft Threat Intelligence
    Malware distributor Storm-0324 facilitates ransomware access
    Tags: JSSLoader, Storm-0324

2022-08-15 | Malwarebytes | Threat Intelligence Team
    Threat Intelligence - JSSLoader: the shellcode edition
    Tags: JSSLoader

2022-08-15 | Malwarebytes | Threat Intelligence Team
    JSSLoader: the shellcode edition
    Tags: JSSLoader

2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
    Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
    Tags: AnchorDNS, BlackCat, BlackMatter, Conti, DarkSide, HelloKitty, Hive, LockBit, REvil, FAKEUPDATES, Griffon, ATOMSILO, BazarBackdoor, BlackCat, BlackMatter, Blister, Cobalt Strike, Conti, DarkSide, Emotet, FiveHands, Gozi, HelloKitty, Hive, IcedID, ISFB, JSSLoader, LockBit, LockFile, Maze, NightSky, Pandora, Phobos, Phoenix Locker, PhotoLoader, QakBot, REvil, Rook, Ryuk, SystemBC, TrickBot, WastedLocker, BRONZE STARLIGHT

2022-04-25 | Morphisec | Morphisec Labs
    New Core Impact Backdoor Delivered Via VMware Vulnerability
    Tags: Cobalt Strike, JSSLoader

2022-04-04 | Mandiant | Brendan McKeague, Bryce Abdo, Ioana Teaca, Zander Work
    FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
    Tags: Griffon, BABYMETAL, Carbanak, Cobalt Strike, JSSLoader, Termite

2022-03-24 | Bleeping Computer | Bill Toulas
    Malicious Microsoft Excel add-ins used to deliver RAT malware
    Tags: JSSLoader

2022-03-23 | Morphisec | Hido Cohen
    New JSSLoader Trojan Delivered Through XLL Files
    Tags: JSSLoader

2022-03-08 | Secureworks | Counter Threat Unit Research Team
    Excel Add-ins Deliver JSSLoader Malware
    Tags: JSSLoader

2021-11-11 | Splunk | Splunk Threat Research Team
    FIN7 Tools Resurface in the Field – Splinter or Copycat?
    Tags: JSSLoader, Remcos

2021-11-04 | CrowdStrike | Eric Loui, Josh Reynolds
    CARBON SPIDER Embraces Big Game Hunting, Part 2
    Tags: BlackMatter, Griffon, BlackMatter, DarkSide, HiddenTear, JSSLoader

2021-08-30 | CrowdStrike | Eric Loui, Josh Reynolds
    CARBON SPIDER Embraces Big Game Hunting, Part 1
    Tags: Bateleur, Griffon, Carbanak, DarkSide, JSSLoader, PILLOWMINT, REvil

2021-06-24 | Proofpoint | Crista Giering, Dennis Schwarz, Matthew Mesa
    JSSLoader: Recoded and Reloaded
    Tags: JSSLoader, Storm-0324

2021-01-04 | Morphisec | Arnold Osipov
    Threat Profile the Evolution of the FIN7 JSSLoader
    Tags: JSSLoader
Yara Rules
[TLP:WHITE] win_jssloader_auto (20260504 | Detects win.jssloader.)
rule win_jssloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.jssloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jssloader"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 83f81f 0f8703060000 51 56 e8???????? 83c408 c745d800000000 }
            // n = 7, score = 200
            //   83f81f               | cmp                 eax, 0x1f
            //   0f8703060000         | ja                  0x609
            //   51                   | push                ecx
            //   56                   | push                esi
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   c745d800000000       | mov                 dword ptr [ebp - 0x28], 0

        $sequence_1 = { 8b4804 8d41f8 89840d70feffff 8d85dcfeffff }
            // n = 4, score = 200
            //   8b4804               | mov                 ecx, dword ptr [eax + 4]
            //   8d41f8               | lea                 eax, [ecx - 8]
            //   89840d70feffff       | mov                 dword ptr [ebp + ecx - 0x190], eax
            //   8d85dcfeffff         | lea                 eax, [ebp - 0x124]

        $sequence_2 = { 68???????? c78568fdffff00000000 c7856cfdffff0f000000 c68558fdffff00 e8???????? c645fc16 }
            // n = 6, score = 200
            //   68????????           |                     
            //   c78568fdffff00000000 | mov                 dword ptr [ebp - 0x298], 0
            //   c7856cfdffff0f000000 | mov                 dword ptr [ebp - 0x294], 0xf
            //   c68558fdffff00       | mov                 byte ptr [ebp - 0x2a8], 0
            //   e8????????           |                     
            //   c645fc16             | mov                 byte ptr [ebp - 4], 0x16

        $sequence_3 = { 64a300000000 8b4508 89859cfeffff 8985b8feffff }
            // n = 4, score = 200
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   89859cfeffff         | mov                 dword ptr [ebp - 0x164], eax
            //   8985b8feffff         | mov                 dword ptr [ebp - 0x148], eax

        $sequence_4 = { 8d8da0feffff c785b0feffff00000000 c785b4feffff0f000000 c685a0feffff00 e8???????? 8d85a0feffff }
            // n = 6, score = 200
            //   8d8da0feffff         | lea                 ecx, [ebp - 0x160]
            //   c785b0feffff00000000 | mov                 dword ptr [ebp - 0x150], 0
            //   c785b4feffff0f000000 | mov                 dword ptr [ebp - 0x14c], 0xf
            //   c685a0feffff00       | mov                 byte ptr [ebp - 0x160], 0
            //   e8????????           |                     
            //   8d85a0feffff         | lea                 eax, [ebp - 0x160]

        $sequence_5 = { 8b45fc 8b7008 8b5004 8b08 c7400800000000 c7400400000000 }
            // n = 6, score = 200
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b7008               | mov                 esi, dword ptr [eax + 8]
            //   8b5004               | mov                 edx, dword ptr [eax + 4]
            //   8b08                 | mov                 ecx, dword ptr [eax]
            //   c7400800000000       | mov                 dword ptr [eax + 8], 0
            //   c7400400000000       | mov                 dword ptr [eax + 4], 0

        $sequence_6 = { 8d8d20ffffff 6a06 68???????? c78530ffffff00000000 c78534ffffff0f000000 c68520ffffff00 e8???????? }
            // n = 7, score = 200
            //   8d8d20ffffff         | lea                 ecx, [ebp - 0xe0]
            //   6a06                 | push                6
            //   68????????           |                     
            //   c78530ffffff00000000 | mov                 dword ptr [ebp - 0xd0], 0
            //   c78534ffffff0f000000 | mov                 dword ptr [ebp - 0xcc], 0xf
            //   c68520ffffff00       | mov                 byte ptr [ebp - 0xe0], 0
            //   e8????????           |                     

        $sequence_7 = { 7408 8817 47 897de8 }
            // n = 4, score = 200
            //   7408                 | je                  0xa
            //   8817                 | mov                 byte ptr [edi], dl
            //   47                   | inc                 edi
            //   897de8               | mov                 dword ptr [ebp - 0x18], edi

        $sequence_8 = { 51 6a01 6a00 68???????? 52 ff15???????? 8d4b04 }
            // n = 7, score = 200
            //   51                   | push                ecx
            //   6a01                 | push                1
            //   6a00                 | push                0
            //   68????????           |                     
            //   52                   | push                edx
            //   ff15????????         |                     
            //   8d4b04               | lea                 ecx, [ebx + 4]

        $sequence_9 = { 8b04bd701d4400 834c0318ff 33c0 eb16 e8???????? c70009000000 e8???????? }
            // n = 7, score = 200
            //   8b04bd701d4400       | mov                 eax, dword ptr [edi*4 + 0x441d70]
            //   834c0318ff           | or                  dword ptr [ebx + eax + 0x18], 0xffffffff
            //   33c0                 | xor                 eax, eax
            //   eb16                 | jmp                 0x18
            //   e8????????           |                     
            //   c70009000000         | mov                 dword ptr [eax], 9
            //   e8????????           |                     

    condition:
        7 of them and filesize < 581632
}