win.jssloader

JSSLoader

Actor(s): Anunak


There is no description at this point.

References

2023-09-12 | Microsoft | Microsoft Threat Intelligence
    Malware distributor Storm-0324 facilitates ransomware access
    Tags: JSSLoader, Storm-0324

2022-08-15 | Malwarebytes | Threat Intelligence Team
    Threat Intelligence - JSSLoader: the shellcode edition
    Tags: JSSLoader

2022-08-15 | Malwarebytes | Threat Intelligence Team
    JSSLoader: the shellcode edition
    Tags: JSSLoader

2022-05-09 | Microsoft | Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
    Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
    Tags: AnchorDNS, BlackCat, BlackMatter, Conti, DarkSide, HelloKitty, Hive, LockBit, REvil, FAKEUPDATES, Griffon, ATOMSILO, BazarBackdoor, BlackCat, BlackMatter, Blister, Cobalt Strike, Conti, DarkSide, Emotet, FiveHands, Gozi, HelloKitty, Hive, IcedID, ISFB, JSSLoader, LockBit, LockFile, Maze, NightSky, Pandora, Phobos, Phoenix Locker, PhotoLoader, QakBot, REvil, Rook, Ryuk, SystemBC, TrickBot, WastedLocker, BRONZE STARLIGHT

2022-04-25 | Morphisec | Morphisec Labs
    New Core Impact Backdoor Delivered Via VMware Vulnerability
    Tags: Cobalt Strike, JSSLoader

2022-04-04 | Mandiant | Brendan McKeague, Bryce Abdo, Ioana Teaca, Zander Work
    FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
    Tags: Griffon, BABYMETAL, Carbanak, Cobalt Strike, JSSLoader, Termite

2022-03-24 | Bleeping Computer | Bill Toulas
    Malicious Microsoft Excel add-ins used to deliver RAT malware
    Tags: JSSLoader

2022-03-23 | Morphisec | Hido Cohen
    New JSSLoader Trojan Delivered Through XLL Files
    Tags: JSSLoader

2022-03-08 | Secureworks | Counter Threat Unit Research Team
    Excel Add-ins Deliver JSSLoader Malware
    Tags: JSSLoader

2021-11-11 | Splunk | Splunk Threat Research Team
    FIN7 Tools Resurface in the Field – Splinter or Copycat?
    Tags: JSSLoader, Remcos

2021-11-04 | CrowdStrike | Eric Loui, Josh Reynolds
    CARBON SPIDER Embraces Big Game Hunting, Part 2
    Tags: BlackMatter, Griffon, BlackMatter, DarkSide, HiddenTear, JSSLoader

2021-08-30 | CrowdStrike | Eric Loui, Josh Reynolds
    CARBON SPIDER Embraces Big Game Hunting, Part 1
    Tags: Bateleur, Griffon, Carbanak, DarkSide, JSSLoader, PILLOWMINT, REvil

2021-06-24 | Proofpoint | Crista Giering, Dennis Schwarz, Matthew Mesa
    JSSLoader: Recoded and Reloaded
    Tags: JSSLoader, Storm-0324

2021-01-04 | Morphisec | Arnold Osipov
    Threat Profile: the Evolution of the FIN7 JSSLoader
    Tags: JSSLoader
Yara Rules
[TLP:WHITE] win_jssloader_auto (20230808 | Detects win.jssloader.)
rule win_jssloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.jssloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jssloader"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 89b5e0fbffff 660fd685e4fbffff 89b5ecfbffff 89b5e4fbffff 89b5e8fbffff 89b5ecfbffff }
            // n = 6, score = 200
            //   89b5e0fbffff         | mov                 dword ptr [ebp - 0x420], esi
            //   660fd685e4fbffff     | movq                qword ptr [ebp - 0x41c], xmm0
            //   89b5ecfbffff         | mov                 dword ptr [ebp - 0x414], esi
            //   89b5e4fbffff         | mov                 dword ptr [ebp - 0x41c], esi
            //   89b5e8fbffff         | mov                 dword ptr [ebp - 0x418], esi
            //   89b5ecfbffff         | mov                 dword ptr [ebp - 0x414], esi

        $sequence_1 = { 0f4345b4 50 ff15???????? 8bf0 89b5c0fdffff 83feff 0f84b9020000 }
            // n = 7, score = 200
            //   0f4345b4             | cmovae              eax, dword ptr [ebp - 0x4c]
            //   50                   | push                eax
            //   ff15????????         |                     
            //   8bf0                 | mov                 esi, eax
            //   89b5c0fdffff         | mov                 dword ptr [ebp - 0x240], esi
            //   83feff               | cmp                 esi, -1
            //   0f84b9020000         | je                  0x2bf

        $sequence_2 = { 8945fc 56 8b7508 8d85fcfeffff 6800010000 6a00 50 }
            // n = 7, score = 200
            //   8945fc               | mov                 dword ptr [ebp - 4], eax
            //   56                   | push                esi
            //   8b7508               | mov                 esi, dword ptr [ebp + 8]
            //   8d85fcfeffff         | lea                 eax, [ebp - 0x104]
            //   6800010000           | push                0x100
            //   6a00                 | push                0
            //   50                   | push                eax

        $sequence_3 = { 899d0cffffff 6a04 68???????? c745d000000000 c745d40f000000 c645c000 e8???????? }
            // n = 7, score = 200
            //   899d0cffffff         | mov                 dword ptr [ebp - 0xf4], ebx
            //   6a04                 | push                4
            //   68????????           |                     
            //   c745d000000000       | mov                 dword ptr [ebp - 0x30], 0
            //   c745d40f000000       | mov                 dword ptr [ebp - 0x2c], 0xf
            //   c645c000             | mov                 byte ptr [ebp - 0x40], 0
            //   e8????????           |                     

        $sequence_4 = { 2bc6 83c0fc 83f81f 0f8797010000 e9???????? 8b854cfeffff 8d4804 }
            // n = 7, score = 200
            //   2bc6                 | sub                 eax, esi
            //   83c0fc               | add                 eax, -4
            //   83f81f               | cmp                 eax, 0x1f
            //   0f8797010000         | ja                  0x19d
            //   e9????????           |                     
            //   8b854cfeffff         | mov                 eax, dword ptr [ebp - 0x1b4]
            //   8d4804               | lea                 ecx, [eax + 4]

        $sequence_5 = { 51 ffb570feffff 8d4dcc e8???????? c645fc0b 8b55e0 8bc2 }
            // n = 7, score = 200
            //   51                   | push                ecx
            //   ffb570feffff         | push                dword ptr [ebp - 0x190]
            //   8d4dcc               | lea                 ecx, [ebp - 0x34]
            //   e8????????           |                     
            //   c645fc0b             | mov                 byte ptr [ebp - 4], 0xb
            //   8b55e0               | mov                 edx, dword ptr [ebp - 0x20]
            //   8bc2                 | mov                 eax, edx

        $sequence_6 = { 3b85ecfbffff 740a 8808 ff85e8fbffff }
            // n = 4, score = 200
            //   3b85ecfbffff         | cmp                 eax, dword ptr [ebp - 0x414]
            //   740a                 | je                  0xc
            //   8808                 | mov                 byte ptr [eax], cl
            //   ff85e8fbffff         | inc                 dword ptr [ebp - 0x418]

        $sequence_7 = { 8bc1 83e13f c1f806 6bc938 8b0485701d4400 80640828fe ff33 }
            // n = 7, score = 200
            //   8bc1                 | mov                 eax, ecx
            //   83e13f               | and                 ecx, 0x3f
            //   c1f806               | sar                 eax, 6
            //   6bc938               | imul                ecx, ecx, 0x38
            //   8b0485701d4400       | mov                 eax, dword ptr [eax*4 + 0x441d70]
            //   80640828fe           | and                 byte ptr [eax + ecx + 0x28], 0xfe
            //   ff33                 | push                dword ptr [ebx]

        $sequence_8 = { 03f0 56 e8???????? 8b8534ffffff 83c40c 8b8d54feffff }
            // n = 6, score = 200
            //   03f0                 | add                 esi, eax
            //   56                   | push                esi
            //   e8????????           |                     
            //   8b8534ffffff         | mov                 eax, dword ptr [ebp - 0xcc]
            //   83c40c               | add                 esp, 0xc
            //   8b8d54feffff         | mov                 ecx, dword ptr [ebp - 0x1ac]

        $sequence_9 = { 03f0 56 e8???????? 8b854cffffff 83c40c c6043000 8bb568feffff }
            // n = 7, score = 200
            //   03f0                 | add                 esi, eax
            //   56                   | push                esi
            //   e8????????           |                     
            //   8b854cffffff         | mov                 eax, dword ptr [ebp - 0xb4]
            //   83c40c               | add                 esp, 0xc
            //   c6043000             | mov                 byte ptr [eax + esi], 0
            //   8bb568feffff         | mov                 esi, dword ptr [ebp - 0x198]

    condition:
        7 of them and filesize < 581632
}