Analysis

  • max time kernel
    642s
  • max time network
    653s
  • platform
    windows10-1703_x64
  • resource
    win10-20230220-en
  • resource tags
    arch:x64, arch:x86, image:win10-20230220-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    13-04-2023 14:26

General

  • Target

    script.ps1

  • Size

    28KB

  • MD5

    5201bec05304172eb34578a483da40da

  • SHA1

    e4a91fd21e16639f759009a17e1f37df5c89f2b4

  • SHA256

    5a2366fb3d365e87f77a982d83eefb5054d50e8e73d2043979e5616c7071a458

  • SHA512

    7ea8de19029a90502fd6a472e1b449cdbf017a19e679d3383b34aea2af1e392de6216934640fd9d8c47fb8553759cde0880291ff2d187081ff9896746a276353

  • SSDEEP

    768:gPPLA+zYgibawLt4CGwmGGler9PdnH1LiGK:eT7zgbaItpdmGKyxdnViR

Malware Config

Extracted

Family

jupyter

Version

OC-8

C2

http://37.221.114.23

Signatures

  • Jupyter Backdoor/Client payload 1 IoCs
  • Jupyter, SolarMarker

    Jupyter is a backdoor and infostealer first seen in mid 2020.

  • Blocklisted process makes network request 21 IoCs
  • Drops startup file 1 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1
    1⤵
    • Blocklisted process makes network request
    • Drops startup file
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4452
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lajkrkag\lajkrkag.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES618D.tmp" "c:\Users\Admin\AppData\Local\Temp\lajkrkag\CSC8B4757A9AC8448BA5D5FEBD2A61AC.TMP"
        3⤵
          PID:3576

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES618D.tmp

      Filesize

      1KB


    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gayoq4ud.szc.ps1

      Filesize

      1B


    • C:\Users\Admin\AppData\Local\Temp\lajkrkag\lajkrkag.dll

      Filesize

      3KB


    • C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\AFqJfBoXcuCSZtsT.YoiMWFrqHSLzjkCexb

      Filesize

      146KB


    • C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\ASZQaXouDB.RkaAzwDjeUdspfto

      Filesize

      133KB


    • C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\DKgktXvNZPFr.RGQqJyjbphVErkPTA

      Filesize

      171KB


    • C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\LnerWMBgjOSDcPliyzT.VtcNxBAgkWa

      Filesize

      172KB


    • C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\MlUejLxHGgWDzqpS.VAMEOGeaouZvLrFcht

      Filesize

      133KB


    • C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\bBVJEpqwhSOFXIGYm.uHSbcxtRyWIhlps

      Filesize

      192KB


    • C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\ftTzqRAwCP.rckJNulozCVsPaMX

      Filesize

      132KB


    • C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\jbohTScZsKkXNRuzQ.UsadtGHOvVqoukKhPcW

      Filesize

      157KB


    • C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\oUbxfLjgKmXrdcT.FfHSadwzqrZTLg

      Filesize

      89KB


    • C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\yeIhBUKQbW.iStXzqQUYKaDCn

      Filesize

      132KB


    • C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\zNadBQkwFgH.BYydUsvQFngElaxMeNt

      Filesize

      69KB


    • \??\c:\Users\Admin\AppData\Local\Temp\lajkrkag\CSC8B4757A9AC8448BA5D5FEBD2A61AC.TMP

      Filesize

      652B


    • \??\c:\Users\Admin\AppData\Local\Temp\lajkrkag\lajkrkag.0.cs

      Filesize

      236B


    • \??\c:\Users\Admin\AppData\Local\Temp\lajkrkag\lajkrkag.cmdline

      Filesize

      369B


    • memory/4452-125-0x000001C947260000-0x000001C947282000-memory.dmp

      Filesize

      136KB

    • memory/4452-128-0x000001C92CD00000-0x000001C92CD10000-memory.dmp

      Filesize

      64KB

    • memory/4452-194-0x000001C92CD00000-0x000001C92CD10000-memory.dmp

      Filesize

      64KB

    • memory/4452-132-0x000001C947390000-0x000001C947406000-memory.dmp

      Filesize

      472KB

    • memory/4452-127-0x000001C92CD00000-0x000001C92CD10000-memory.dmp

      Filesize

      64KB

    • memory/4452-159-0x000001C9471A0000-0x000001C9471A8000-memory.dmp

      Filesize

      32KB

    • memory/4452-362-0x000001C9471E0000-0x000001C9471F2000-memory.dmp

      Filesize

      72KB

    • memory/4452-367-0x000001C92CD00000-0x000001C92CD10000-memory.dmp

      Filesize

      64KB

    • memory/4452-368-0x000001C92CD00000-0x000001C92CD10000-memory.dmp

      Filesize

      64KB

    • memory/4452-369-0x000001C92CD00000-0x000001C92CD10000-memory.dmp

      Filesize

      64KB