Jolly Jellyfish
Common Information
Type | Value |
---|---|
UUID | beddd297-e50f-4f09-8ffb-a31e7589a80c |
Fingerprint | 96c9b951db4f2b11e94e118c451f9a3181c321be8b9e97f181342ca788d82f0b |
Analysis status | DONE |
Considered CTI value | 2 |
Text language | |
Published | Feb. 9, 2023, 3:48 p.m. |
Added to db | Nov. 6, 2024, 11:07 a.m. |
Last updated | Nov. 6, 2024, 11:09 a.m. |
Headline | Jolly Jellyfish |
Title | Jolly Jellyfish |
Detected Hints/Tags/Attributes | 54/4/50 |
Source URLs
URL Provider
Attributes
| Type | #Events | CTI | Value |
|---|---|---|---|
| Domain | 3 | | download.google-images.ml |
| Domain | 1 | | monpass.mn |
| Domain | 1 | | micsoftin.us |
| Domain | 53 | | ncsc.gov.uk |
| | 22 | | ncscinfoleg@ncsc.gov.uk |
| File | 1 | | browser_plugin.exe |
| File | 6 | | bk.exe |
| File | 1 | | x37.bmp |
| File | 1 | | aili.pdf |
| File | 8 | | all.exe |
| File | 1 | | 37.bmp |
| File | 1 | | 83.bmp |
| File | 1 | | save.bmp |
| md5 | 1 | | abcd461bdb6a6537b7a36848a87b5ea6 |
| md5 | 1 | | a241ff3d86925a4a12916b401536b019 |
| md5 | 1 | | 738f46546f6d4a79e2d917b26bf8a93a |
| md5 | 1 | | 014dac67e8c32a25ccb024d1d1017b58 |
| md5 | 1 | | a8c4ac44a5aa9d22319fe4b20cc5e790 |
| md5 | 1 | | a465f18c7e50500c6b6f94741ef56b2f |
| sha1 | 1 | | e99d5a620a488133f4da24e1f8d2d5e68542b6f3 |
| sha1 | 1 | | d28eacb1b4d2e9ef54f7dff09ca03a6866fc9184 |
| sha1 | 1 | | 834e80f6fa9935fd3184c25e4e37b0a068a773ee |
| sha1 | 1 | | ba5558d79dadc12bbbe07e3444441d51d5e5931e |
| sha1 | 1 | | 7c348809e99c0be3ba5c122009a2cd15ad50b7bf |
| sha1 | 1 | | b5053ceba7e45c956f601e77ed1ca4546f372221 |
| sha256 | 1 | | f21a9c69bfca6f0633ba1e669e5cf86bd8fc55b2529cd9b064ff9e2e129525e8 |
| sha256 | 3 | | a7e9e2bec3ad283a9a0b130034e822c8b6dfd26dda855f883a3a4ff785514f97 |
| sha256 | 1 | | 4a43fa8a3305c2a17f6a383fb68f02515f589ba112c6e95f570ce421cc690910 |
| sha256 | 1 | | 0df3b6e2535f8bb564183ab4e5e47d9b30ffc0204cc5bda1bae8984cdc418410 |
| sha256 | 1 | | f0449c41bc3eebb8ea025fafc5b0cd1fcbe9a2d80c447ecc00cf3cab43e1c311 |
| sha256 | 1 | | 17b4cf337cf4fa466a4a1bdc69795c2f96ef7b42464839dafbaf8502e28a3193 |
| IPv4 | 2 | | 37.61.205.212 |
| IPv4 | 2 | | 172.20.10.6 |
| MITRE ATT&CK Techniques | 97 | | T1497.001 (Virtualization/Sandbox Evasion: System Checks) |
| MITRE ATT&CK Techniques | 57 | | T1497.003 (Virtualization/Sandbox Evasion: Time Based Evasion) |
| MITRE ATT&CK Techniques | 442 | | T1071.001 (Application Layer Protocol: Web Protocols) |
| MITRE ATT&CK Techniques | 75 | | T1001 (Data Obfuscation) |
| MITRE ATT&CK Techniques | 6 | | T1001.002 (Data Obfuscation: Steganography) |
| Pdb | 3 | | c:\users\test\desktop\fishmaster\x64\release\fishmaster.pdb |
| Pdb | 1 | | fishmaster.pdb |
| Url | 1 | | http://37.61.205.212:8880/dow/aili.pdf |
| Url | 1 | | https://monpass.mn/storage/uploads/download_files/monpass.client.inst |
| Url | 1 | | http://download.google-images.ml:8880/downloa/37.bmp |
| Url | 1 | | http://download.google-images.ml:8880/download/x37.bmp |
| Url | 1 | | http://micsoftin.us:2086/dow/83.bmp |
| Url | 1 | | http://172.20.10.6/save.bmp |
| Yara rule | 1 | | JollyJellyfish_unique_messagebox_display_string (full rule below) |
| Yara rule | 1 | | JollyJellyfish_check_memory_greater_1gb (full rule below) |
| Yara rule | 1 | | JollyJellyfish_pdb_string (full rule below) |
| Yara rule | 1 | | JollyJellyfish_identify_shellcode_start_addr (full rule below) |

Note on the indicators: 172.20.10.6 is an RFC 1918 private address, so the http://172.20.10.6/save.bmp URL points at a host inside whatever network the sample was analysed or staged on, not at internet infrastructure; it should not be blocked or hunted for on its own. ncsc.gov.uk and ncscinfoleg@ncsc.gov.uk are the publisher's own domain and contact address picked up by the extractor, not attacker indicators.

Yara rules

```yara
rule JollyJellyfish_unique_messagebox_display_string
{
    meta:
        author = "NCSC"
        description = "Detects the string displayed by the message box in some variants of Jolly Jellyfish"
        date = "2021-12-15"
        hash1 = "d28eacb1b4d2e9ef54f7dff09ca03a6866fc9184"
        hash2 = "834e80f6fa9935fd3184c25e4e37b0a068a773ee"
    strings:
        $popuptext = { E4 AF C0 C0 C6 F7 B2 E5 BC FE D2 D1 BE AD B3 C9 B9 A6 B8 FC D0 C2 A3 AC C7 EB D6 D8 C6 F4 E4 AF C0 C0 C6 F7 A3 A1 }
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3c)) == 0x00004550 and all of them
}
```

```yara
rule JollyJellyfish_check_memory_greater_1gb
{
    meta:
        author = "NCSC"
        description = "Detects Jolly Jellyfish check for memory being greater than 1GB"
        date = "2021-12-15"
        hash1 = "e99d5a620a488133f4da24e1f8d2d5e68542b6f3"
        hash2 = "d28eacb1b4d2e9ef54f7dff09ca03a6866fc9184"
        hash3 = "834e80f6fa9935fd3184c25e4e37b0a068a773ee"
        hash4 = "ba5558d79dadc12bbbe07e3444441d51d5e5931e"
    strings:
        $1 = { 33 D2 48 8B 44 ?? 38 B9 00 04 00 00 48 F7 F1 33 D2 B9 00 04 00 00 48 F7 F1 89 44 ?? ?? 81 7C ?? ?? 00 04 00 00 }
        $2 = { 48 8B 44 ?? 38 48 C1 E8 14 ?? 00 04 00 00 }
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3c)) == 0x00004550 and any of them
}
```

```yara
rule JollyJellyfish_pdb_string
{
    meta:
        author = "NCSC"
        description = "Detects the Jolly Jellyfish PDB string"
        date = "2021-12-15"
        hash1 = "e99d5a620a488133f4da24e1f8d2d5e68542b6f3"
        hash2 = "834e80f6fa9935fd3184c25e4e37b0a068a773ee"
        hash3 = "d28eacb1b4d2e9ef54f7dff09ca03a6866fc9184"
        hash4 = "ba5558d79dadc12bbbe07e3444441d51d5e5931e"
    strings:
        $pdb = "fishmaster.pdb"
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3c)) == 0x00004550 and any of them
}
```

```yara
rule JollyJellyfish_identify_shellcode_start_addr
{
    meta:
        author = "NCSC"
        description = "Detects Jolly Jellyfish finding the start address of the shellcode in the downloaded data"
        date = "2021-12-15"
        hash1 = "e99d5a620a488133f4da24e1f8d2d5e68542b6f3"
        hash2 = "d28eacb1b4d2e9ef54f7dff09ca03a6866fc9184"
        hash3 = "834e80f6fa9935fd3184c25e4e37b0a068a773ee"
        hash4 = "ba5558d79dadc12bbbe07e3444441d51d5e5931e"
    strings:
        $1 = { 48 89 84 24 ?? 00 00 00 48 8B 84 24 ?? 00 00 00 8B 40 0A 48 8B 4C 24 ?? 48 8D 44 01 03 }
        $2 = { 8B 43 0A 48 83 C0 03 48 03 D8 }
    condition:
        uint16(0) == 0x5A4D and uint32(uint32(0x3c)) == 0x00004550 and any of them
}
```
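The four NCSC rules share one condition (an MZ header whose e_lfanew points at a PE signature) and otherwise match raw hex strings with `??` single-byte wildcards. The script below is an added example, not code from NCSC or from this database: it re-implements that condition and the wildcard matching in plain Python, runs the rules' byte patterns over a constructed minimal PE stub, decodes the `$popuptext` bytes (they are GBK-encoded Chinese) and applies the offset arithmetic encoded in the `$2` pattern of the shellcode-start rule (`mov eax,[rbx+0Ah]; add rax,3; add rbx,rax`) to a constructed BMP. Reading offset 0x0A of the downloaded data as the BMP header's `bfOffBits` field is this example's interpretation of those bytes; the page only says the code locates the shellcode in the downloaded data. Every fixture byte string is constructed here and contains no real malware.

```python
"""Plain-Python re-implementation of the Jolly Jellyfish YARA logic (added example).

Not NCSC's or the aggregator's code. Patterns are copied from the rules above;
the PE and BMP fixtures are constructed so the script runs offline.
"""
import re
import struct

# (kind, value) copied from the NCSC rules above; "??" is a one-byte wildcard.
PATTERNS = {
    "popup_text": ("hex", "E4 AF C0 C0 C6 F7 B2 E5 BC FE D2 D1 BE AD B3 C9 B9 A6 B8 FC D0 C2 A3 AC C7 EB D6 D8 C6 F4 E4 AF C0 C0 C6 F7 A3 A1"),
    "memory_check_div": ("hex", "33 D2 48 8B 44 ?? 38 B9 00 04 00 00 48 F7 F1 33 D2 B9 00 04 00 00 48 F7 F1 89 44 ?? ?? 81 7C ?? ?? 00 04 00 00"),
    "memory_check_shr": ("hex", "48 8B 44 ?? 38 48 C1 E8 14 ?? 00 04 00 00"),
    "pdb_string": ("text", "fishmaster.pdb"),
    "shellcode_start_short": ("hex", "8B 43 0A 48 83 C0 03 48 03 D8"),
}


def pattern_to_regex(kind: str, value: str) -> re.Pattern:
    """Translate a YARA text string or hex string ("48 8B ?? 38") into a bytes regex."""
    if kind == "text":
        return re.compile(re.escape(value.encode("ascii")))
    parts = []
    for tok in value.split():
        if tok == "??":
            parts.append(b".")                      # any single byte (DOTALL below)
        else:
            parts.append(b"\\x%02x" % int(tok, 16))  # literal byte as a \xhh escape
    return re.compile(b"".join(parts), re.DOTALL)


def is_pe(data: bytes) -> bool:
    """The rules' condition: uint16(0) == 0x5A4D and uint32(uint32(0x3c)) == 0x00004550.
    Out-of-range reads make the YARA condition false, so they return False here too."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data):
        return False
    return struct.unpack_from("<I", data, e_lfanew)[0] == 0x00004550


def scan(data: bytes) -> list:
    """Names of the patterns present in a PE; [] for anything that is not a PE."""
    if not is_pe(data):
        return []
    return sorted(name for name, (kind, value) in PATTERNS.items()
                  if pattern_to_regex(kind, value).search(data))


def concretize(hex_pattern: str, fill: int = 0x24) -> bytes:
    """Replace ?? with a fixed byte so a pattern can be embedded in a fixture."""
    return bytes(fill if tok == "??" else int(tok, 16) for tok in hex_pattern.split())


def build_pe_fixture(payload: bytes) -> bytes:
    """Constructed minimal stub: 0x40-byte DOS header, e_lfanew=0x40, 'PE\\0\\0', then payload."""
    header = bytearray(0x40)
    header[0:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)
    return bytes(header) + b"PE\x00\x00" + payload


def shellcode_offset(downloaded: bytes) -> int:
    """Offset computed by the $2 pattern: mov eax,[rbx+0Ah]; add rax,3; add rbx,rax.
    Assumption of this example: offset 0x0A of a BMP is bfOffBits (start of pixel data),
    so the shellcode begins 3 bytes into the pixel array of the downloaded image."""
    return struct.unpack_from("<I", downloaded, 0x0A)[0] + 3


def build_bmp_fixture(shellcode: bytes) -> bytes:
    """Constructed 14-byte BITMAPFILEHEADER + 40-byte DIB header + 3 pad bytes + shellcode."""
    body = b"\x00" * 40 + b"\x00\x00\x00" + shellcode
    file_header = struct.pack("<2sIHHI", b"BM", 14 + len(body), 0, 0, 14 + 40)
    return file_header + body


def decode_popup() -> str:
    """The $popuptext bytes are a GBK string (the message-box text)."""
    return bytes.fromhex(PATTERNS["popup_text"][1]).decode("gbk")


if __name__ == "__main__":
    sample = build_pe_fixture(b"".join(concretize(v) if k == "hex" else v.encode("ascii")
                                       for k, v in PATTERNS.values()))
    print("matched:", scan(sample))
    print("popup text:", decode_popup())
    bmp = build_bmp_fixture(b"\xcc" * 8)
    print("shellcode at offset", shellcode_offset(bmp), "->", bmp[shellcode_offset(bmp):].hex())
```

The memory-check patterns read a byte count, divide it by 1024 twice (or shift right by 20) and compare the result with 0x400, i.e. 1024 MB; in this example's reading that is the T1497.001 system check the rule description refers to. The decoded popup text says the browser plugin was updated successfully and asks the user to restart the browser, which fits the browser_plugin.exe file name listed above.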