SYMBOLCOMMON_NAMEaka. SYNONYMS
win.sysjoker (Back to overview)

SysJoker


Sysjoker is a backdoor malware that was first discovered in December 2021 by Intezer. It is sophisticated and written from scratch in C++. Sysjoker is a cross-platform malware that has Linux, Windows, and macOS variants. Possible attack vectors for Sysjoker are email attachments, malicious advertisements, and trojanized software.

References
2022-03-23vmwareSagar Daundkar, Threat Analysis Unit
@online{daundkar:20220323:sysjoker:d8a1ba0, author = {Sagar Daundkar and Threat Analysis Unit}, title = {{SysJoker – An Analysis of a Multi-OS RAT}}, date = {2022-03-23}, organization = {vmware}, url = {https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html}, language = {English}, urldate = {2022-04-04} } SysJoker – An Analysis of a Multi-OS RAT
SysJoker SysJoker SysJoker
2022-01-11BleepingComputerBill Toulas
@online{toulas:20220111:new:b66f357, author = {Bill Toulas}, title = {{New SysJoker backdoor targets Windows, macOS, and Linux}}, date = {2022-01-11}, organization = {BleepingComputer}, url = {https://www.bleepingcomputer.com/news/security/new-sysjoker-backdoor-targets-windows-macos-and-linux/}, language = {English}, urldate = {2022-02-04} } New SysJoker backdoor targets Windows, macOS, and Linux
SysJoker SysJoker SysJoker
2022-01-11IntezerAvigayil Mechtinger, Ryan Robinson, Nicole Fishbein
@online{mechtinger:20220111:new:09e24da, author = {Avigayil Mechtinger and Ryan Robinson and Nicole Fishbein}, title = {{New SysJoker Backdoor Targets Windows, Linux, and macOS}}, date = {2022-01-11}, organization = {Intezer}, url = {https://www.intezer.com/blog/malware-analysis/new-backdoor-sysjoker/}, language = {English}, urldate = {2022-01-13} } New SysJoker Backdoor Targets Windows, Linux, and macOS
SysJoker SysJoker SysJoker
Yara Rules
[TLP:WHITE] win_sysjoker_auto (20230125 | Detects win.sysjoker.)
rule win_sysjoker_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-01-25"
        version = "1"
        description = "Detects win.sysjoker."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.sysjoker"
        malpedia_rule_date = "20230124"
        malpedia_hash = "2ee0eebba83dce3d019a90519f2f972c0fcf9686"
        malpedia_version = "20230125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff10 85c0 0f8480060000 8d7010 89b5b0fdffff 85db 0f88a1060000 }
            // n = 7, score = 100
            //   ff10                 | call                dword ptr [eax]
            //   85c0                 | test                eax, eax
            //   0f8480060000         | je                  0x686
            //   8d7010               | lea                 esi, [eax + 0x10]
            //   89b5b0fdffff         | mov                 dword ptr [ebp - 0x250], esi
            //   85db                 | test                ebx, ebx
            //   0f88a1060000         | js                  0x6a7

        $sequence_1 = { 3bc2 7317 e8???????? c70022000000 e8???????? b822000000 eb10 }
            // n = 7, score = 100
            //   3bc2                 | cmp                 eax, edx
            //   7317                 | jae                 0x19
            //   e8????????           |                     
            //   c70022000000         | mov                 dword ptr [eax], 0x22
            //   e8????????           |                     
            //   b822000000           | mov                 eax, 0x22
            //   eb10                 | jmp                 0x12

        $sequence_2 = { 8b45e4 83c40c 897dac 8945a8 8d4598 c645fc05 50 }
            // n = 7, score = 100
            //   8b45e4               | mov                 eax, dword ptr [ebp - 0x1c]
            //   83c40c               | add                 esp, 0xc
            //   897dac               | mov                 dword ptr [ebp - 0x54], edi
            //   8945a8               | mov                 dword ptr [ebp - 0x58], eax
            //   8d4598               | lea                 eax, [ebp - 0x68]
            //   c645fc05             | mov                 byte ptr [ebp - 4], 5
            //   50                   | push                eax

        $sequence_3 = { 837e1408 8bc6 7202 8b06 66837c50fe3b 740e 6a01 }
            // n = 7, score = 100
            //   837e1408             | cmp                 dword ptr [esi + 0x14], 8
            //   8bc6                 | mov                 eax, esi
            //   7202                 | jb                  4
            //   8b06                 | mov                 eax, dword ptr [esi]
            //   66837c50fe3b         | cmp                 word ptr [eax + edx*2 - 2], 0x3b
            //   740e                 | je                  0x10
            //   6a01                 | push                1

        $sequence_4 = { 85c9 0f841b040000 8b01 ff500c 838d90fdffff04 8d7010 8b47f4 }
            // n = 7, score = 100
            //   85c9                 | test                ecx, ecx
            //   0f841b040000         | je                  0x421
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   ff500c               | call                dword ptr [eax + 0xc]
            //   838d90fdffff04       | or                  dword ptr [ebp - 0x270], 4
            //   8d7010               | lea                 esi, [eax + 0x10]
            //   8b47f4               | mov                 eax, dword ptr [edi - 0xc]

        $sequence_5 = { c645fc2b 50 8d55ac 8d4db4 e8???????? 83c404 8d4da8 }
            // n = 7, score = 100
            //   c645fc2b             | mov                 byte ptr [ebp - 4], 0x2b
            //   50                   | push                eax
            //   8d55ac               | lea                 edx, [ebp - 0x54]
            //   8d4db4               | lea                 ecx, [ebp - 0x4c]
            //   e8????????           |                     
            //   83c404               | add                 esp, 4
            //   8d4da8               | lea                 ecx, [ebp - 0x58]

        $sequence_6 = { d3e0 85d0 0f8475faffff 8b4dfc 83c605 83c102 894dfc }
            // n = 7, score = 100
            //   d3e0                 | shl                 eax, cl
            //   85d0                 | test                eax, edx
            //   0f8475faffff         | je                  0xfffffa7b
            //   8b4dfc               | mov                 ecx, dword ptr [ebp - 4]
            //   83c605               | add                 esi, 5
            //   83c102               | add                 ecx, 2
            //   894dfc               | mov                 dword ptr [ebp - 4], ecx

        $sequence_7 = { ff5010 8bc8 85c9 7437 8b450c 8d3458 8b01 }
            // n = 7, score = 100
            //   ff5010               | call                dword ptr [eax + 0x10]
            //   8bc8                 | mov                 ecx, eax
            //   85c9                 | test                ecx, ecx
            //   7437                 | je                  0x39
            //   8b450c               | mov                 eax, dword ptr [ebp + 0xc]
            //   8d3458               | lea                 esi, [eax + ebx*2]
            //   8b01                 | mov                 eax, dword ptr [ecx]

        $sequence_8 = { 85f6 7f08 8b0a 52 8b01 ff5004 68???????? }
            // n = 7, score = 100
            //   85f6                 | test                esi, esi
            //   7f08                 | jg                  0xa
            //   8b0a                 | mov                 ecx, dword ptr [edx]
            //   52                   | push                edx
            //   8b01                 | mov                 eax, dword ptr [ecx]
            //   ff5004               | call                dword ptr [eax + 4]
            //   68????????           |                     

        $sequence_9 = { 8d4df3 51 52 8d4e20 e8???????? 8b460c }
            // n = 6, score = 100
            //   8d4df3               | lea                 ecx, [ebp - 0xd]
            //   51                   | push                ecx
            //   52                   | push                edx
            //   8d4e20               | lea                 ecx, [esi + 0x20]
            //   e8????????           |                     
            //   8b460c               | mov                 eax, dword ptr [esi + 0xc]

    condition:
        7 of them and filesize < 832512
}
Download all Yara Rules