The jscan file this rule detects is part of the Equation Group tool set leaked by the ShadowBrokers; the matched strings show it building and running a `java -jar jscanner.jar` command line with thread and target-list arguments, which is the behaviour of a scanning tool used to look for vulnerable systems ahead of exploitation of known weaknesses. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify early signs of targeted attacks and mitigate potential breaches.
YARA Rule
rule EquationGroup_jscan {
    meta:
        description = "Equation Group hack tool leaked by ShadowBrokers- file jscan"
        author = "Florian Roth"
        reference = "https://medium.com/@shadowbrokerss/dont-forget-your-base-867d304a94b1"
        date = "2017-04-08"
        hash1 = "8075f56e44185e1be26b631a2bad89c5e4190c2bfc9fa56921ea3bbc51695dbe"
    strings:
        $s1 = "$scanth = $scanth . \" -s \" . $scanthreads;" fullword ascii
        $s2 = "print \"java -jar jscanner.jar$scanth$list\\n\";" fullword ascii
    condition:
        filesize < 250KB and 1 of them
}
This YARA rule can be deployed in the following contexts:
This rule contains two string patterns ($s1 and $s2) in its detection logic, and fires on files under 250 KB that contain either of them as a whole word.
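To make the condition concrete, the following added Python example (not part of this page, of the rule's author, or of YARA itself) re-implements the rule's logic, including YARA's `fullword` delimiter check and the `filesize < 250KB` bound, and runs it over a constructed sample that mimics the Perl wrapper the strings come from.

```python
# Re-implementation of the EquationGroup_jscan rule logic (added example).
MAX_FILESIZE = 250 * 1024  # YARA's "250KB" uses a 1024-byte kilobyte

# The rule's two ascii strings as raw bytes. In the YARA source, \" is a
# literal quote and \\n is a literal backslash followed by 'n'.
SIGNATURES = {
    "s1": b'$scanth = $scanth . " -s " . $scanthreads;',
    "s2": b'print "java -jar jscanner.jar$scanth$list\\n";',
}


def fullword_hits(data: bytes, needle: bytes) -> list[int]:
    """Offsets of needle that are bounded by non-alphanumeric bytes,
    which is what the YARA 'fullword' modifier requires."""
    hits, start = [], 0
    while (i := data.find(needle, start)) != -1:
        before = data[i - 1:i] if i > 0 else b""
        after = data[i + len(needle):i + len(needle) + 1]
        if not (before.isalnum() or after.isalnum()):
            hits.append(i)
        start = i + 1
    return hits


def match_equationgroup_jscan(data: bytes) -> dict:
    """Evaluate 'filesize < 250KB and 1 of them' and report which strings hit."""
    if len(data) >= MAX_FILESIZE:
        return {"matched": False, "strings": {}}
    hits = {name: fullword_hits(data, sig) for name, sig in SIGNATURES.items()}
    hits = {name: offs for name, offs in hits.items() if offs}
    return {"matched": bool(hits), "strings": hits}


# Constructed sample: a fragment shaped like the Perl wrapper the rule targets.
SAMPLE_WRAPPER = b'''#!/usr/bin/perl
my $scanth = "";
$scanth = $scanth . " -s " . $scanthreads;
print "java -jar jscanner.jar$scanth$list\\n";
'''

# Constructed near-miss: the same text glued to alphanumerics on both sides,
# so the 'fullword' boundary test rejects it.
SAMPLE_NEAR_MISS = b'x$scanth = $scanth . " -s " . $scanthreads;y'

if __name__ == "__main__":
    print(match_equationgroup_jscan(SAMPLE_WRAPPER))    # matched, s1 and s2 hit
    print(match_equationgroup_jscan(SAMPLE_NEAR_MISS))  # not matched
```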
Scenario: Legitimate scheduled job using the jscan tool for system diagnostics
Filter/Exclusion: Exclude processes started by the system scheduler (e.g., at, cron, or Task Scheduler) or processes with a known legitimate parent process (e.g., systemd, services.msc).
Scenario: Security team using jscan for forensic analysis
Filter/Exclusion: Exclude processes executed from a known security team directory (e.g., /opt/security_tools/, C:\SecurityTools\) or run under a user account associated with the security team (e.g., security_admin).
Scenario: Admin task to clean up old log files using jscan
Filter/Exclusion: Exclude processes whose command line includes log cleanup parameters (e.g., --clean, --delete) or that are executed from a known admin script directory (e.g., /scripts/admin/, C:\AdminScripts\).
Scenario: Legitimate use of jscan by a third-party security tool
Filter/Exclusion: Exclude processes whose parent process is a known third-party security tool (e.g., Sophos, CrowdStrike, Kaspersky) or whose file path is within a trusted vendor directory.
Scenario: Automated patching tool using jscan to verify system integrity
Filter/Exclusion: Exclude processes whose command line includes patching or integrity check flags (e.g., --verify, --patch) or that are executed from a known patching tool directory (e.g., /patch_tools/, C:\PatchTools\).