Overview

overview

10

Static

static

1

eb6bc8b129...3f.ps1

windows7-x64

10

eb6bc8b129...3f.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    22-12-2024 06:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb6bc8b129be5249bada70182e4de5d14036b9d45db954ecfd2559da1e17053f.ps1

  • Size

    65KB

  • MD5

    12269047226f5871f1993084f95cf496

  • SHA1

    b1f37fc678807b17f19cce8e31d8fd254d52eea1

  • SHA256

    eb6bc8b129be5249bada70182e4de5d14036b9d45db954ecfd2559da1e17053f

  • SHA512

    49be3c32c8feb9051c456195485d092d2ed448e70e29bfc9b673f87de81b5495c8dcaa51b3d0c4553d7f0fb42aaa00c81d7df7470db5444029d638968cdbcc5e

  • SSDEEP

    1536:TB/0A9qWmZeyDuI4SAtB6aDN8wLDscn4JTIBp53L2o6E:SzZTuI4p61aDsH2yo6E

Score
10/10
jupyterbackdoorexecutionstealertrojan

Malware Config

Extracted

Family

jupyter

Version

OC-12

C2

http://92.204.160.233

Signatures

  • Jupyter Backdoor/Client payload 1 IoCs
  • Jupyter family
    jupyter
  • Jupyter, SolarMarker

    Jupyter is a backdoor and infostealer first seen in mid 2020.

    backdoortrojanstealerjupyter
  • Drops startup file 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\eb6bc8b129be5249bada70182e4de5d14036b9d45db954ecfd2559da1e17053f.ps1
    1⤵
    • Drops startup file
    • Command and Scripting Interpreter: PowerShell
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bvfend1p.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2580
      • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA880.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA87F.tmp"
        3⤵
          PID:1828

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RESA880.tmp
      Filesize

      1KB

      MD5

      367387fa26fc0c84f6dea4c82a60f20f

      SHA1

      b96dced10d4dd0be8f568817688764bbb4fb2d75

      SHA256

      595e326626ddc339d6ab4c8652a23e6cd3737e5a632ca9243d840f36d333373f

      SHA512

      23f5c876eec69d8152c493d388ea1778ff983851c2aba1e11d65a9e0a21b1b6dbc4705f3b11545c9b4cc2551398f2d21b63eb1b6cd970a3f2164f0b53db147df

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\bvfend1p.dll
      Filesize

      3KB

      MD5

      c1d07651660a0715b8e2acab24c836de

      SHA1

      02d89574ac5f5370a938a5a364b278b4df6b2cc5

      SHA256

      496b29438bcd2157e862ef9922ef4b27c8bc2a43fed6b2cba23c67a07ee95e37

      SHA512

      005102c951af594b8a797e41c818a3cbe9e884d37ae4c01928236d8eee8e184cd3b3321cdf058e01fd813309b92f5c60a17776212026a5d3f88af03ccfd99aea

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\bvfend1p.pdb
      Filesize

      7KB

      MD5

      ca334338ad07221800943673c0b96251

      SHA1

      e4d609d55fdc6ef2d4ab2a4bb8b3c24e0e98a974

      SHA256

      42662f8f1ae605bb326bf5d82a11494c5abfb272d98afab3b6177396b2932515

      SHA512

      dc8758cb262ac179bd7a429bb55bad02ab8ef30b0448e6cce360dd1cc929ea51141ec2856682a28d1fad814c0219070b6f12b5cd934bcab6a971dcbf9dd26e8b

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\CSCA87F.tmp
      Filesize

      652B

      MD5

      a7169468bcf1c51941ca07a562cdcfda

      SHA1

      03457ef9e8de95b84d4dde43a94b1c93585a5c33

      SHA256

      836fe660f830969bf32d20c0e9c6546e4af7be1d0d20672f9106c053558f1724

      SHA512

      abf6439c566aff60775ebd209cedd279ba8598859598416a339b1341dc6e0d5ac6745d28d83d63c03eb20bc369dec037087e49ef9296bb90958b65412bc7b179

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\bvfend1p.0.cs
      Filesize

      236B

      MD5

      d4b917080b8fb08a3b868465e8fe7841

      SHA1

      3e14b90f9e1d314fa7c98b57599a4475cad63ee5

      SHA256

      f82e63bed7f49d98d714988dd56018798a332ab6a41c142c6fdfa357c2038b68

      SHA512

      6d6a9b3ab3c9ab0d7e249472b50ddc022720a6f1a26c70c37689cbbdce43ec5f8280f24804cbb75e4c06c279b1418cf4a6ccbccd0de6873d94c7b723899654a2

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\bvfend1p.cmdline
      Filesize

      309B

      MD5

      1924afd378e58ae2161557819d5a31e7

      SHA1

      17dc7f4eb4ac981978cd1e92a9b9b0131e62cc81

      SHA256

      9f29875a963eb33199fd2ba09c65f30ae723d980a57a308a720d9133567c09d7

      SHA512

      a397c47c6419d2d43c2b813e25d525f51418bd1257ea929c9ee122424f29f6c869415662d63838c90959042840c426eeebfbbefb39dc9e218c4fb44ffbdd6056

      Download Submit

    • memory/2204-10-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2204-144-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2204-4-0x000007FEF5E0E000-0x000007FEF5E0F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2204-9-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2204-8-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2204-240-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2204-6-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2204-239-0x000000001BC00000-0x000000001BC12000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2204-27-0x000000001B550000-0x000000001B558000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2204-7-0x00000000028F0000-0x00000000028F8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2204-5-0x000000001B610000-0x000000001B8F2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2204-125-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2204-124-0x000007FEF5E0E000-0x000007FEF5E0F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2204-11-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2204-146-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2204-158-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2204-197-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2580-25-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2580-20-0x000007FEF5B50000-0x000007FEF64ED000-memory.dmp

      Filesize

      9.6MB

      Download