First, the initial malicious executable injects the primary component, typically named "d.m." This serves as a stager on the victim host for command and control (C2) communications and further malicious actions. The second component, commonly referred to as "Jupyter," was observed being injected by the stager and possesses browser form and other information-stealing capabilities. Another secondary module, named "Uran" (likely in reference to Uranus), is a keylogger and was discovered on some of the older campaign infrastructure. Uran was previously undiscovered despite deep analysis on Solarmarker and the Jupyter module.

To provide a more comprehensive description of Solarmarker, we'll break down known and unreported modules. Information regarding coverage and defense is detailed at the end of this blog post.

The staging component of Solarmarker serves as the central execution hub, facilitating initial communications with the C2 servers and enabling other malicious modules to be dropped onto the victim host. Within our observed data, the stager is deployed as a .NET assembly named "d" with a single executing class named "m" (referred to jointly in this analysis as "d.m"). On execution, the malware extracts a number of files to the victim host's "AppData\Local\Temp" directory, including a TMP file with the same name as the original downloaded file and a PowerShell script file (PS1), from which the rest of the execution chain spawns. The process executing the TMP file issues a PowerShell command that loads the content of the dropped PS1 script and runs it before deleting the loaded file.

The resulting binary blob is then decoded by XORing its byte array with a hardcoded key and injected into memory through reflective assembly loading. The "run" method of the contained module "d.m" is then called to complete the initial infection. The module "d.m" acts as a system profiler and staging ground for additional action by the actor. One particularly interesting operation (as well as the namesake of the campaign) is the file write of "AppData\Roaming\solarmarker.dat," which serves as a victim host identification tag. When the class method "GetHWID" is called, the sample checks whether "solarmarker.dat" already exists on the host. If it does not, a randomly generated 32-character string is written to the file "solarmarker.dat" at that path. It should be noted that some of the older variants of Solarmarker don't actually use this file for storing the victim ID and instead use varying forms of concatenating and encoding the collected system information strings. The newly created or existing string is then returned as the value for the "hwid" field in a JSON object that also contains fields for collected system information. This object is subsequently encoded by XORing the byte array with a hardcoded key, similar to how the first-stage PowerShell script constructed the malicious DLL. The resulting byte array is then further encoded in base64 in preparation for transmission to a hardcoded C2 IP address - 45.135.232.131 at the time in many of our samples - through HTTP POST requests. The stager also possesses the ability to remotely receive execution commands, either by dropping new PS1 or PE files onto the victim system in the "\AppData\Local\Temp\" directory with a filename of 24 randomly generated alphanumeric characters and executing them through PowerShell or process hollowing, or by directly receiving PowerShell text commands.

The Jupyter information stealer is Solarmarker's second most-dropped module. During the execution of many of the Solarmarker samples, we observed the C2 sending an additional PS1 payload to the victim host. Responses from the C2 are encoded in the same manner as the JSON object containing the victim's system information. After reversing the base64 and XOR encoding, the stager writes this byte stream to a PS1 file on disk, runs it, and subsequently deletes the file. This new PowerShell script contains a base64-encoded .NET DLL, which was also injected into memory.

Decompiled source of one version of the Jupyter DLLs.

Analysis of the DLL module, named "Jupyter," shows that it contains capabilities to steal personal information, credentials, and form submission values from the victim's Firefox and Chrome installation and user directories. Like the "d.m" DLL, this module sends information to its C2 server through HTTP POST requests, using a similarly encoded JSON stream containing additional system information and stolen data. However, the previous version of the Jupyter DLL we analyzed opts to use a hardcoded domain, "vincentolifecom" in one case, rather than the same hardcoded IP address as the stager component.
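The stager's beacon format described in this post (a JSON object carrying an "hwid" field and system information, XORed with a hardcoded key and then base64-encoded for an HTTP POST) and the identically encoded C2 response can be unpacked for offline analysis with a short decoder. The following is an added example for analysts, not code from this post or from the malware; the XOR key, the JSON field names and the sample bodies are constructed placeholders, since the real key is sample-specific and has to be recovered from the decompiled DLL.

```python
"""Decode Solarmarker-style stager traffic for analysis.

Added example, not code from the Talos post or from the malware. The stager
serialises collected system information plus an "hwid" field to JSON, XORs
the bytes with a hardcoded key, then base64-encodes the result for an HTTP
POST; C2 responses use the same encoding. ASSUMPTION: the key, field names
and sample bodies below are placeholders, not values from any real sample.
"""
import base64
import json

ASSUMED_XOR_KEY = b"placeholder-key-not-from-a-sample"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so the same
    function both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_beacon(post_body: str, key: bytes) -> dict:
    """Reverse the stager's JSON -> XOR -> base64 layering of a POST body."""
    plain = xor_bytes(base64.b64decode(post_body), key)
    return json.loads(plain.decode("utf-8"))


def decode_c2_response(body: str, key: bytes) -> str:
    """C2 responses are encoded the same way; the stager writes the decoded
    text to a .ps1 file and runs it. Return the text for offline review."""
    return xor_bytes(base64.b64decode(body), key).decode("utf-8")


def hwid_is_file_backed(hwid: str) -> bool:
    """Newer variants write a random 32-character alphanumeric string to
    solarmarker.dat and report it as "hwid"; older variants derive the value
    from concatenated system strings instead. True means the reported value
    has the shape of the file-backed ID."""
    return len(hwid) == 32 and hwid.isalnum()


# --- constructed sample traffic, built with the same reversible encoding ---
SAMPLE_PROFILE = {
    "hwid": "A1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6",   # constructed, 32 alphanumerics
    "os": "Windows 10 Pro",                       # constructed field
    "user": "analyst",                            # constructed field
}
SAMPLE_BEACON = base64.b64encode(
    xor_bytes(json.dumps(SAMPLE_PROFILE).encode("utf-8"), ASSUMED_XOR_KEY)
).decode("ascii")
SAMPLE_RESPONSE = base64.b64encode(
    xor_bytes(b"Write-Host 'constructed placeholder, not a real payload'",
              ASSUMED_XOR_KEY)
).decode("ascii")


if __name__ == "__main__":
    profile = decode_beacon(SAMPLE_BEACON, ASSUMED_XOR_KEY)
    print("beacon fields:", sorted(profile))
    print("file-backed hwid:", hwid_is_file_backed(profile["hwid"]))
    print("response script:", decode_c2_response(SAMPLE_RESPONSE, ASSUMED_XOR_KEY))
```

On a real capture, feed `decode_beacon` the raw POST body and `decode_c2_response` the response body with the key lifted from the sample; because the response is what the stager writes to disk and executes, decoding it from the network capture gives the analyst the dropped PS1 even when the file has already been deleted from Temp.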
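Several of the host artifacts described in this post (the write of AppData\Roaming\solarmarker.dat, dropped PS1/PE files in AppData\Local\Temp named with 24 random alphanumeric characters, and PowerShell launching a script out of that Temp directory) translate directly into endpoint telemetry checks. The script below is an added example, not this post's or Talos' coverage content; the pipe-delimited event format and every event line are constructed for the example, and the rules encode only the indicators stated above.

```python
"""Triage endpoint events for the Solarmarker stager artifacts described
in the post. Added example; not Talos' coverage or detection content.
The pipe-delimited event format (time|event|user|path|cmdline) and all
event lines are constructed for this example.
"""
import re
from typing import Dict, List

# Host artifacts stated in the analysis (no other indicators are assumed):
#  1. victim-ID file written to AppData\Roaming\solarmarker.dat
#  2. dropped PS1/PE files in AppData\Local\Temp named with exactly
#     24 random alphanumeric characters
#  3. PowerShell executing a .ps1 from AppData\Local\Temp
RANDOM24_TEMP_DROP = re.compile(
    r"\\AppData\\Local\\Temp\\[A-Za-z0-9]{24}\.(?:ps1|exe)$", re.IGNORECASE)
POWERSHELL_TEMP_PS1 = re.compile(
    r"\\AppData\\Local\\Temp\\[^\s\"']+\.ps1", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed event line into its five fields."""
    time, event, user, path, cmdline = line.split("|", 4)
    return {"time": time, "event": event, "user": user,
            "path": path, "cmdline": cmdline}


def match_rules(ev: Dict[str, str]) -> List[str]:
    """Return the names of every indicator this single event satisfies."""
    hits = []
    if ev["event"] == "FileCreate":
        if ev["path"].lower().endswith(r"\appdata\roaming\solarmarker.dat"):
            hits.append("solarmarker_dat_write")    # high-fidelity, newer variants
        if RANDOM24_TEMP_DROP.search(ev["path"]):
            hits.append("random24_temp_drop")       # heuristic, name shape only
    elif ev["event"] == "ProcessCreate":
        image = ev["path"].lower().rsplit("\\", 1)[-1]
        if image.startswith("powershell") and POWERSHELL_TEMP_PS1.search(ev["cmdline"]):
            hits.append("powershell_temp_ps1")      # heuristic, common in stagers
    return hits


def triage(lines: List[str]) -> List[Dict[str, str]]:
    """Run every rule over every event; one alert per (event, rule) pair."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for rule in match_rules(ev):
            alerts.append({"rule": rule, "time": ev["time"],
                           "user": ev["user"], "path": ev["path"]})
    return alerts


# Constructed telemetry: one infected user (alice) and one benign user (bob).
CONSTRUCTED_EVENTS = [
    r"2021-07-01T10:00:01|FileCreate|alice|C:\Users\alice\AppData\Roaming\solarmarker.dat|",
    r"2021-07-01T10:00:02|FileCreate|alice|C:\Users\alice\AppData\Local\Temp\aB3dE6gH9jK2mN5pQ8sT1vW4.ps1|",
    r"2021-07-01T10:00:03|ProcessCreate|alice|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    r"|powershell.exe -File C:\Users\alice\AppData\Local\Temp\aB3dE6gH9jK2mN5pQ8sT1vW4.ps1",
    r"2021-07-01T10:05:00|FileCreate|bob|C:\Users\bob\AppData\Local\Temp\setup.tmp|",
    r"2021-07-01T10:06:00|ProcessCreate|bob|C:\Windows\System32\notepad.exe|notepad.exe C:\Users\bob\notes.txt",
]

if __name__ == "__main__":
    for alert in triage(CONSTRUCTED_EVENTS):
        print(alert)
```

The solarmarker.dat rule is the specific one, but the post notes that older variants never write that file, so the two Temp-directory heuristics are what catch those; on their own they will also fire on legitimate installers that drop scripts in Temp, so treat them as triage leads to correlate with the C2 POST traffic rather than as stand-alone alerts.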