Common Information
| Type | Value |
|---|---|
| Value |
rule JollyJellyfish_identify_shellcode_start_addr {
meta:
author = "NCSC"
description = "Detects Jolly Jellyfish finding the start address
of the shellcode in the downloaded data"
date = "2021-12-15"
hash1 = "e99d5a620a488133f4da24e1f8d2d5e68542b6f3"
hash2 = "d28eacb1b4d2e9ef54f7dff09ca03a6866fc9184"
hash3 = "834e80f6fa9935fd3184c25e4e37b0a068a773ee"
hash4 = "ba5558d79dadc12bbbe07e3444441d51d5e5931e"
strings:
$1 = { 48 89 84 24 ?? 00 00 00 48 8B 84 24 ?? 00 00 00 8B 40 0A 48 8B 4C 24 ?? 48 8D 44 01 03 }
$2 = { 8B 43 0A 48 83 C0 03 48 03 D8 }
condition:
uint16(0) == 0x5A4D and uint32(uint32(0x3c)) == 0x00004550 and any of them
}
|
| Category | |
| Type | Yara Rule |
| Misp Type | |
| Description |