Keypoints
- New SysJoker variants were observed in 2023, including a variant rewritten in Rust and additional Windows samples not previously publicized.
- The malware retrieves an encrypted C2 configuration hosted on OneDrive, decodes it (base64 + XOR) to obtain HTTP(S) C2 endpoints, enabling dynamic changes to infrastructure.
- Persistence is established via a registry Run key created through the WMI StdRegProv interface using PowerShell, and the initial execution copies the binary to ProgramData and re-executes it from the persistent path.
- The main C2 loop registers the bot (receives a token) and polls API endpoints (/api/req, /api/cr) for JSON-encoded actions; commands include downloading zip archives, extracting with Expand-Archive, and executing payloads from ProgramData.
- Two string-decryption methods are used: a reusable base64+XOR scheme and a more complex inlined compile-time decryption; random sleep intervals are used as possible anti-analysis measures.
- Windows variants include multi-stage flows (DMADevice: downloader → installer → payload DLL) and a downloader/backdoor split (AppMessagingRegistrar) that uses tokens in Authorization headers and DLL exports to execute operator-supplied logic.
MITRE Techniques
- [T1547.001] Registry Run Keys / Startup Folder – Persistence created via WMI StdRegProv to set a Run key: "…$reg=[WMIClass]'ROOT\DEFAULT:StdRegProv'; $results=$reg.SetStringValue('&H80000001','Software\Microsoft\Windows\CurrentVersion\Run', 'php-cgi', 'C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe');"
- [T1059.001] PowerShell – Used to launch the copied executable, to unzip and execute payloads, and to set persistence via WMI: "-Command C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe" and "powershell -Command Expand-Archive -Path C:\ProgramData\php-Win32-libs\XMfmF.zip -DestinationPath C:\ProgramData\php-Win32-libs ; start C:\ProgramData\php-Win32-libs\exe_name.exe"
- [T1102] Use of Web Services – OneDrive used to host an encrypted config that contains the C2 address: "https://onedrive.live[.]com/download?resid=16E2AEE4B7A8BBB1%21112&authkey=!AED7TeCJaC7JNVQ"
- [T1105] Ingress Tool Transfer – Downloading of archives and DLLs from C2-controlled URLs and cloud-hosted locations, then extracting and executing them: "http://85.31.231[.]49/archive_path" and "https://filestorage-short[.]org/drive/AppMessagingRegistrar.zip"
- [T1027] Obfuscated Files or Information – Strings and configuration are stored encrypted (base64 + XOR) and decoded at runtime: "KnM5Sjpob2glNTY8AmcaYXt8cAh/fHZ+ZnUNcwdld2Mr" (XOR/base64 blob)
- [T1071.001] Application Layer Protocol: Web Protocols (HTTP/S) – C2 communication and command exchange use HTTP(S) JSON endpoints (/api/attach, /api/req, /api/cr) and POST/GET requests: '{"url":"http://85.31.231[.]49:443"}'
Indicators of Compromise
- [IP] C2 and infrastructure – 85.31.231[.]49 (C2 returned from OneDrive), 62.108.40[.]129 (infrastructure host)
- [Domain] Hosting and distribution – sharing-u-file[.]com (C2 domain), filestorage-short[.]org (zip distribution), and audiosound-visual[.]com
- [File name] Deployed filenames and persistence targets – php-cgi.exe (Rust sample deployed to ProgramData), DMASolutionInc.exe (DMADevice variant copy), AppMessagingRegistrar.exe (payload from downloader)
- [Hashes] Sample binaries – 9416d7dc2ecdeda92ba35cd5e54eb044 (Rust php-cgi sample), d51e617fe1c1962801ad5332163717bb (DMADevice sample), and 6 more SHA256 hashes listed in the report
The malware's runtime procedure begins with an execution-location check: if it is not already running from C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe, the sample copies itself to that ProgramData path, launches the copy via PowerShell (-Command C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe), creates persistence by writing a Run key under HKEY_CURRENT_USER through the WMI StdRegProv interface, and then exits. When started from the persistent path, the binary contacts a hardcoded OneDrive URL (the hosted content is an encrypted base64 blob), decodes the response with XOR + base64 to reveal a JSON C2 address (example: {"url":"http://85.31.231[.]49:443"}), and registers with the C2 (/api/attach or /api/add), sending system information to receive a unique token used for subsequent communication.
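A small decoder for the base64 + XOR configuration scheme described above, added here as an example and not code from the Check Point report. The demo key, the base64-then-XOR order, and the JSON prefix used for known-plaintext key recovery are assumptions; the blob is constructed from the report's example C2 address.

```python
import base64
import json

# Constructed demo key; the real XOR keys are only in the Check Point report.
DEMO_KEY = b"k3y!"

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. XOR is self-inverse, so one function encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def decode_config(blob: str, key: bytes) -> dict:
    """Assumed order: base64-decode the blob, XOR with the key, parse the JSON."""
    return json.loads(xor_bytes(base64.b64decode(blob), key).decode("utf-8"))

def encode_config(config: dict, key: bytes) -> str:
    """Inverse of decode_config; used here only to build a sample blob."""
    plain = json.dumps(config, separators=(",", ":")).encode("utf-8")
    return base64.b64encode(xor_bytes(plain, key)).decode("ascii")

def recover_key(blob: str, known_prefix: bytes = b'{"url":"') -> bytes:
    """Known-plaintext key recovery: the config is JSON whose first bytes are
    predictable, so ciphertext XOR known plaintext gives the keystream prefix.
    The shortest period that repeats through that prefix is taken as the key;
    if the key is longer than the prefix, only the recovered part is returned."""
    raw = base64.b64decode(blob)
    stream = xor_bytes(raw[:len(known_prefix)], known_prefix)
    for period in range(1, len(stream)):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return stream

if __name__ == "__main__":
    # Constructed sample: the example C2 address from the report, defanged.
    blob = encode_config({"url": "http://85.31.231[.]49:443"}, DEMO_KEY)
    print(blob)
    print(recover_key(blob), decode_config(blob, recover_key(blob)))
```

Against a real sample, feed the blob fetched from the OneDrive URL to recover_key and then decode_config; a shared key across samples is exactly what this recovery exploits.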
The main C2 loop posts the token to endpoints such as /api/req or /api/cr, receives JSON containing a data array of actions (each with an id and a request JSON with url and name), then downloads the specified zip archives, extracts them via PowerShell Expand-Archive into C:\ProgramData\php-Win32-libs, and launches the extracted executable (start C:\ProgramData\php-Win32-libs\exe_name.exe). Earlier variants also supported executing arbitrary operator commands; the Rust rewrite retains download-and-execute functionality but lacks remote command execution. String and configuration obfuscation uses two methods: a reusable base64+XOR scheme (shared XOR keys observed across samples) and a complex inlined compile-time string obfuscation sprinkled throughout the binary; the malware also uses randomized sleep intervals as an anti-analysis measure.
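A detection pass over constructed Sysmon-style events for the behaviours described above (the WMI StdRegProv Run-key write, Expand-Archive into ProgramData followed by start, and a Run-key value pointing into ProgramData), added as an example and not taken from the report; the event shape, field names and rule names are assumptions.

```python
import re

# Constructed sample telemetry in a simplified Sysmon-like shape; not real log data.
EVENTS = [
    {"id": 1, "type": "process",
     "cmdline": r"powershell -Command $reg=[WMIClass]'ROOT\DEFAULT:StdRegProv'; "
                r"$results=$reg.SetStringValue('&H80000001','Software\Microsoft\Windows"
                r"\CurrentVersion\Run','php-cgi','C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe');"},
    {"id": 2, "type": "process",
     "cmdline": r"powershell -Command Expand-Archive -Path C:\ProgramData\php-Win32-libs\XMfmF.zip "
                r"-DestinationPath C:\ProgramData\php-Win32-libs ; start C:\ProgramData\php-Win32-libs\exe_name.exe"},
    {"id": 3, "type": "registry", "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\php-cgi",
     "data": r"C:\ProgramData\php-7.4.19-Win32-vc15-x64\php-cgi.exe"},
    {"id": 4, "type": "process", "cmdline": r"powershell -Command Get-ChildItem C:\Users\me\Documents"},
    {"id": 5, "type": "registry", "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.I)
RULES = {
    # Run key written through WMI StdRegProv from a PowerShell command line.
    "wmi_stdregprov_run_key": ("process", re.compile(
        r"StdRegProv.*SetStringValue.*CurrentVersion\\Run", re.I)),
    # Archive expanded into ProgramData and an executable started from the same tree.
    "expand_archive_then_start_programdata": ("process", re.compile(
        r"Expand-Archive.*-DestinationPath\s+C:\\ProgramData\\.*;\s*start\s+C:\\ProgramData\\", re.I)),
    # Run key value whose data points at an executable under ProgramData.
    "run_key_points_to_programdata": ("registry", re.compile(r"^C:\\ProgramData\\.*\.exe", re.I)),
}

def match_event(event: dict) -> list:
    """Return the names of the rules that fire on one event."""
    hits = []
    for name, (etype, pattern) in RULES.items():
        if event["type"] != etype:
            continue
        if etype == "registry":
            # Only Run-key value writes are in scope for the registry rule.
            if not RUN_KEY.search(event["key"]):
                continue
            field = event["data"]
        else:
            field = event["cmdline"]
        if pattern.search(field):
            hits.append(name)
    return hits

def scan(events: list) -> dict:
    """Map event id -> fired rule names, omitting events with no hits."""
    return {e["id"]: h for e in events if (h := match_event(e))}
```

The benign events 4 and 5 are included so the rules can be checked for false positives on ordinary PowerShell use and a Run key pointing into Program Files.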
Windows variants present additional procedural details: the DMADevice sample implements a three-stage flow (setup and persistence using a downloaded encrypted config saved as DMASolutionInc.dll, registration via /api/add, then a C2 loop capable of running commands or downloading and executing files), while the AppMessagingRegistrar family splits functionality into a lightweight downloader and a backdoor that uses an "Authorization: Bearer [TOKEN]" header, supports a status_num control flag (0: setup, 1: idle, 3: payload retrieval, 4: payload execution), downloads DLLs via UrlDownloadToFileW, loads them and invokes exported functions (init/step or st) to perform the main backdoor actions, and reports execution output back to /api/requests/[ID].
Read more: https://research.checkpoint.com/2023/israel-hamas-war-spotlight-shaking-the-rust-off-sysjoker/