win.jupiter

Jupiter

aka: EarlyRAT

Actor(s): Silent Chollima


There is no description at this point.

References
2023-06-28 — Kaspersky Labs — GReAT
@online{great:20230628:andariels:21f9242, author = {GReAT}, title = {{Andariel’s silly mistakes and a new malware family}}, date = {2023-06-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/lazarus-andariel-mistakes-and-easyrat/110119/}, language = {English}, urldate = {2023-07-11} } Andariel’s silly mistakes and a new malware family
Jupiter
2023-05-17 — Medium (@DCSO_CyTec) — Johann Aydinbas, Emilia Neuber, Kritika Roy, Axel Wauer, Jiro Minier
@online{aydinbas:20230517:andariels:517dbe2, author = {Johann Aydinbas and Emilia Neuber and Kritika Roy and Axel Wauer and Jiro Minier}, title = {{Andariel’s “Jupiter” malware and the case of the curious C2}}, date = {2023-05-17}, organization = {Medium (@DCSO_CyTec)}, url = {https://medium.com/@DCSO_CyTec/andariels-jupiter-malware-and-the-case-of-the-curious-c2-dbfe29f57499}, language = {English}, urldate = {2023-05-21} } Andariel’s “Jupiter” malware and the case of the curious C2
Jupiter
Yara Rules
[TLP:WHITE] win_jupiter_auto (20230715 | Detects win.jupiter.)
rule win_jupiter_auto {
    // Auto-generated (yara-signator) code-sequence rule for the family Malpedia
    // tracks as win.jupiter (aka EarlyRAT). The ten $sequence_* hex patterns below
    // are byte runs taken from disassembly; the DISCLAIMER explains why coverage
    // beyond the documented sample(s) is uncertain.

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.jupiter."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.jupiter"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the "//   <bytes>   | <mnemonic>" annotations under each
     * sequence are a generator artifact and should not be read as the matched
     * instructions. They look like a 32-bit-mode decode of what appear to be
     * 64-bit byte runs (most groups start with a 0x41/0x48/0x49/0x4c REX prefix,
     * which the annotations render as "dec eax" / "inc ecx" etc.), and they do not
     * line up one-to-one with the byte groups. Only the hex patterns are matched
     * by the engine. The "????????" wildcards stand in for 4-byte operands that
     * differ between builds (e.g. after e8 / ff15 / rip-relative loads), so the
     * surrounding opcode bytes still have to match exactly.
     */

    strings:
        $sequence_0 = { 448d4b01 4c89742438 4c89742430 33d2 33c9 4489742428 4c89742420 }
            // n = 7, score = 100
            //   448d4b01             | dec                 eax
            //   4c89742438           | mov                 dword ptr [esp + 0x90], eax
            //   4c89742430           | dec                 eax
            //   33d2                 | mov                 eax, dword ptr [esp + 0x140]
            //   33c9                 | dec                 ebp
            //   4489742428           | mov                 ebx, eax
            //   4c89742420           | dec                 eax

        $sequence_1 = { 4883ec10 e8???????? 4883c410 488b542478 }
            // n = 4, score = 100
            //   4883ec10             | mov                 eax, dword ptr [ebx]
            //   e8????????           |                     
            //   4883c410             | dec                 eax
            //   488b542478           | add                 ebx, ebp

        $sequence_2 = { 4883ec28 4c8b05???????? 33d2 488b0d???????? ff15???????? 488b0d???????? }
            // n = 6, score = 100
            //   4883ec28             | dec                 ebp
            //   4c8b05????????       |                     
            //   33d2                 | arpl                sp, cx
            //   488b0d????????       |                     
            //   ff15????????         |                     
            //   488b0d????????       |                     

        $sequence_3 = { 4883ec20 e8???????? 4883c428 e9???????? 48ba2800014001000000 488d0debf50000 4883ec28 }
            // n = 7, score = 100
            //   4883ec20             | dec                 ecx
            //   e8????????           |                     
            //   4883c428             | mov                 edi, eax
            //   e9????????           |                     
            //   48ba2800014001000000     | dec    ecx
            //   488d0debf50000       | inc                 esi
            //   4883ec28             | dec                 ebp

        $sequence_4 = { 7c40 498b08 4885c9 7408 498b4008 48894108 }
            // n = 6, score = 100
            //   7c40                 | dec                 eax
            //   498b08               | add                 esp, 0x28
            //   4885c9               | dec                 eax
            //   7408                 | mov                 ecx, dword ptr [esp + 0x38]
            //   498b4008             | dec                 eax
            //   48894108             | add                 esp, 0x28

        $sequence_5 = { 41394020 7560 4183781801 498b08 751a 4885c9 }
            // n = 6, score = 100
            //   41394020             | arpl                bx, dx
            //   7560                 | dec                 esp
            //   4183781801           | mov                 eax, eax
            //   498b08               | mov                 edx, edi
            //   751a                 | dec                 ecx
            //   4885c9               | mov                 ecx, edi

        $sequence_6 = { 48896f20 48897748 e8???????? 4885c0 7404 834f4402 }
            // n = 6, score = 100
            //   48896f20             | add                 esp, 0x38
            //   48897748             | ret                 
            //   e8????????           |                     
            //   4885c0               | dec                 eax
            //   7404                 | sub                 esp, 0x38
            //   834f4402             | and                 dword ptr [esp + 0x28], 0

        $sequence_7 = { 480bdb 0f1f440000 48ffc3 6644393c59 75f6 418bd1 }
            // n = 6, score = 100
            //   480bdb               | pop                 edx
            //   0f1f440000           | dec                 esp
            //   48ffc3               | mov                 edi, dword ptr [esp + 0x40]
            //   6644393c59           | dec                 ecx
            //   75f6                 | inc                 edi
            //   418bd1               | pop                 ecx

        $sequence_8 = { 5a 4883ec28 e8???????? 4883c428 ff35???????? 488b15???????? }
            // n = 6, score = 100
            //   5a                   | mov                 ecx, dword ptr [ebx]
            //   4883ec28             | dec                 eax
            //   e8????????           |                     
            //   4883c428             | add                 ebx, ebp
            //   ff35????????         |                     
            //   488b15????????       |                     

        $sequence_9 = { 488d4c2448 5a e8???????? 6801000000 ff742440 59 5a }
            // n = 7, score = 100
            //   488d4c2448           | and                 dword ptr [eax + 8], 0
            //   5a                   | jne                 0x479
            //   e8????????           |                     
            //   6801000000           | dec                 eax
            //   ff742440             | lea                 edx, [ebp - 0x60]
            //   59                   | dec                 eax
            //   5a                   | mov                 ecx, ebx

    condition:
        // Any 7 of the 10 sequences must be present, which tolerates some
        // per-build variation in the remaining three. The size cap restricts the
        // rule to files below 157696 bytes (~154 KiB).
        // NOTE(review): in YARA `filesize` is, as far as I recall, undefined when
        // scanning process memory, which would make this whole condition fail on
        // memory scans; confirm, and drop or relax the clause if the rule is
        // meant for unpacked/in-memory use (the DISCLAIMER says the sequences
        // were partly taken from memory dumps).
        7 of them and filesize < 157696
}