win.sysjoker

SysJoker


SysJoker is a backdoor first discovered by Intezer in December 2021. It is written from scratch in C++ and is cross-platform, with Windows, Linux, and macOS variants. Suspected infection vectors include email attachments, malicious advertisements, and trojanized software; the initial access path has not been confirmed in the references below.

References
2022-03-23 · vmware · Sagar Daundkar, Threat Analysis Unit
@online{daundkar:20220323:sysjoker:d8a1ba0, author = {Sagar Daundkar and Threat Analysis Unit}, title = {{SysJoker – An Analysis of a Multi-OS RAT}}, date = {2022-03-23}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html}, language = {English}, urldate = {2022-04-04} } SysJoker – An Analysis of a Multi-OS RAT
SysJoker SysJoker SysJoker
2022-01-11 · BleepingComputer · Bill Toulas
@online{toulas:20220111:new:b66f357, author = {Bill Toulas}, title = {{New SysJoker backdoor targets Windows, macOS, and Linux}}, date = {2022-01-11}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/}, language = {English}, urldate = {2022-02-04} } New SysJoker backdoor targets Windows, macOS, and Linux
SysJoker SysJoker SysJoker
2022-01-11 · Intezer · Avigayil Mechtinger, Ryan Robinson, Nicole Fishbein
@online{mechtinger:20220111:new:09e24da, author = {Avigayil Mechtinger and Ryan Robinson and Nicole Fishbein}, title = {{New SysJoker Backdoor Targets Windows, Linux, and macOS}}, date = {2022-01-11}, organization = {Intezer}, url = {https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/}, language = {English}, urldate = {2022-01-13} } New SysJoker Backdoor Targets Windows, Linux, and macOS
SysJoker SysJoker SysJoker
Yara Rules
[TLP:WHITE] win_sysjoker_auto (20230715 | Detects win.sysjoker.)
rule win_sysjoker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-07-11"
        version = "1"
        description = "Detects win.sysjoker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysjoker"
        malpedia_rule_date = "20230705"
        malpedia_hash = "42d0574f4405bd7d2b154d321d345acb18834a41"
        malpedia_version = "20230715"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* REVIEW NOTES
     * - Every sequence below is 32-bit x86 machine code (ebp-relative stack
     *   frames, push/call argument passing), so this rule covers the 32-bit
     *   Windows SysJoker build only; it will not match the Linux or macOS
     *   variants, nor a 64-bit rebuild.
     * - The "????????" wildcards mask the 4-byte operands of call / push / mov
     *   instructions, presumably so that build-dependent addresses and
     *   relative displacements do not anchor the match.
     * - Sequences are taken from unpacked code; a packed or obfuscated sample
     *   on disk will not match until it is unpacked or dumped from memory.
     */

    strings:
        $sequence_0 = { c645fc08 e8???????? 8d4584 c7458090a34400 50 e8???????? 83c404 }
            // n = 7, score = 100
            //   c645fc08             | mov                 byte ptr [ebp - 4], 8
            //   e8????????           |                     
            //   8d4584               | lea                 eax, [ebp - 0x7c]
            //   c7458090a34400       | mov                 dword ptr [ebp - 0x80], 0x44a390
            //   50                   | push                eax
            //   e8????????           |                     
            //   83c404               | add                 esp, 4

        $sequence_1 = { 3def000000 7537 8bce e8???????? 3dbb000000 750e 8bce }
            // n = 7, score = 100
            // Compares a return value against two small constants (0xef, 0xbb);
            // NOTE(review): the meaning of these values is not established here.
            //   3def000000           | cmp                 eax, 0xef
            //   7537                 | jne                 0x39
            //   8bce                 | mov                 ecx, esi
            //   e8????????           |                     
            //   3dbb000000           | cmp                 eax, 0xbb
            //   750e                 | jne                 0x10
            //   8bce                 | mov                 ecx, esi

        $sequence_2 = { e8???????? 51 8d45b8 c645fc1f 8bcc ba???????? 50 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   51                   | push                ecx
            //   8d45b8               | lea                 eax, [ebp - 0x48]
            //   c645fc1f             | mov                 byte ptr [ebp - 4], 0x1f
            //   8bcc                 | mov                 ecx, esp
            //   ba????????           |                     
            //   50                   | push                eax

        $sequence_3 = { 7214 8b49fc 83c223 2bc1 83c0fc 83f81f 0f8785080000 }
            // n = 7, score = 100
            //   7214                 | jb                  0x16
            //   8b49fc               | mov                 ecx, dword ptr [ecx - 4]
            //   83c223               | add                 edx, 0x23
            //   2bc1                 | sub                 eax, ecx
            //   83c0fc               | add                 eax, -4
            //   83f81f               | cmp                 eax, 0x1f
            //   0f8785080000         | ja                  0x88b

        $sequence_4 = { c20c00 6816020780 e8???????? e8???????? 6805400080 e8???????? 6857000780 }
            // n = 7, score = 100
            // The pushed immediates look like Windows HRESULT codes
            // (0x80004005 = E_FAIL, 0x80070057 = E_INVALIDARG, 0x80070216 =
            // HRESULT_FROM_WIN32(ERROR_ARITHMETIC_OVERFLOW)); such error-throwing
            // stubs are common to many MSVC binaries, so this sequence is likely
            // weaker evidence of the family than the others -- confirm before
            // weighting it on its own.
            //   c20c00               | ret                 0xc
            //   6816020780           | push                0x80070216
            //   e8????????           |                     
            //   e8????????           |                     
            //   6805400080           | push                0x80004005
            //   e8????????           |                     
            //   6857000780           | push                0x80070057

        $sequence_5 = { 8b55b4 880411 8bc6 8b7594 40 42 33c9 }
            // n = 7, score = 100
            //   8b55b4               | mov                 edx, dword ptr [ebp - 0x4c]
            //   880411               | mov                 byte ptr [ecx + edx], al
            //   8bc6                 | mov                 eax, esi
            //   8b7594               | mov                 esi, dword ptr [ebp - 0x6c]
            //   40                   | inc                 eax
            //   42                   | inc                 edx
            //   33c9                 | xor                 ecx, ecx

        $sequence_6 = { 88440f2b 83fa03 7511 8b45fc 8b0c85c0fc4500 8a06 46 }
            // n = 7, score = 100
            // Byte-wise copy loop with a table lookup at a fixed image address
            // (0x45fcc0); the absolute address ties this sequence to the
            // analysed build's base address and section layout.
            //   88440f2b             | mov                 byte ptr [edi + ecx + 0x2b], al
            //   83fa03               | cmp                 edx, 3
            //   7511                 | jne                 0x13
            //   8b45fc               | mov                 eax, dword ptr [ebp - 4]
            //   8b0c85c0fc4500       | mov                 ecx, dword ptr [eax*4 + 0x45fcc0]
            //   8a06                 | mov                 al, byte ptr [esi]
            //   46                   | inc                 esi

        $sequence_7 = { 8d5110 c70200000000 c741140f000000 c60100 83791410 0f93c0 }
            // n = 6, score = 100
            // NOTE(review): zeroing a length field, setting capacity 0xf and
            // comparing against 0x10 resembles MSVC std::string small-buffer
            // initialisation, i.e. runtime/compiler code rather than
            // family-specific logic -- TODO confirm; if so it adds little
            // discriminating power on its own.
            //   8d5110               | lea                 edx, [ecx + 0x10]
            //   c70200000000         | mov                 dword ptr [edx], 0
            //   c741140f000000       | mov                 dword ptr [ecx + 0x14], 0xf
            //   c60100               | mov                 byte ptr [ecx], 0
            //   83791410             | cmp                 dword ptr [ecx + 0x14], 0x10
            //   0f93c0               | setae               al

        $sequence_8 = { e8???????? 8d8d74ffffff e8???????? 8d4d84 e8???????? c645fc17 8bc7 }
            // n = 7, score = 100
            //   e8????????           |                     
            //   8d8d74ffffff         | lea                 ecx, [ebp - 0x8c]
            //   e8????????           |                     
            //   8d4d84               | lea                 ecx, [ebp - 0x7c]
            //   e8????????           |                     
            //   c645fc17             | mov                 byte ptr [ebp - 4], 0x17
            //   8bc7                 | mov                 eax, edi

        $sequence_9 = { e8???????? 83c404 8d8540fcffff 68???????? 50 e8???????? 68???????? }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8d8540fcffff         | lea                 eax, [ebp - 0x3c0]
            //   68????????           |                     
            //   50                   | push                eax
            //   e8????????           |                     
            //   68????????           |                     

    condition:
        // Any 7 of the 10 code sequences must be present, which tolerates a few
        // sequences being recompiled away or shifted between builds.
        // The size bound is derived from the single analysed sample: a sample
        // padded, repacked or bundled with extra resources beyond ~812 KiB will
        // not match even if all sequences are present. Note also that YARA's
        // `filesize` is undefined when scanning a running process, so this rule
        // is effectively file-only; drop the bound for memory scans.
        7 of them and filesize < 832512
}