
Windows Analysis Report kPfPqPFeXy

Overview

General Information

Sample Name: kPfPqPFeXy (renamed file extension from none to dll)
Analysis ID: 556266
MD5: a407ff2f606842396cfe89c9dd4aa631
SHA1: d4611f2995c39674e1d47086b6c581844eeb7075
SHA256: a1413ef584a3952457bb220ac077c2caa7f6a485cfdf225dca13dd2758bb907a

Detection

Jupyter
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Yara detected Jupyter backdoor
Multi AV Scanner detection for submitted file
Sigma detected: Suspicious Call by Ordinal
C2 URLs / IPs found in malware configuration
Creates a DirectInput object (often for capturing keystrokes)
Uses 32bit PE files
Sample file is different than original file name gathered from version info
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w10x64
  • loaddll32.exe (PID: 4244 cmdline: loaddll32.exe "C:\Users\user\Desktop\kPfPqPFeXy.dll" MD5: 7DEB5DB86C0AC789123DEC286286B938)
    • cmd.exe (PID: 6328 cmdline: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\kPfPqPFeXy.dll",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • rundll32.exe (PID: 5596 cmdline: rundll32.exe "C:\Users\user\Desktop\kPfPqPFeXy.dll",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D)
  • cleanup

Malware Configuration

Threatname: Jupyter Backdoor

{"Version": "SP-W3", "C2 url": "http://104.223.123.7"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
kPfPqPFeXy.dll | JoeSecurity_Jupyter | Yara detected Jupyter backdoor | Joe Security |

    Sigma Overview

    System Summary:

    Sigma detected: Suspicious Call by Ordinal
    Source: Process started
    Author: Florian Roth
    Data:
      Command: rundll32.exe "C:\Users\user\Desktop\kPfPqPFeXy.dll",#1
      CommandLine: rundll32.exe "C:\Users\user\Desktop\kPfPqPFeXy.dll",#1
      CommandLine|base64offset|contains:
      Image: C:\Windows\SysWOW64\rundll32.exe
      NewProcessName: C:\Windows\SysWOW64\rundll32.exe
      OriginalFileName: C:\Windows\SysWOW64\rundll32.exe
      ParentCommandLine: cmd.exe /C rundll32.exe "C:\Users\user\Desktop\kPfPqPFeXy.dll",#1
      ParentImage: C:\Windows\SysWOW64\cmd.exe
      ParentProcessId: 6328
      ProcessCommandLine: rundll32.exe "C:\Users\user\Desktop\kPfPqPFeXy.dll",#1
      ProcessId: 5596
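The Sigma hit above keys on rundll32 being handed an export ordinal (",#1") instead of an export name, which is exactly how the sample was launched. The detector below is an added example written for this page; it is neither the Sigma rule itself nor part of the report's tooling. Its match patterns are this example's own reading of that behaviour (the rule's exact selection strings are not reproduced, so treat them as an assumption), and the event records it runs over are constructed, the first one copied from the process-creation event listed above.

```python
import re
from typing import Dict, List, Optional

# Added example, not the Sigma rule and not the report's tooling. Flags rundll32
# invoked with an export ordinal (",#1", ", #1", ",#+1" or "x.dll #1") rather than
# an export name. The patterns are an assumption about the rule's selection list;
# allow-listing of known-good ordinal callers is deliberately left out.

RUNDLL32_RE = re.compile(r"(?:^|[\\\s\"'])rundll32(?:\.exe)?\b", re.IGNORECASE)
ORDINAL_RE = re.compile(
    r"(?:,\s*|\.(?:dll|ocx|cpl)\s+)"   # separator after the module path
    r"#\+?\s*(?P<ordinal>\d+)"          # '#' (optionally '#+'), then the ordinal
    r"(?=\s|$|\")",                     # the token must end there
    re.IGNORECASE,
)


def ordinal_call(command_line: str) -> Optional[int]:
    """Return the export ordinal if this is a rundll32 call by ordinal, else None."""
    if not RUNDLL32_RE.search(command_line):
        return None
    m = ORDINAL_RE.search(command_line)
    return int(m.group("ordinal")) if m else None


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run the check over process-creation events and return one alert per hit.

    Only the command line is inspected, so a cmd.exe /C wrapper that carries the
    same rundll32 string (as in the report's process tree) is flagged as well;
    group alerts by parent chain downstream if that is noise for you.
    """
    alerts = []
    for ev in events:
        ordinal = ordinal_call(ev.get("CommandLine", ""))
        if ordinal is None:
            continue
        alerts.append({
            "rule": "Suspicious Call by Ordinal",
            "pid": ev.get("ProcessId"),
            "image": ev.get("Image"),
            "parent": ev.get("ParentImage"),
            "ordinal": ordinal,
            "command_line": ev["CommandLine"],
        })
    return alerts


# Constructed sample events. The first reproduces the process-creation event the
# report lists; the other three are made up for contrast and are not from the report.
SAMPLE_EVENTS = [
    {"ProcessId": "5596", "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\user\Desktop\kPfPqPFeXy.dll",#1',
     "ParentImage": r"C:\Windows\SysWOW64\cmd.exe"},
    {"ProcessId": "7001", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL hotplug.dll",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": "7002", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Users\user\AppData\Local\Temp\x.dll, #+3',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"ProcessId": "7003", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /C rundll32.exe "C:\Users\user\Desktop\kPfPqPFeXy.dll",#1',
     "ParentImage": r"C:\Windows\System32\loaddll32.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] pid={alert['pid']} ordinal={alert['ordinal']} {alert['command_line']}")
```

Run stand-alone it prints three alerts: the report's rundll32 process (PID 5596, ordinal 1), the constructed ", #+3" variant, and the cmd.exe wrapper that carries the same string. The benign shell32.dll,Control_RunDLL launch is not flagged because it names its export.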

    Jbx Signature Overview


    AV Detection:

    Antivirus / Scanner detection for submitted sample
    Source: kPfPqPFeXy.dll | Avira: detected
    Found malware configuration
    Source: kPfPqPFeXy.dll | Malware Configuration Extractor: Jupyter Backdoor {"Version": "SP-W3", "C2 url": "http://104.223.123.7"}
    Multi AV Scanner detection for submitted file
    Source: kPfPqPFeXy.dll | Virustotal: Detection: 38%
    Source: kPfPqPFeXy.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
    Source: kPfPqPFeXy.dll | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

    Networking:

    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor | URLs: http://104.223.123.7
    Source: kPfPqPFeXy.dll | String found in binary or memory: http://104.223.123.7
    Source: loaddll32.exe, 00000000.00000002.674727399.0000000000BEB000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
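The configuration extractor and the plain string search both surface http://104.223.123.7. The sample carries a COM descriptor data directory (listed under the static PE information further down), so it is a .NET assembly, and .NET user strings are stored UTF-16LE; a scanner that only walks ASCII runs misses such a C2. The scanner below is an added example for this page, not the report's extractor. The byte buffer it runs on is constructed to imitate that layout and is not the sample's actual bytes; the 203.0.113.9 address in it is made up (TEST-NET-3 documentation range) and has nothing to do with the sample.

```python
import re
from typing import Dict, List, Tuple

# Added example, not the report's configuration extractor. Pulls printable ASCII
# and UTF-16LE runs out of a byte buffer (the latter is where a .NET assembly keeps
# its user strings) and filters them for URLs and IPv4 literals.

URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[^\s\"'<>]*)?")
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)


def extract_strings(data: bytes, min_len: int = 6) -> List[Tuple[str, int, str]]:
    """Return (encoding, offset, text) for printable ASCII and UTF-16LE runs."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [("ascii", m.start(), m.group().decode("ascii")) for m in ascii_re.finditer(data)]
    found += [("utf-16le", m.start(), m.group().decode("utf-16-le")) for m in utf16_re.finditer(data)]
    return sorted(found, key=lambda s: s[1])


def extract_iocs(data: bytes, min_len: int = 6) -> Dict[str, List[str]]:
    """Collect unique URLs and IPv4 literals from the strings in data."""
    urls, ips = set(), set()
    for _enc, _off, text in extract_strings(data, min_len):
        urls.update(URL_RE.findall(text))
        ips.update(IPV4_RE.findall(text))
    return {"urls": sorted(urls), "ipv4": sorted(ips)}


def defang(indicator: str) -> str:
    """Make an indicator safe to paste into a ticket (http -> hxxp, '.' -> '[.]')."""
    return indicator.replace("http", "hxxp").replace(".", "[.]")


# Constructed stand-in for the binary (not the real sample's bytes): ASCII names a
# .NET DLL would carry, the report's C2 URL and Version value laid out UTF-16LE the
# way the #US heap holds them, and one made-up ASCII address for contrast.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"This program cannot be run in DOS mode.\x00" + b"\x00" * 8
    + b"mscoree.dll\x00_CorDllMain\x00#Strings\x00#US\x00" + b"\x00\x00"
    + "http://104.223.123.7".encode("utf-16-le") + b"\x00\x00"
    + "SP-W3".encode("utf-16-le") + b"\x00\x00"
    + b"203.0.113.9:8080\x00"
)

if __name__ == "__main__":
    for enc, off, text in extract_strings(SAMPLE):
        print(f"{off:#06x} {enc:8} {text}")
    for kind, values in extract_iocs(SAMPLE).items():
        print(kind, [defang(v) for v in values])
```

The default six-character floor is the usual strings(1) setting; it drops the five-character "SP-W3" version tag, so lower min_len when hunting for short configuration values and expect more noise in return.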

    System Summary:

    Source: kPfPqPFeXy.dll | Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, DLL
    Source: kPfPqPFeXy.dll | Binary or memory string: OriginalFilename 3e9be9f5-4827-4aa5-a374-4d6d08933671.dll vs kPfPqPFeXy.dll
    Source: kPfPqPFeXy.dll | Virustotal: Detection: 38%
    Source: kPfPqPFeXy.dll | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Windows\System32\loaddll32.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: classification engine | Classification label: mal80.troj.winDLL@5/0@0/0
    Source: unknown | Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\kPfPqPFeXy.dll"
    Source: C:\Windows\System32\loaddll32.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\kPfPqPFeXy.dll",#1
    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\kPfPqPFeXy.dll",#1
    Source: kPfPqPFeXy.dll | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: kPfPqPFeXy.dll | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX
    Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Windows\System32\loaddll32.exe | Thread delayed: delay time: 120000
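The static PE lines above come straight from three header fields: the COFF Characteristics (32BIT_MACHINE, EXECUTABLE_IMAGE, DLL), the optional header's DllCharacteristics (NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT) and the section table flags, while a non-empty IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR slot is what marks the file as a .NET assembly. The parser below is an added example for this page, not the analyser that produced the report. It decodes those fields from a minimal PE32 DLL header that the example builds itself, because the sample's real bytes are not on the page; the section layout, CLR header RVA and subsystem value in that constructed image are assumptions.

```python
import struct
from typing import Dict, List

# Added example, not the report's static analyser. Decodes COFF Characteristics,
# optional-header DllCharacteristics, section flags and the COM descriptor directory.
# Constants follow the PE/COFF specification; the sample image is constructed.

MACHINES = {0x014C: "I386", 0x8664: "AMD64", 0x01C0: "ARM", 0xAA64: "ARM64"}
FILE_CHARACTERISTICS = {
    0x0001: "RELOCS_STRIPPED", 0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE", 0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0400: "NO_SEH", 0x4000: "GUARD_CF", 0x8000: "TERMINAL_SERVER_AWARE",
}
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE", 0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
COM_DESCRIPTOR_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data: bytes) -> Dict[str, object]:
    """Parse DOS, COFF and optional headers plus the section table (no imports/exports)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:          # PE32: NumberOfRvaAndSizes at +92, directories at +96
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:        # PE32+: the 8-byte ImageBase and stack/heap fields shift them
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]   # same offset in both formats
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    com_rva = com_size = 0
    if ndirs > COM_DESCRIPTOR_INDEX:
        com_rva, com_size = struct.unpack_from("<II", data, dirs_off + 8 * COM_DESCRIPTOR_INDEX)
    sections = []
    for i in range(nsections):
        name, *_, sec_chars = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), decode_flags(sec_chars, SECTION_FLAGS)))
    return {
        "machine": MACHINES.get(machine, "%#x" % machine),
        "pe32plus": magic == 0x20B,
        "file_characteristics": decode_flags(characteristics, FILE_CHARACTERISTICS),
        "dll_characteristics": decode_flags(dll_chars, DLL_CHARACTERISTICS),
        "is_dotnet": com_rva != 0 and com_size != 0,
        "sections": sections,
        # writable + executable sections are worth a look in any sample
        "wx_sections": [n for n, f in sections
                        if "IMAGE_SCN_MEM_WRITE" in f and "IMAGE_SCN_MEM_EXECUTE" in f],
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 DLL header carrying the flag set the report lists; no code."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 224,
                       0x0002 | 0x0100 | 0x2000)               # EXECUTABLE_IMAGE | 32BIT_MACHINE | DLL
    opt = bytearray(224)                                      # PE32 optional header incl. 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 68, 3)                        # Subsystem WINDOWS_CUI (assumed)
    struct.pack_into("<H", opt, 70, 0x0040 | 0x0100 | 0x0400 | 0x8000)  # the report's DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 8 * COM_DESCRIPTOR_INDEX, 0x2008, 0x48)  # CLR header RVA (assumed) / size
    text = struct.pack("<8sIIIIIIHHI", b".text", 0x1000, 0x2000, 0x200, 0x200, 0, 0, 0, 0,
                       0x00000020 | 0x20000000 | 0x40000000)   # CNT_CODE | MEM_EXECUTE | MEM_READ
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text


if __name__ == "__main__":
    for key, value in parse_pe(build_sample_pe()).items():
        print(f"{key}: {value}")
```

Point parse_pe at real file bytes and the same dictionary comes back. The DllCharacteristics combination the report shows (DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE) is the default the .NET compilers write, which agrees with the COM descriptor entry; NO_SEH on a managed image is normal and is not an indicator on its own.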

    Stealing of Sensitive Information:

    Yara detected Jupyter backdoor
    Source: Yara match | File source: kPfPqPFeXy.dll, type: SAMPLE

    Remote Access Functionality:

    Yara detected Jupyter backdoor
    Source: Yara match | File source: kPfPqPFeXy.dll, type: SAMPLE

    Mitre Att&ck Matrix

    Listed per tactic; a number after a technique is the report's count of matching signatures for it.

    Initial Access: Valid Accounts; Default Accounts; Domain Accounts
    Execution: Windows Management Instrumentation; Scheduled Task/Job; At (Linux)
    Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows)
    Privilege Escalation: Process Injection 11; Boot or Logon Initialization Scripts; Logon Script (Windows)
    Defense Evasion: Rundll32 1; Virtualization/Sandbox Evasion 1; Process Injection 11
    Credential Access: Input Capture 1; LSASS Memory; Security Account Manager
    Discovery: Virtualization/Sandbox Evasion 1; System Information Discovery 1; Query Registry
    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares
    Collection: Input Capture 1; Data from Removable Media; Data from Network Shared Drive
    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration
    Command and Control: Application Layer Protocol 1; Junk Data; Steganography
    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
    Impact: Modify System Partition; Device Lockout; Delete Device Data

    Behavior Graph

    Behavior Graph ID: 556266; Sample: kPfPqPFeXy; Start date: 19/01/2022; Architecture: WINDOWS; Score: 80
    Graph nodes: loaddll32.exe -> cmd.exe -> rundll32.exe (each started by the previous one)
    Signatures attached to the sample node: Found malware configuration; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; 3 other signatures
