win.tonerjam (Back to overview)

TONERJAM


According to Symantec, Grager was deployed against three organizations in Taiwan, Hong Kong, and Vietnam in April 2024. Analysis of the backdoor revealed that it used the Graph API to communicate with a C&C server hosted on Microsoft OneDrive. Grager was downloaded from a typosquatted URL mimicking the open-source file archiver 7-Zip.

References
2024-08-07 | Symantec | Threat Hunter Team
Cloud Cover: How Malicious Actors Are Leveraging Cloud Services
GoGra Grager MOONTAG Ondritols TONERJAM
2024-04-04 | Mandiant | Ashley Pearson, Austin Larsen, Billy Wong, John Wolfram, Joseph Pisano, Josh Murchie, Lukasz Lamparski, Matt Lin, Ron Craft, Ryan Hall, Shawn Chew, Tyler McLellan
Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies
BRICKSTORM TONERJAM UNC3569 UNC5266 UNC5291 UNC5330 UNC5337 UTA0178
2024-04-04 | Mandiant | Ashley Pearson, Austin Larsen, Billy Wong, John Wolfram, Joseph Pisano, Josh Murchie, Lukasz Lamparski, Matt Lin, Ron Craft, Ryan Hall, Shawn Chew, Tyler McLellan
Cutting Edge, Part 4: Ivanti Connect Secure VPN Post-Exploitation Lateral Movement Case Studies
BRICKSTORM TONERJAM
Yara Rules
[TLP:WHITE] win_tonerjam_auto (20260504 | Detects win.tonerjam.)
rule win_tonerjam_auto {

    // Auto-generated code-sequence signature (yara-signator). It matches when at
    // least 7 of the 10 hex sequences below are present and the scanned object is
    // smaller than 315392 bytes. There is no MZ/PE header check, so the rule also
    // applies to memory dumps and unpacked images (see the DISCLAIMER below).

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.tonerjam."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tonerjam"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    // NOTE(review): the "| mnemonic" annotations next to each byte group do not
    // appear to decode the bytes they sit beside (e.g. 0x48/0x49/0x4c REX-prefixed
    // x64 opcodes are annotated with 32-bit mnemonics, and several annotations look
    // shifted relative to their bytes). Treat them as informational only; only the
    // hex bytes on the $sequence_N lines are what the rule matches.
    // "ff15????????" encodes an indirect call whose 4-byte operand is wildcarded,
    // since the referenced address presumably differs between builds/loads; it
    // contributes little discriminating weight on its own.

    strings:
        $sequence_0 = { 4933fa 4b87bcfe601d0200 33c0 488b5c2450 488b6c2458 }
            // n = 5, score = 100
            //   4933fa               | inc                 edx
            //   4b87bcfe601d0200     | mov                 cl, byte ptr [edx + esi*8 + 0x3d]
            //   33c0                 | inc                 esp
            //   488b5c2450           | lea                 eax, [edx + 0x14]
            //   488b6c2458           | inc                 esp

        $sequence_1 = { 4889442420 488bd3 498bce ff15???????? b801000000 }
            // n = 5, score = 100
            //   4889442420           | vmulsd              xmm1, xmm1, qword ptr [ecx + eax*8]
            //   488bd3               | dec                 esp
            //   498bce               | lea                 ecx, [0x94c5]
            //   ff15????????         |                     
            //   b801000000           | vmulsd              xmm0, xmm1, xmm1

        $sequence_2 = { 4889442420 ff15???????? 85c0 7431 488b4c2458 488d442440 4533c9 }
            // n = 7, score = 100
            //   4889442420           | lea                 esi, [0x10c6f]
            //   ff15????????         |                     
            //   85c0                 | mov                 dword ptr [ebx + 0x50], esi
            //   7431                 | inc                 dword ptr [ecx + 0x470]
            //   488b4c2458           | cmp                 dword ptr [ecx + 0x470], 2
            //   488d442440           | je                  0x15d5
            //   4533c9               | mov                 ebp, 0x20

        $sequence_3 = { 83b97004000002 0f84e7010000 bd20000000 4c8d35520a0100 897350 89732c }
            // n = 6, score = 100
            //   83b97004000002       | lea                 eax, [0x9f95]
            //   0f84e7010000         | inc                 ecx
            //   bd20000000           | mov                 ecx, 0x1b
            //   4c8d35520a0100       | dec                 eax
            //   897350               | add                 esp, 0x20
            //   89732c               | pop                 ebx

        $sequence_4 = { 488d5560 41b808020000 ff15???????? 488d4d60 ff15???????? 660f6f05???????? }
            // n = 6, score = 100
            //   488d5560             | lea                 eax, [ecx - 1]
            //   41b808020000         | mov                 eax, dword ptr [edx + eax*4 + 0x18968]
            //   ff15????????         |                     
            //   488d4d60             | test                eax, eax
            //   ff15????????         |                     
            //   660f6f05????????     |                     

        $sequence_5 = { 448d4220 ff15???????? 660f6f05???????? 488d45a0 660f6f0d???????? }
            // n = 5, score = 100
            //   448d4220             | jne                 0x143a
            //   ff15????????         |                     
            //   660f6f05????????     |                     
            //   488d45a0             | mov                 dword ptr [esp + 0x50], ebp
            //   660f6f0d????????     |                     

        $sequence_6 = { eb0b 4803f6 418b84f718a40100 85c0 7816 3de4000000 730f }
            // n = 7, score = 100
            //   eb0b                 | lea                 ecx, [0xc2e7]
            //   4803f6               | mov                 ebx, edx
            //   418b84f718a40100     | dec                 esp
            //   85c0                 | lea                 eax, [0xc2d6]
            //   7816                 | dec                 eax
            //   3de4000000           | mov                 edi, ecx
            //   730f                 | dec                 eax

        $sequence_7 = { 4883f8ff 74c8 488bd3 4c8d0512e80000 83e23f 488bcb }
            // n = 6, score = 100
            //   4883f8ff             | movapd              xmm0, xmm1
            //   74c8                 | dec                 esp
            //   488bd3               | lea                 ecx, [0xc4e0]
            //   4c8d0512e80000       | mov                 ecx, 0x1c
            //   83e23f               | dec                 esp
            //   488bcb               | lea                 eax, [0xc4d0]

        $sequence_8 = { f30f6f40c0 660fefc8 f30f7f48c0 660f6fca f30f6f40d0 660fefc2 }
            // n = 6, score = 100
            //   f30f6f40c0           | dec                 eax
            //   660fefc8             | lea                 ecx, [0x192d9]
            //   f30f7f48c0           | dec                 eax
            //   660f6fca             | lea                 ecx, [0x192d5]
            //   f30f6f40d0           | dec                 eax
            //   660fefc2             | lea                 ecx, [0x11ae0]

        $sequence_9 = { 33d2 48897c2430 89442428 4c8d8590050000 448bcb 40883e 4889742420 }
            // n = 7, score = 100
            //   33d2                 | mov                 eax, 0x101
            //   48897c2430           | inc                 ecx
            //   89442428             | mov                 eax, esi
            //   4c8d8590050000       | dec                 ebp
            //   448bcb               | lea                 ecx, [ebp + 0x10]
            //   40883e               | dec                 esp
            //   4889742420           | lea                 edi, [0x13484]

    condition:
        // NOTE(review): the 7-of-10 threshold and the filesize cap are derived from
        // the sample(s) the generator saw; per the DISCLAIMER only single samples
        // may be documented, so both may need tuning for other builds of the family.
        7 of them and filesize < 315392
}
[TLP:WHITE] win_tonerjam_w0   (20241029 | No description)
rule win_tonerjam_w0 {
    // Vendor-authored (Mandiant) signature for an on-disk PE: the condition first
    // requires the MZ and PE\0\0 magic values, then two wildcarded code patterns,
    // each restricted to a window of file offsets. The offset windows make the
    // rule layout-specific; a memory dump, an unpacked image or a build with a
    // different section layout may not match even if the code is present.
    meta:
        author = "Mandiant"
        source = "https://cloud.google.com/blog/topics/threat-intelligence/ivanti-post-exploitation-lateral-movement"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.tonerjam"
        malpedia_version = "20241029"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
        
    strings:
        // "??" wildcards a single byte and "[4]" skips exactly four bytes
        // (presumably rel32/imm32 operands that differ between samples, e.g. after
        // the e9 jmp and b8 mov opcodes) — confirm against the source write-up.
        $p00_0 = {e9[4]488b41??668338??75??4883c0??488941??b8[4]eb??b8}
        $p00_1 = {8030??488d40??41ffc14183f9??72??ba[4]488d4c24??e8[4]488d0d}

    condition:
        // MZ at offset 0 and "PE\0\0" at e_lfanew (the uint32 stored at 0x3C).
        uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and
        (
            // both patterns must occur within their expected file-offset ranges
            ($p00_0 in (17000..28000) and $p00_1 in (3700..14000))
        )
}