December 22, 2020 Jupyter Malware observations

Just a quick update: I've been hunting this malware for a bit. You can find details on it in my previous post or in the write-ups from Morphisec and Red Canary.

Today, using the same methodology I typically use, I did a Google hunt: (site:cdn.shopify.com "free-tempalte"). This often yields some results; it used to turn up more live results with (site:sites.google.com), but those seem to be dead lately.

I quickly found one called "Hole in One Certificate Template Free":

hxxps://cdn[.]shopify[.]com/s/files/1/0499/5570/0887/files/hole-in-one-certificate-template-free[.]pdf?v=1602361119

I notice a lot of these, maybe all of them, have the pdf?v=[0-9]+ pattern. This appears to be Shopify's standard ?v=<unix timestamp> cache-busting parameter on hosted files, so it is not an indicator on its own, though the timestamp does date the upload.

I was hoping to find some new samples; many I've found lately led to the same EXE and, incidentally, the same DLL and C2.

Today, however, I found a new sample. It mostly runs the same, but this time the icon hash no longer mimics WinWord; it mimics an Adobe PDF icon. It still uses padding to inflate the file size, and it still drops obfuscated PowerShell and the solarmarker.dat file. With that, here are the most recent indicators and hunting techniques.

C2: 195.54.161[.]83

Domains/Redirects:

porcheddie[.]site
leholmudicatu[.]tk
noetopespeti[.]tk
xanagungeantwerra[.]tk
pubpipetekbio[.]tk
tracesnovmusi[.]tk
alunflirastu[.]tk
anewexca[.]gq
diromgfx[.]com

VT Hunting:

main_icon_dhash:b2b29696969ef66a
signature:"Ahkaawari Conisumi Jp. Ltd.                                 "
main_icon_dhash:943a8c3333001100
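The two main_icon_dhash values above are difference hashes (dHash) of the PE's main icon, which is what makes them useful for pivoting: a lookalike icon hashes to a nearby value rather than an identical one. The following is an added example, not code from the original post, that computes a dHash over a 9x8 grayscale thumbnail and ranks known hashes by Hamming distance. It assumes the usual dHash layout (9 columns, 8 rows, bit set when the left pixel is brighter than its right neighbour); the exact resampling VirusTotal applies before hashing is not documented here, so hashes computed locally should be treated as near matches. The sample grid, the Pillow-based helper, and the 10-bit threshold are assumptions for the example.

```python
# Added example, not code from the original post: a difference hash (dHash) of the
# kind VirusTotal's main_icon_dhash modifier is built from, plus a Hamming-distance
# near-match check for pivoting on lookalike icons. Assumptions: VT's exact
# resampling before hashing is not documented here, so treat locally computed
# hashes as near matches; the sample grid below is constructed for the example.

from typing import List, Sequence

HASH_W, HASH_H = 9, 8  # 9 columns give 8 adjacent-pixel comparisons per row, 64 bits total


def dhash_from_gray(rows: Sequence[Sequence[int]]) -> str:
    """dHash of a 9x8 grayscale grid as a 16-hex-digit string.

    Bit (r, c) is 1 when pixel[r][c] is brighter than pixel[r][c+1];
    bits are packed row-major, most significant first.
    """
    if len(rows) != HASH_H or any(len(r) != HASH_W for r in rows):
        raise ValueError("expected a %dx%d grayscale grid" % (HASH_W, HASH_H))
    bits = 0
    for row in rows:
        for c in range(HASH_W - 1):
            bits = (bits << 1) | (1 if row[c] > row[c + 1] else 0)
    return "%016x" % bits


def dhash_from_icon_file(path: str) -> str:
    """dHash of an already-extracted icon (.ico/.png) via Pillow (imported lazily)."""
    from PIL import Image  # assumption: Pillow is installed when this path is used
    img = Image.open(path).convert("L").resize((HASH_W, HASH_H), Image.LANCZOS)
    px = list(img.getdata())
    rows = [px[r * HASH_W:(r + 1) * HASH_W] for r in range(HASH_H)]
    return dhash_from_gray(rows)


def hamming_distance(h1: str, h2: str) -> int:
    """Number of differing bits between two hex dHash strings."""
    return bin(int(h1, 16) ^ int(h2, 16)).count("1")


def near_matches(candidate: str, known: Sequence[str], max_distance: int = 10) -> List[str]:
    """Known hashes within max_distance bits of candidate, closest first."""
    close = [(hamming_distance(candidate, k), k) for k in known]
    return [k for d, k in sorted(close) if d <= max_distance]


# Indicators from the post: the WinWord-mimicking icon and the Adobe PDF-mimicking icon.
KNOWN_ICON_DHASHES = ["b2b29696969ef66a", "943a8c3333001100"]

# Constructed 9x8 sample: rows alternate ascending/descending brightness,
# so even rows hash to 0x00 and odd rows to 0xff.
SAMPLE_ICON = [
    list(range(0, 255, 28))[:HASH_W] if r % 2 == 0 else list(range(255, 0, -28))[:HASH_W]
    for r in range(HASH_H)
]

if __name__ == "__main__":
    h = dhash_from_gray(SAMPLE_ICON)
    print("sample dhash:", h)
    print("distance between the two icon families on the page:",
          hamming_distance(*KNOWN_ICON_DHASHES))
    print("near matches for sample:", near_matches(h, KNOWN_ICON_DHASHES))
```

Run against the two hashes listed above, hamming_distance comes to 31 of 64 bits, so the PDF-mimicking icon is nowhere near the WinWord-mimicking one; a new sample whose icon lands within roughly 10 bits of either is worth pulling. Extracting the main icon from a PE into an .ico first is left to whichever tool you already use for that.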

Hashes:

64e378a0aebee41c5a438694fccc6188
f5f0ddaaa5eb7bfe910fd6f6f57c2ae3

Sample: https://www.virustotal.com/gui/file/93d061f325a54ce5bd6ac9ced7b3c8b36514a8fe5068cce94b33494a971556ef

Interesting Strings From HTM Redirect:

Soft+ware+to++unble+

eval(function(h,u,n,t,e,r)

decodeURIComponent(escape(r)
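The three strings above are what to grep for in captured redirect pages: the eval(function(h,u,n,t,e,r) prologue and the decodeURIComponent(escape( decoder call identify the JavaScript packer, and the '+'-joined fragments hide plain words from naive string searches. The following is an added example, not code from the original post, that scans HTML for those markers and collapses the '+' runs before matching. The sample HTML is constructed for the test, and the assumption that "Soft+ware" is a concatenation fragment of "Software" is mine; the page shows only the fragment.

```python
# Added example, not code from the original post: flag HTM redirect pages carrying
# the strings the post lists. The sample HTML below is constructed; the marker
# list comes from the post, and '+' runs are collapsed before matching because
# that split is what keeps the plain word out of simple string searches.

import re
from typing import List

# Literal markers quoted in the post (packer prologue and its decoder call).
MARKERS = [
    "eval(function(h,u,n,t,e,r)",
    "decodeURIComponent(escape(",
]

# Words the post saw broken up with '+' ("Soft+ware+to++unble+"). Assumption:
# these are concatenation fragments, so we match on the joined form.
PLUS_SPLIT_WORDS = ["Software"]

PLUS_RUN_RE = re.compile(r"\++")


def normalise_plus_split(text: str) -> str:
    """Collapse runs of '+' so 'Soft+ware+to++unble+' reads as 'Softwaretounble'."""
    return PLUS_RUN_RE.sub("", text)


def scan_htm(html: str) -> List[str]:
    """Return the indicators found in an HTM page, literal markers first."""
    hits = [m for m in MARKERS if m in html]
    joined = normalise_plus_split(html)
    for word in PLUS_SPLIT_WORDS:
        # Only flag the word when it appears split: present after joining, absent before.
        if word in joined and word not in html:
            hits.append("plus-split:" + word)
    return hits


def is_suspicious(html: str, min_hits: int = 2) -> bool:
    """Require more than one indicator so a lone decodeURIComponent call is not enough."""
    return len(scan_htm(html)) >= min_hits


# Constructed sample redirect page; the packed body is omitted on purpose.
SAMPLE_HTM = (
    "<html><body><script>\n"
    "var s = 'Soft+ware+to++unble+';\n"
    "eval(function(h,u,n,t,e,r){ /* packed body omitted in this constructed sample */ }"
    "('', 0, '', 0, 0, 0));\n"
    "document.write(decodeURIComponent(escape(r)));\n"
    "</script></body></html>\n"
)

# Constructed benign page: a '+' in ordinary arithmetic must not trigger anything.
BENIGN_HTM = "<html><body><script>var x = 1 + 2;</script></body></html>\n"

if __name__ == "__main__":
    for name, page in [("sample", SAMPLE_HTM), ("benign", BENIGN_HTM)]:
        print(name, scan_htm(page), "suspicious" if is_suspicious(page) else "clean")
```

The scan is deliberately literal: it flags the packer by its fixed prologue rather than trying to unpack it, which is enough to triage a directory of saved redirect pages before spending time on the one that matters.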
