SYMBOLCOMMON_NAMEaka. SYNONYMS
win.sysjoker (Back to overview)

SysJoker

VTCollection    

Sysjoker is a backdoor malware that was first discovered in December 2021 by Intezer. It is sophisticated and written from scratch in C++. Sysjoker is a cross-platform malware that has Linux, Windows, and macOS variants. Possible attack vectors for Sysjoker are email attachments, malicious advertisements, and trojanized software.

References
2023-11-23Check Point ResearchCheck Point Research
Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker
SysJoker
2022-03-23vmwareSagar Daundkar, Threat Analysis Unit
SysJoker – An Analysis of a Multi-OS RAT
SysJoker SysJoker SysJoker
2022-01-11IntezerAvigayil Mechtinger, Nicole Fishbein, Ryan Robinson
New SysJoker Backdoor Targets Windows, Linux, and macOS
SysJoker SysJoker SysJoker
2022-01-11BleepingComputerBill Toulas
New SysJoker backdoor targets Windows, macOS, and Linux
SysJoker SysJoker SysJoker
Yara Rules
[TLP:WHITE] win_sysjoker_auto (20230808 | Detects win.sysjoker.)
rule win_sysjoker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-12-06"
        version = "1"
        description = "Detects win.sysjoker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysjoker"
        malpedia_rule_date = "20231130"
        malpedia_hash = "fc8a0e9f343f6d6ded9e7df1a64dac0cc68d7351"
        malpedia_version = "20230808"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 50 e8???????? 837de400 7416 }
            // n = 4, score = 100
            //   50                   | push                eax
            //   e8????????           |                     
            //   837de400             | cmp                 dword ptr [ebp - 0x1c], 0
            //   7416                 | je                  0x18

        $sequence_1 = { c746140f000000 c60600 e8???????? c7461060000000 8d4dd4 c746146f000000 0f1005???????? }
            // n = 7, score = 100
            //   c746140f000000       | mov                 dword ptr [esi + 0x14], 0xf
            //   c60600               | mov                 byte ptr [esi], 0
            //   e8????????           |                     
            //   c7461060000000       | mov                 dword ptr [esi + 0x10], 0x60
            //   8d4dd4               | lea                 ecx, [ebp - 0x2c]
            //   c746146f000000       | mov                 dword ptr [esi + 0x14], 0x6f
            //   0f1005????????       |                     

        $sequence_2 = { ffd6 e9???????? 8bb5a8efffff 85f6 0f84ce000000 6808020000 8d85e8fdffff }
            // n = 7, score = 100
            //   ffd6                 | call                esi
            //   e9????????           |                     
            //   8bb5a8efffff         | mov                 esi, dword ptr [ebp - 0x1058]
            //   85f6                 | test                esi, esi
            //   0f84ce000000         | je                  0xd4
            //   6808020000           | push                0x208
            //   8d85e8fdffff         | lea                 eax, [ebp - 0x218]

        $sequence_3 = { 8d4dac e8???????? 8d4dc8 e8???????? 8d8d74ffffff c645fc1b e8???????? }
            // n = 7, score = 100
            //   8d4dac               | lea                 ecx, [ebp - 0x54]
            //   e8????????           |                     
            //   8d4dc8               | lea                 ecx, [ebp - 0x38]
            //   e8????????           |                     
            //   8d8d74ffffff         | lea                 ecx, [ebp - 0x8c]
            //   c645fc1b             | mov                 byte ptr [ebp - 4], 0x1b
            //   e8????????           |                     

        $sequence_4 = { 8bc2 b9ffffff7f 83c80f 3dffffff7f 0f47c1 894584 40 }
            // n = 7, score = 100
            //   8bc2                 | mov                 eax, edx
            //   b9ffffff7f           | mov                 ecx, 0x7fffffff
            //   83c80f               | or                  eax, 0xf
            //   3dffffff7f           | cmp                 eax, 0x7fffffff
            //   0f47c1               | cmova               eax, ecx
            //   894584               | mov                 dword ptr [ebp - 0x7c], eax
            //   40                   | inc                 eax

        $sequence_5 = { 7cd5 33db 395d90 7650 0f1f4000 660f1f840000000000 83bd78ffffff10 }
            // n = 7, score = 100
            //   7cd5                 | jl                  0xffffffd7
            //   33db                 | xor                 ebx, ebx
            //   395d90               | cmp                 dword ptr [ebp - 0x70], ebx
            //   7650                 | jbe                 0x52
            //   0f1f4000             | nop                 dword ptr [eax]
            //   660f1f840000000000     | nop    word ptr [eax + eax]
            //   83bd78ffffff10       | cmp                 dword ptr [ebp - 0x88], 0x10

        $sequence_6 = { 6a02 68???????? e8???????? 8b8534efffff 83c618 8b8d4cefffff 40 }
            // n = 7, score = 100
            //   6a02                 | push                2
            //   68????????           |                     
            //   e8????????           |                     
            //   8b8534efffff         | mov                 eax, dword ptr [ebp - 0x10cc]
            //   83c618               | add                 esi, 0x18
            //   8b8d4cefffff         | mov                 ecx, dword ptr [ebp - 0x10b4]
            //   40                   | inc                 eax

        $sequence_7 = { e8???????? 83c404 8b8780000000 33f6 89b534efffff }
            // n = 5, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8b8780000000         | mov                 eax, dword ptr [edi + 0x80]
            //   33f6                 | xor                 esi, esi
            //   89b534efffff         | mov                 dword ptr [ebp - 0x10cc], esi

        $sequence_8 = { 6a01 8bce e8???????? 84c0 0f84c2feffff e9???????? 8b4778 }
            // n = 7, score = 100
            //   6a01                 | push                1
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   84c0                 | test                al, al
            //   0f84c2feffff         | je                  0xfffffec8
            //   e9????????           |                     
            //   8b4778               | mov                 eax, dword ptr [edi + 0x78]

        $sequence_9 = { e8???????? 83c010 8906 51 c645fc25 8bf4 89b508fdffff }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c010               | add                 eax, 0x10
            //   8906                 | mov                 dword ptr [esi], eax
            //   51                   | push                ecx
            //   c645fc25             | mov                 byte ptr [ebp - 4], 0x25
            //   8bf4                 | mov                 esi, esp
            //   89b508fdffff         | mov                 dword ptr [ebp - 0x2f8], esi

    condition:
        7 of them and filesize < 832512
}
Download all Yara Rules