# Tracking Jupyter Malware **[security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html](https://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html)** Luke Acha *Updated March 10, 2022 (Detection rules for new variant observed March 2022.) I have had the opportunity to track the .NET Backdoor, dubbed by Morphisec as Jupyter Infostealer A.K.A Solarmarker I was excited to see this writeup since this was a malware family that myself and other [researchers on twitter were discussing for a couple weeks prior to the Morphisec article,](https://twitter.com/killamjr/status/1316556766017183747) before there was an attributed name to the malware. This was in October, and we were all sharing some bits of information we had on this, since that time I have also been using custom YARA signatures to perform live hunts and retro-hunts in VirusTotal to continue to keep up on this malware. [Recently I had seen Red Canary wrote up about this, dubbing it Yellow Cockatoo. Again, I](https://redcanary.com/blog/yellow-cockatoo/) was very excited to see some more attention being paid to this malware, I enjoyed both the writeups. Red Canary and Morphisec provided excellent information! Since I've been tracking this for sometime, and commenting on all new samples I see uploaded to VirusTotal, I figured I would provide some perspective that I have on this malware as well. First, the initial access. Red Canary does correctly point out that there is redirecting of search engine queries, to dig a bit deeper, it appears that this is being done by abusing legit sites such as sites.google.com and cdn.shopify.com. The following image is a recent (as of this writing) sample uploaded to VirusTotal. Take note of 3 things. The first being the file name, the second being the file size, and finally the 3rd item being the Icon which appears to mimic a Word Document. ----- In the next screenshot we can see potentially where a users search criteria may lead to this malware. Note: I have seen this also on various sites.google.com pages as well with earlier samples. So, what happens when we go to this link which may potentially lead to the malware? ----- Now this is interesting right! OK, so when I click on the PDF download, I watched the Address Bar redirect several times until I was able to get the final malware. Look at the following screenshots! ----- ----- ----- What is really interesting is how quickly this 100MB+ file actually downloads! Why is this you ask? It's because the file appears to be heavily padded (older samples were padded with NULL Bytes, this latest one is padded with repeating garbage bytes 99 21 C1 FA A3 71 38 9B). Even more interesting is that the malware seems to perform a filesize check, so that if an analyst attempts to alter the size the malware errors out. If I remove even 1 byte, it errors, if I add even 1 byte, it errors.... but... if I just flip a bunch of the NULL Bytes and the file size remains the same, it works fine. Below are acouple interesting screenshots of the padding and the import of GetFileSize which might be used to see if the file was altered (ie. padding removed). NOTE: The April 2021 variant appears to have dropped much of the padding, **file sizes are now 16-17MB** ----- At this point, I feel we have a good sense of the initial vector for this. We know a lot based on the Red Canary and Morphisec write-ups, we know that the malware drops and launches a legit program as a red herring in this case Soda PDF, we also know that it drops 2 .txt files in appdata\local\temp, which are really powershell files. The first one decodes the second one, then they delete themselves. This is because they create persistence in the form of a .cmd file (which launches powershell) it also drops a larger file which is a heavily encoded file that is decoded from the .cmd file. ----- Two other interesting things happen during all of this.... 1, the powershell process connects to the C2 per the loaded DLL and even more interesting is that is modifies existing desktop LNK files (shortcuts), keeping the original launch string and then adds an operator to also launch the .CMD file! ----- That's Right! My PEStudio still launches.... along with the malware! OK, so for a little bit of fun, I'll quickly go over how you can easily decode this malware and extract the malicious DLL. First, we modify the .CMD file a bit, comment out or remove the [system.reflection.......] line, and remove everything before (and including) the bracket {. Save the file as .ps1 for ease. Next, we put in a line "Write-Output(Variable being loaded from system.reflection) | Out-File "c:\....." ----- At this point, this is simple encoding. I've been using CyberChef "From CharCode", Delimiter "Line Feed" "Base 10" to quickly get the DLL at this point. ----- Hopefully this helps provide some additional details on this malware, below are the IOCs for this specific example. Happy Hunting! IOCs From initial writing: Initial Executable: da2eb36e763ecf1a47532e9f8efeacb7 Malicious DLL: 147666fdb5f64f46a0a0add2cc428ec8 C2: 91.241.19[.]110 Observed Redirect Domains: dyrepopo[.]gq feedsterbomiditsign[.]tk listlypdilaho[.]tk callnogrenisso[.]tk selldunlop[.]site spherdoorgfinversbrookin[.]tk tioblutrockbarneyprec[.]tk thiecorbeluno[.]tk **VT Enterprise Hunting Tactics** Icon Hash searching: PDF page that holds embeeded links to series of redirects: **main_icon_dhash:94148c3333001100** PDF page that holds embeeded links to series of redirects: **main_icon_dhash:94228c3333001100** PDF page that holds embeeded links to series of redirects: **main_icon_dhash:0f0f0307332f3f19** Fake Word Document Icon Hash for dropper file: main_icon_dhash:64dcd4d2c4c4d0d4 Fake PDF Document Icon Hash for dropper file: main_icon_dhash:b2b29696969ef66a ----- **size:100MB+** Fake PDF Document Icon Hash for dropper April 2021: **main_icon_dhash:b2b29696969ef66a** Fake PDF Document Icon Hash for dropper September 2021: **main_icon_dhash:64e4d4d4e8f4dcd4** March 2022 VirusTotal search for Dropper:entity:file tag:signed type:peexe size:250MB+ **size:270MB- packer:".NET executable"** **YARA Rules:** [SolarMarker March 2022 Malicious DLL Detection](https://github.com/securitymagic/yara/blob/main/Jupyter%20Malware/solarmarker_0322.yar) [SolarMarker 2021 DLL Detection](https://github.com/securitymagic/yara/tree/main/Jupyter%20Malware) [Suspicious_Powershell_Strings](https://github.com/securitymagic/yara/blob/main/Jupyter%20Malware/JupyterPS.yar) **OpenIOC Rules:** [Solarmarker.dat File Creation (OpenIOC)](https://github.com/securitymagic/openioc/blob/main/File_Actions/Jupyter_File_Created) [Suspicious_Porcesses_Writing_to_Startup (OpenIOC)](https://github.com/securitymagic/openioc/blob/main/File_Actions/Suspicious_Startup_Written.ioc) **SIGMA Rules:** [Solarmarker.dat File Creation (SIGMA)](https://github.com/securitymagic/sigma/blob/main/Jupyter_File_Drop.yml) [Suspicious_Porcesses_Writing_to_Startup (SIGMA)](https://github.com/securitymagic/sigma/blob/main/suspicious_startup_creation.yml) **Updates:** **07/29/2021:** **https://squiblydoo.blog/2021/06/20/mars-deimos-from-jupiter-to-mars-and-** **back-again-part-two/** **Fantastic analysis of the malware by author Squiblydoo** **12/22/2020:** http://security5magics.blogspot.com/2020/12/december-22-2020-jupytermalware.html Observers an update in the Icon switching from Word to PDF. Also, Expert PDF being used as Red Herring installer. **01/06/2020: https://security5magics.blogspot.com/2021/01/jupyter-infostealer-update-** **january-2021.html** **Observes additional lures.** Pulled one of the initial files that gets deleted after running, along with the powershell script that decodes and runs it: [https://app.any.run/tasks/fcd6eeb7-91bb-4e1d-b02d-983bae3786ec#](https://app.any.run/tasks/fcd6eeb7-91bb-4e1d-b02d-983bae3786ec#) [March 2022 App.Any.Run sandbox run/](https://app.any.run/tasks/068fc802-1264-4925-9b72-e6fc91ae82ac/) **Example Observed Lures from google searches:** site:byzcath[.]org "free template" http://byzcath[.]org/nfl-playoff-bracket-excel-spreadsheet ----- site:www.braveheartmarine[.]com free template https://www.braveheartmarine[.]com/free-invoice-template-for-handyman site:prismic-io.s3.amazonaws[.]com "free template" https://prismic-io.s3.amazonaws[.]com/whatsimdb/0fe19bd3-88a8-4ab5-b451d78f1be51ef2_free-bbq-tickets-template-word.pdf site:cdn.shopify[.]com "free template" site:healingwithclarity.com "free template" https://healingwithclarity[.]com/platte-county-warrant-list.pdf site:strikinglycdn.com "free template" https://uploads.strikinglycdn[.]com/files/18aa0685-0e17-4ea4-b308-1a717e293267/freetemplate-for-waiver-of-liability.pdf -----