JSSLoader (Malware Family)

JSSLoader

Actor(s): Anunak

There is no description at this point.

References

2022-05-09 ⋅ Microsoft ⋅ Microsoft 365 Defender Threat Intelligence Team, Microsoft Threat Intelligence Center (MSTIC)
Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself
AnchorDNS BlackCat BlackMatter Conti DarkSide HelloKitty Hive LockBit REvil FAKEUPDATES Griffon ATOMSILO BazarBackdoor BlackCat BlackMatter Blister Cobalt Strike Conti DarkSide Emotet FiveHands Gozi HelloKitty Hive IcedID ISFB JSSLoader LockBit LockFile Maze NightSky Pandora Phobos Phoenix Locker PhotoLoader QakBot REvil Rook Ryuk SystemBC TrickBot WastedLocker

2022-04-25 ⋅ Morphisec ⋅ Morphisec Labs
New Core Impact Backdoor Delivered Via VMware Vulnerability
Cobalt Strike JSSLoader

2022-04-04 ⋅ Mandiant ⋅ Bryce Abdo, Zander Work, Ioana Teaca, Brendan McKeague
FIN7 Power Hour: Adversary Archaeology and the Evolution of FIN7
Griffon POWERPLANT POWERTRASH BOATLAUNCH Cobalt Strike JSSLoader

2022-03-24 ⋅ Bleeping Computer ⋅ Bill Toulas
Malicious Microsoft Excel add-ins used to deliver RAT malware
JSSLoader

2022-03-23 ⋅ Morphisec ⋅ Hido Cohen
New JSSLoader Trojan Delivered Through XLL Files
JSSLoader

2022-03-08 ⋅ Secureworks ⋅ Counter Threat Unit ResearchTeam
Excel Add-ins Deliver JSSLoader Malware
JSSLoader

2021-11-11 ⋅ splunk ⋅ Splunk Threat Research Team
FIN7 Tools Resurface in the Field – Splinter or Copycat?
JSSLoader Remcos

2021-11-04 ⋅ CrowdStrike ⋅ Eric Loui, Josh Reynolds
CARBON SPIDER Embraces Big Game Hunting, Part 2
BlackMatter Griffon BlackMatter DarkSide HiddenTear JSSLoader

2021-08-30 ⋅ CrowdStrike ⋅ Eric Loui, Josh Reynolds
CARBON SPIDER Embraces Big Game Hunting, Part 1
Bateleur Griffon Carbanak DarkSide JSSLoader PILLOWMINT REvil

2021-06-24 ⋅ Proofpoint ⋅ Dennis Schwarz, Matthew Mesa, Crista Giering
JSSLoader: Recoded and Reloaded
JSSLoader

2021-01-04 ⋅ Morphisec ⋅ Arnold Osipov
Threat Profile the Evolution of the FIN7 JSSLoader
JSSLoader

Yara Rules

[TLP:WHITE] win_jssloader_auto (20220411 | Detects win.jssloader.)

rule win_jssloader_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-04-08"
        version = "1"
        description = "Detects win.jssloader."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jssloader"
        malpedia_rule_date = "20220405"
        malpedia_hash = "ecd38294bd47d5589be5cd5490dc8bb4804afc2a"
        malpedia_version = "20220411"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 0f10856cfdffff c7401000000000 c6856cfdffff00 0f1100 c78594fdffff00000000 }
            // n = 5, score = 200
            //   0f10856cfdffff       | movups              xmm0, xmmword ptr [ebp - 0x294]
            //   c7401000000000       | mov                 dword ptr [eax + 0x10], 0
            //   c6856cfdffff00       | mov                 byte ptr [ebp - 0x294], 0
            //   0f1100               | movups              xmmword ptr [eax], xmm0
            //   c78594fdffff00000000     | mov    dword ptr [ebp - 0x26c], 0

        $sequence_1 = { 0f8768060000 e9???????? e8???????? 8bc8 c645fc07 8b7114 8bc6 }
            // n = 7, score = 200
            //   0f8768060000         | ja                  0x66e
            //   e9????????           |                     
            //   e8????????           |                     
            //   8bc8                 | mov                 ecx, eax
            //   c645fc07             | mov                 byte ptr [ebp - 4], 7
            //   8b7114               | mov                 esi, dword ptr [ecx + 0x14]
            //   8bc6                 | mov                 eax, esi

        $sequence_2 = { 660f289820a84300 660f2835???????? 660f59cf 660f58d1 }
            // n = 4, score = 200
            //   660f289820a84300     | movapd              xmm3, xmmword ptr [eax + 0x43a820]
            //   660f2835????????     |                     
            //   660f59cf             | mulpd               xmm1, xmm7
            //   660f58d1             | addpd               xmm2, xmm1

        $sequence_3 = { 68???????? 6a00 c785f0feffff00000000 c785f4feffff0f000000 c685e0feffff00 ff15???????? 8d4b04 }
            // n = 7, score = 200
            //   68????????           |                     
            //   6a00                 | push                0
            //   c785f0feffff00000000     | mov    dword ptr [ebp - 0x110], 0
            //   c785f4feffff0f000000     | mov    dword ptr [ebp - 0x10c], 0xf
            //   c685e0feffff00       | mov                 byte ptr [ebp - 0x120], 0
            //   ff15????????         |                     
            //   8d4b04               | lea                 ecx, dword ptr [ebx + 4]

        $sequence_4 = { 51 e8???????? 83c408 8b85bcfeffff c745ac00000000 c745b00f000000 c6459c00 }
            // n = 7, score = 200
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   8b85bcfeffff         | mov                 eax, dword ptr [ebp - 0x144]
            //   c745ac00000000       | mov                 dword ptr [ebp - 0x54], 0
            //   c745b00f000000       | mov                 dword ptr [ebp - 0x50], 0xf
            //   c6459c00             | mov                 byte ptr [ebp - 0x64], 0

        $sequence_5 = { 8d4dc0 e8???????? 8b5dd0 c645fc03 8d55c0 837dd410 8d8de8feffff }
            // n = 7, score = 200
            //   8d4dc0               | lea                 ecx, dword ptr [ebp - 0x40]
            //   e8????????           |                     
            //   8b5dd0               | mov                 ebx, dword ptr [ebp - 0x30]
            //   c645fc03             | mov                 byte ptr [ebp - 4], 3
            //   8d55c0               | lea                 edx, dword ptr [ebp - 0x40]
            //   837dd410             | cmp                 dword ptr [ebp - 0x2c], 0x10
            //   8d8de8feffff         | lea                 ecx, dword ptr [ebp - 0x118]

        $sequence_6 = { 83f81f 0f872b010000 52 51 e8???????? 83c408 837e1410 }
            // n = 7, score = 200
            //   83f81f               | cmp                 eax, 0x1f
            //   0f872b010000         | ja                  0x131
            //   52                   | push                edx
            //   51                   | push                ecx
            //   e8????????           |                     
            //   83c408               | add                 esp, 8
            //   837e1410             | cmp                 dword ptr [esi + 0x14], 0x10

        $sequence_7 = { c1fa06 8bce 83e13f 6bc938 8b0495701d4400 c644082801 8b0495701d4400 }
            // n = 7, score = 200
            //   c1fa06               | sar                 edx, 6
            //   8bce                 | mov                 ecx, esi
            //   83e13f               | and                 ecx, 0x3f
            //   6bc938               | imul                ecx, ecx, 0x38
            //   8b0495701d4400       | mov                 eax, dword ptr [edx*4 + 0x441d70]
            //   c644082801           | mov                 byte ptr [eax + ecx + 0x28], 1
            //   8b0495701d4400       | mov                 eax, dword ptr [edx*4 + 0x441d70]

        $sequence_8 = { 03f0 56 e8???????? 8b8534ffffff 83c40c 8b8d54feffff }
            // n = 6, score = 200
            //   03f0                 | add                 esi, eax
            //   56                   | push                esi
            //   e8????????           |                     
            //   8b8534ffffff         | mov                 eax, dword ptr [ebp - 0xcc]
            //   83c40c               | add                 esp, 0xc
            //   8b8d54feffff         | mov                 ecx, dword ptr [ebp - 0x1ac]

        $sequence_9 = { 57 8b7d08 eb6f 8b07 8d1c85581a4400 8b33 85f6 }
            // n = 7, score = 200
            //   57                   | push                edi
            //   8b7d08               | mov                 edi, dword ptr [ebp + 8]
            //   eb6f                 | jmp                 0x71
            //   8b07                 | mov                 eax, dword ptr [edi]
            //   8d1c85581a4400       | lea                 ebx, dword ptr [eax*4 + 0x441a58]
            //   8b33                 | mov                 esi, dword ptr [ebx]
            //   85f6                 | test                esi, esi

    condition:
        7 of them and filesize < 581632
}

Download all Yara Rules

JSSLoader Propose Change

References

Yara Rules

JSSLoader