Indicator (IOC)

yara Revoked AlienVault · Published 21/12/2025 08:44 · Modified 21/12/2025 08:44

Essential information

Value / Name
M_Dropper_PHASEJAM_1
Confidence
100/100
Revoked
Yes
Valid from
09/01/2025 10:03
Valid until
26/10/2025 21:12
Pattern type
yara
Published
21/12/2025 08:44
Modified
21/12/2025 08:44
Author / Source
AlienVault

Description

M_Dropper_PHASEJAM_1: Hunting rule looking for strings identified in the PHASEJAM dropper

Pattern

rule M_Dropper_PHASEJAM_1 {
    meta:
        author = "Mandiant"
        description = "Hunting rule looking for strings identified in the PHASEJAM dropper"
        md5 = "d18e5425ecd9608ecb992606b974e15d"
    strings:
        $str1 = "AccessAllow()"
        $str2 = "/jam/getComponent.cgi"
        $str3 = "jam/getComponent.cgi.bak"
        $str4 = "sh=$(echo CnN1Y"
        $str5 = "up=$(echo CnN1Y"
        $str6 = "grep -q 'sub AccessAllow()'"
        $str7 = "cp -f /home/bin/remotedebug /home/bin/remotedebug.bak"
        $str8 = "chmod 777 /home/bin/remotedebug.bak"
        $str9 = "cp -f /home/perl/DSUpgrade.pm /home/perl/DSUpgrade.pm.bak"
        $str10 = "pkill cgi-server"
    condition:
        8 of them and filesize < 20KB
}

Labels / Tags

Labels: credential theft dryhook ivanti phasejam spawnant spawnsloth vpn

Marking (TLP)

TLP:CLEAR