The fragus_js2 YARA rule flags obfuscated JavaScript landing pages associated with the Fragus Exploit Kit, a browser exploit kit that served malware to visitors of compromised or attacker-controlled web pages. Per its meta section the rule was produced with YaraGenerator and carries a single sample hash, so it is a string signature for captured content (web-server document roots, proxy and sandbox caches, mail attachments) rather than a behavioural detection. SOC teams should run it over that content and forward matches to their SIEM, such as Azure Sentinel (now Microsoft Sentinel), to hunt for the early, pre-payload stage of an infection that endpoint tooling may miss.
YARA Rule
rule fragus_js2 : EK
{
    meta:
        author = "Josh Berry"
        date = "2016-06-26"
        description = "Fragus Exploit Kit Detection"
        hash0 = "f234c11b5da9a782cb1e554f520a66cf"
        sample_filetype = "js-html"
        yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
    strings:
        $string0 = "(ELI6Q3PZ"
        $string1 = "SnJTbVJqV2tOa09VbGZSMHcwY0ZWZmRrRjBjRFY0Y3psVmNGVjROWGhBV0RZNGJWZzBVa1J4TjNCVlgwVmlhRjkyZURaS1NWOUhj"
        $string2 = "eFgweDNaek5YZDFkaWFtTlhZbDlmV2tGa09Va3pSMlEyT0dwSFFIQlZRblpEYzBKRWNFeGZOVmx6V0RSU1JEYzJjRlY0TVY5SFkw"
        $string3 = "VUpKUVdWS05ISlZjMXBTTUdWRlNFQmpaMjlrVDBCTFYzY3pZbGRpZG5oeldFUndkSE16YjB4M2JXSnFZMWRpZVY4ellreDNaMko1"
        $string4 = "((Yuii37DWU"
        $string5 = "YURVNFZXUlhjRlZDZGxsQVJ6UlNaRTlBUzFkM00ySlhiekU0ZEhnMWNrUjZZM0kyWDNaQmJGZ3hNMGxrTmpoVGVqRlpkSEUyV1dW"
        $string6 = "String.fromCharCode(ZZeD3LjJQ);}else if(QIyZsvvbEmVOpp"
        $string7 = "1);ELI6Q3PZ"
        $string8 = "));Yuii37DWU"
        $string9 = ");CUer0x"
        $string10 = "T1ZaQ05IUkRTVGhqT1VWd1ZWOUpRMlZLZG5oNlQwQkxWM2N6WWxkQmRrRkFPVmR3VlRsYWJsWnNOWGhKT1ZkeFZWazFRbEU1UlZK"
        $string11 = "TlpkM2wxS3lzcExUUTRYU2s4UEhocFVqRk9jazA3SUdsbUtIaHBVakZPY2swcGV5QkdWek5NVnlzOVVrSklWVE0wVDJ0NlpTZzJP"
        $string12 = "String.fromCharCode(((eMImGB"
        $string13 = "RGRDUkV0WFV6VkJkRkV4WHpCalYwRkhhRFk0YW5wamNqWmZka0ZzV0RaSWExZzBXWEZDUlZsQVpEWkJOMEoyZUhwd1duSlRXVE5J"
        $string14 = "SCpMaWXOuME(mi1mm8bu87rL0W);eval(Pcii3iVk1AG);</script></body></html>"
        $string15 = "Yuii37DWU"
        $string16 = "Yuii37DWU<<12"
        $string17 = "eTVzWlc1bmRHZ3NJRWhWUnpWRlJuRkZSRVUwUFRFd01qUXNJR2hQVlZsRVJFVmxVaXdnZUVKU1FscE1ORzF3Y21SMGJpd2dSbGN6"
    condition:
        17 of them
}
This rule contains 18 string patterns ($string0 through $string17) and its condition requires 17 of them to match. With that threshold and strings this specific (identifier-like tokens such as Yuii37DWU and ELI6Q3PZ, roughly 100-character base64-like fragments, and the exact eval(Pcii3iVk1AG);</script></body></html> tail) the rule is effectively a fingerprint of the one sample referenced by hash0 rather than a detection for the Fragus family: a re-obfuscated landing page with different identifiers or reordered fragments will score well below 17 and go undetected. Note also that $string15 ("Yuii37DWU") is a substring of $string4, $string8 and $string16, so it never contributes an independent hit. Deploy the rule where captured web content is available (web-server document roots, proxy and sandbox caches, email attachment scanning) and forward matches to the SIEM for hunting.
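To make the threshold concrete, the following added example (not the page's or the rule author's code) pulls the strings and the "N of them" condition out of the rule text with a regular expression, re-implements that condition in pure Python so it runs without yara-python, and scores constructed inputs: a synthetic page containing all 18 strings, the same page missing one or two of the base64 fragments, one missing only $string15, and a benign page. The parser handles only the subset of YARA syntax this rule uses (quoted text strings, an "N of them" condition); real scanning should use YARA itself.

```python
"""
Added example, not part of the original page or the rule author's tooling:
a pure-Python re-implementation of the rule's "17 of them" condition so the
threshold can be explored without yara-python. Only the YARA subset this rule
uses (quoted text strings, "N of them") is supported; use YARA for real scans.
"""
import re

# The fragus_js2 rule exactly as published on the page.
RULE_TEXT = r'''
rule fragus_js2 : EK
{
meta:
author = "Josh Berry"
date = "2016-06-26"
description = "Fragus Exploit Kit Detection"
hash0 = "f234c11b5da9a782cb1e554f520a66cf"
sample_filetype = "js-html"
yaragenerator = "https://github.com/Xen0ph0n/YaraGenerator"
strings:
$string0 = "(ELI6Q3PZ"
$string1 = "SnJTbVJqV2tOa09VbGZSMHcwY0ZWZmRrRjBjRFY0Y3psVmNGVjROWGhBV0RZNGJWZzBVa1J4TjNCVlgwVmlhRjkyZURaS1NWOUhj"
$string2 = "eFgweDNaek5YZDFkaWFtTlhZbDlmV2tGa09Va3pSMlEyT0dwSFFIQlZRblpEYzBKRWNFeGZOVmx6V0RSU1JEYzJjRlY0TVY5SFkw"
$string3 = "VUpKUVdWS05ISlZjMXBTTUdWRlNFQmpaMjlrVDBCTFYzY3pZbGRpZG5oeldFUndkSE16YjB4M2JXSnFZMWRpZVY4ellreDNaMko1"
$string4 = "((Yuii37DWU"
$string5 = "YURVNFZXUlhjRlZDZGxsQVJ6UlNaRTlBUzFkM00ySlhiekU0ZEhnMWNrUjZZM0kyWDNaQmJGZ3hNMGxrTmpoVGVqRlpkSEUyV1dW"
$string6 = "String.fromCharCode(ZZeD3LjJQ);}else if(QIyZsvvbEmVOpp"
$string7 = "1);ELI6Q3PZ"
$string8 = "));Yuii37DWU"
$string9 = ");CUer0x"
$string10 = "T1ZaQ05IUkRTVGhqT1VWd1ZWOUpRMlZLZG5oNlQwQkxWM2N6WWxkQmRrRkFPVmR3VlRsYWJsWnNOWGhKT1ZkeFZWazFRbEU1UlZK"
$string11 = "TlpkM2wxS3lzcExUUTRYU2s4UEhocFVqRk9jazA3SUdsbUtIaHBVakZPY2swcGV5QkdWek5NVnlzOVVrSklWVE0wVDJ0NlpTZzJP"
$string12 = "String.fromCharCode(((eMImGB"
$string13 = "RGRDUkV0WFV6VkJkRkV4WHpCalYwRkhhRFk0YW5wamNqWmZka0ZzV0RaSWExZzBXWEZDUlZsQVpEWkJOMEoyZUhwd1duSlRXVE5J"
$string14 = "SCpMaWXOuME(mi1mm8bu87rL0W);eval(Pcii3iVk1AG);</script></body></html>"
$string15 = "Yuii37DWU"
$string16 = "Yuii37DWU<<12"
$string17 = "eTVzWlc1bmRHZ3NJRWhWUnpWRlJuRkZSRVUwUFRFd01qUXNJR2hQVlZsRVJFVmxVaXdnZUVKU1FscE1ORzF3Y21SMGJpd2dSbGN6"
condition:
17 of them
}
'''

# $name = "text" (YARA text string). Meta lines lack the leading $ and are skipped.
STRING_RE = re.compile(r'\$(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')
# Only the "N of them" condition form is handled here.
COND_RE = re.compile(r'condition:\s*(\d+)\s+of\s+them')


def parse_rule(text):
    """Return ({string_name: literal}, threshold) for a rule using plain text
    strings and an 'N of them' condition."""
    strings = {}
    for name, raw in STRING_RE.findall(text):
        # Decode YARA text-string escapes (\" \\ \t \n \xNN). This rule uses
        # none, but other generated rules do.
        strings[name] = raw.encode("latin-1").decode("unicode_escape")
    m = COND_RE.search(text)
    if m is None:
        raise ValueError("unsupported condition; only 'N of them' is handled")
    return strings, int(m.group(1))


RULE_STRINGS, THRESHOLD = parse_rule(RULE_TEXT)


def scan(sample):
    """Mirror YARA's default ascii, case-sensitive text matching plus the
    'N of them' condition. Returns (matched, [names of strings found])."""
    hits = [name for name, lit in RULE_STRINGS.items() if lit in sample]
    return len(hits) >= THRESHOLD, hits


def build_sample(strings, drop=()):
    """Construct a synthetic 'landing page' containing every rule string except
    those named in drop. Fabricated test input, not a real Fragus sample."""
    body = "\n".join(lit for name, lit in strings.items() if name not in drop)
    return "<html><body><script>\n" + body + "\n"


# Constructed benign page: same HTML skeleton, none of the rule strings.
BENIGN_HTML = "<html><body><script>console.log('hello');</script></body></html>"

if __name__ == "__main__":
    cases = [
        ("all 18 strings", build_sample(RULE_STRINGS)),
        ("missing $string1", build_sample(RULE_STRINGS, drop=("string1",))),
        ("missing $string1 and $string2", build_sample(RULE_STRINGS, drop=("string1", "string2"))),
        ("missing $string15 (substring of others)", build_sample(RULE_STRINGS, drop=("string15",))),
        ("benign page", BENIGN_HTML),
    ]
    for label, sample in cases:
        matched, hits = scan(sample)
        print(f"{label:40} {len(hits):2}/{len(RULE_STRINGS)} >= {THRESHOLD}: "
              f"{'MATCH' if matched else 'no match'}")
```

Removing one base64 fragment still matches (17 of 18) while removing two does not, which is how little an attacker has to change to evade the rule; dropping $string15 alone leaves the count at 18 because that token is already contained in three other strings.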
Scenario: Legitimate JavaScript Library Usage
Description: A large minified or obfuscated front-end bundle from a legitimate site or third-party service is scanned and trips the rule. Note that fragus_js2 is the name of this rule, not of a library or npm package; no legitimate dependency carries that name, so do not build exclusions around it.
Filter/Exclusion: Because the condition requires 17 of 18 sample-specific strings, a hit on benign code is improbable; before excluding anything, re-run the scan with string output (yara -s) to see which strings matched and where. Exclude only by file hash or by the known deployment path of a reviewed bundle, never by the rule or file name alone.
Scenario: Scheduled Job Execution
Description: A scheduled job (backup, file-integrity check, log or mail archiving) copies or re-scans previously quarantined samples and produces repeat alerts for content that has already been triaged.
Filter/Exclusion: Exclude known quarantine and sample-archive paths, or filter on the scheduler parent (cron, systemd timers, Task Scheduler) together with the service account that runs the job. Do not exclude on the account alone; an attacker running under that account would then be invisible.
Scenario: Admin Task with JavaScript
Description: An administrator or analyst has a captured Fragus sample open for debugging or analysis on a workstation or dedicated analysis VM.
Filter/Exclusion: Scope the exclusion to designated analysis hosts or a dedicated analyst user context and keep alerting on for every other host. The presence of analysis tools (Wireshark, tcpdump, strace) in the process tree is weak evidence on its own and should not be the sole exclusion criterion.
Scenario: Legacy System Compatibility Testing
Description: The security team replays archived exploit-kit samples, including this one, against legacy or newly migrated systems during a maintenance window to confirm that detection still fires after the change.
Filter/Exclusion: Filter by the announced test window and the test harness in use (Selenium, JMeter, Postman), then verify once the window closes that the rule alerts again outside it.
Scenario: Malicious Payload Misidentification
Description: A red team or penetration test replays a captured Fragus sample, or a payload built from the same obfuscated script, against in-scope hosts; the match is a true detection of the tooling but not of an adversary.
Filter/Exclusion: Filter by source IP (