jupyter | 37abfb895661e2bf39b8c68145b7d6b07e87401941dc64a3b27dd796e26f24ee

General

Target

extracted-1.ps1
Size

756KB
MD5

54a16f3dc4fc71077791305aebffef92
SHA1

ce8789f854d83627f13dd4a257e63c9d0de8805f
SHA256

37abfb895661e2bf39b8c68145b7d6b07e87401941dc64a3b27dd796e26f24ee
SHA512

d06aa0604fdc1adb43d45ce170aabb4cb1605d96792ab055b873824963a4dec2da8f95bd58197977cf8b53c7c9d51722aee56273afec99068f8b3ac89d1b0d39
SSDEEP

12288:ZdZV/VY1zxCLwFCRGnwt2DD/w8EiGK9H6KR6jptxAVdYkXqxqIgztrj:tbLXRGwtHFiJ9N6BnHqBv

Score

10^/10

jupyter backdoor discovery execution stealer trojan

Malware Config

Extracted

Family

jupyter

C2

http://185.94.191.54

Signatures

Jupyter family
jupyter
Jupyter, SolarMarker
Jupyter is a backdoor and infostealer first seen in mid 2020.
backdoor trojan stealer jupyter

Blocklisted process makes network request 10 IoCs

Processes:

powershell.exe

flow	pid	process
8	4992	powershell.exe
70	4992	powershell.exe
77	4992	powershell.exe
82	4992	powershell.exe
84	4992	powershell.exe
85	4992	powershell.exe
86	4992	powershell.exe
87	4992	powershell.exe
88	4992	powershell.exe
89	4992	powershell.exe

Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

dist13142.exeNFWCHK.exe

pid process

2180 dist13142.exe
4576 NFWCHK.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4992 powershell.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

dist13142.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dist13142.exe
Modifies Control Panel 1 IoCs
evasion

Processes:

dist13142.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\MuiCached dist13142.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid process

4992 powershell.exe
4992 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 4992 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

dist13142.exe

pid process

2180 dist13142.exe
2180 dist13142.exe

pid	process
2180	dist13142.exe
4576	NFWCHK.exe

pid	process
4992	powershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dist13142.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\Desktop\MuiCached	dist13142.exe

pid	process
4992	powershell.exe
4992	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4992	powershell.exe

pid	process
2180	dist13142.exe
2180	dist13142.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

powershell.exedist13142.exe

description	pid	process	target process
PID 4992 wrote to memory of 2180	4992	powershell.exe	dist13142.exe
PID 4992 wrote to memory of 2180	4992	powershell.exe	dist13142.exe
PID 4992 wrote to memory of 2180	4992	powershell.exe	dist13142.exe
PID 2180 wrote to memory of 4576	2180	dist13142.exe	NFWCHK.exe
PID 2180 wrote to memory of 4576	2180	dist13142.exe	NFWCHK.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\extracted-1.ps1
1⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Users\Admin\AppData\Local\Temp\dist13142.exe
  "C:\Users\Admin\AppData\Local\Temp\dist13142.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Users\Public\Documents\Wondershare\NFWCHK.exe
    C:\Users\Public\Documents\Wondershare\NFWCHK.exe
    3⤵
    - Executes dropped EXE
    PID:4576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log

Filesize
2KB

MD5
3b3957125a3a4c51e4dc0a94391949ef

SHA1
265c04978195f8e2084168e90f7990cc0af04e35

SHA256
226a3790444013e7887d84e350ca9ff24cb7b05fcb53f2319035d9268866c522

SHA512
c9f94f07a354b9daeb0491550cc7d70e4a089592005227ca7125bb624c54602e38f6a1ae5733df69c105687f2f19ab00ab27d98b3da90f07ea30960d715e28e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wondershare\WAE\wsWAE.log

Filesize
546B

MD5
8cb7a3888542b5df53fe555eb7d68fc3

SHA1
5cc2f4484b805185cc9dd3c245d2b0bc0e73c22f

SHA256
446ccc7c085340c75cc1d78d43387e1955448d5711526ebe9574941a4b7e53f8

SHA512
12bd583ef63af554ba2dc9a3e3d5b42032c61db7c92b30e41cde219a931edcdc5fb43c882571fe27384fda8031cbe891b4e41ddc7cac010891009ef89f703d24

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ovlqcqby.ekj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dist13142.exe

Filesize
2.0MB

MD5
f4c83004d10430c3e6f804a35e5dbddb

SHA1
44b3bf37ea04bbab6b6e73d53b5f48fe106dc122

SHA256
db55c785a9e77ab1cfe35f5994fc3ddc46191f6c1f612caab23876489ee44ff4

SHA512
9c7b038c42611b40173ec744fc2e773b6262a947511832f08f1158528cf03f0bc838eeb567a2e2ca2f59cfbdf438415b7fa7b1fc5580aa3ad9a04bf7def063a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
1KB

MD5
44fbd57f1639bffc195da413db32116c

SHA1
b38b853b98b87fbcfdb98fa0835bc0e10eca5ec3

SHA256
140ee95e36a0a2b0ef838d5e1ee986db20222b7176e603da05f8c0f85fde0c7e

SHA512
74eec474e72d0379ad66543d3d0276cc8e91270de8eee08fdd5e3ca9fc6444bf14729817c6ccc9711c1dad6c6eb213ee0e86cee83fd5e37536002fee928c04b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\wsduilib.log

Filesize
54KB

MD5
113730d8c6f44cd71d848e3a634dc7dc

SHA1
692c559b1d06c21d0d464ad079e9914bb81441e6

SHA256
1f56290a8cec3a926a1f1c81366f27f692af238f4058498d38271993a43e62aa

SHA512
03f406dfa47c8a5356d4d1d1d3d53f4ea9d2d5442a2f378926daecd2bba468501bb03a9ca0b083ae987c87bdd6792d0d0fc1b0b322db18884561ff81bf892934

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe

Filesize
7KB

MD5
27cfb3990872caa5930fa69d57aefe7b

SHA1
5e1c80d61e8db0cdc0c9b9fa3b2e36d156d45f8f

SHA256
43881549228975c7506b050bce4d9b671412d3cdc08c7516c9dbbb7f50c25146

SHA512
a1509024872c99c1cf63f42d9f3c5f063afde4e9490c21611551ddd2322d136ce9240256113c525305346cf7b66ccca84c3df67637c8fecbfeebf14ffa373a2a

Download Submit
C:\Users\Public\Documents\Wondershare\NFWCHK.exe.config

Filesize
223B

MD5
5babf2a106c883a8e216f768db99ad51

SHA1
f39e84a226dbf563ba983c6f352e68d561523c8e

SHA256
9e676a617eb0d0535ac05a67c0ae0c0e12d4e998ab55ac786a031bfc25e28300

SHA512
d4596b0aafe03673083eef12f01413b139940269255d10256cf535853225348752499325a5def803fa1189e639f4a2966a0fbb18e32fe8d27e11c81c9e19a0bb

Download Submit
memory/4576-1181-0x000000001C1D0000-0x000000001C219000-memory.dmp

Filesize
292KB

Download
memory/4576-1184-0x000000001CD40000-0x000000001CDDC000-memory.dmp

Filesize
624KB

Download
memory/4576-1186-0x000000001D120000-0x000000001D15E000-memory.dmp

Filesize
248KB

Download
memory/4576-1185-0x0000000001550000-0x0000000001558000-memory.dmp

Filesize
32KB

Download
memory/4576-1183-0x000000001C7D0000-0x000000001CC9E000-memory.dmp

Filesize
4.8MB

Download
memory/4576-1182-0x000000001C290000-0x000000001C2F2000-memory.dmp

Filesize
392KB

Download
memory/4576-1177-0x0000000001350000-0x0000000001374000-memory.dmp

Filesize
144KB

Download
memory/4576-1178-0x00000000013A0000-0x00000000013B8000-memory.dmp

Filesize
96KB

Download
memory/4576-1179-0x00000000013E0000-0x0000000001400000-memory.dmp

Filesize
128KB

Download
memory/4576-1180-0x000000001BAC0000-0x000000001BDCE000-memory.dmp

Filesize
3.1MB

Download
memory/4992-0-0x00007FFBC4243000-0x00007FFBC4245000-memory.dmp

Filesize
8KB

Download
memory/4992-11-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

Filesize
10.8MB

Download
memory/4992-12-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

Filesize
10.8MB

Download
memory/4992-23-0x000002CFAD450000-0x000002CFAD4E4000-memory.dmp

Filesize
592KB

Download
memory/4992-1166-0x00007FFBC4240000-0x00007FFBC4D01000-memory.dmp

Filesize
10.8MB

Download
memory/4992-1165-0x00007FFBC4243000-0x00007FFBC4245000-memory.dmp

Filesize
8KB

Download
memory/4992-6-0x000002CFACC70000-0x000002CFACC92000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing