Analysis

  • max time kernel
    108s
  • max time network
    111s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    13-10-2020 05:17

General

  • Target

    PROPERTY DESIGNS.jar

  • Size

    463KB

  • MD5

    40e02d493aca746150f7c1b93b6d3ec7

  • SHA1

    59c16f093953ec650f8d40abddf42fa1a8c5576e

  • SHA256

    e2af2abfd29faf04991e4106528a65260c8173c06b756c124399ee955bec08c1

  • SHA512

    f7be6768ae7f772f4455e423f766fdbd80ed9a628be15dfae05e78a5d91790a2922838c15f9cf185bb58d3bf29e8e248c5fb0e8c909e9cd311b1c690908494db

Malware Config

Signatures

  • QNodeService

    Trojan/stealer written in NodeJS and spread via Java downloader.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • JavaScript code in executable 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 6 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar "C:\Users\Admin\AppData\Local\Temp\PROPERTY DESIGNS.jar"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\7c653b37.tmp
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1776
      • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
        C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain localhost --hub-domain wgloomlozs.hopto.org
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1164
        • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
          C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_gSbwIZ\boot.js --hub-domain localhost --hub-domain wgloomlozs.hopto.org
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3268
          • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
            C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_gSbwIZ\boot.js --hub-domain localhost --hub-domain wgloomlozs.hopto.org
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:1188
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "7366fb72-5dc0-4232-a593-e5d5eafc2b61" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2308
              • C:\Windows\system32\reg.exe
                REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "7366fb72-5dc0-4232-a593-e5d5eafc2b61" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
                7⤵
                • Adds Run key to start application
                PID:1296
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "7366fb72-5dc0-4232-a593-e5d5eafc2b61" /F"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2756
              • C:\Windows\system32\reg.exe
                REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "7366fb72-5dc0-4232-a593-e5d5eafc2b61" /F
                7⤵
                PID:2628

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence: Registry Run Keys / Startup Folder (T1060), 1
  • Defense Evasion: Modify Registry (T1112), 1
  • Credential Access: Credentials in Files (T1081), 1
  • Discovery: Query Registry (T1012), 1
  • Discovery: System Information Discovery (T1082), 1
  • Collection: Data from Local System (T1005), 1

Downloads

    • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
      MD5

      d41d8cd98f00b204e9800998ecf8427e

      SHA1

      da39a3ee5e6b4b0d3255bfef95601890afd80709

      SHA256

      e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

      SHA512

      cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    • C:\Users\Admin\AppData\Local\Temp\7c653b37.tmp
      MD5

      40e02d493aca746150f7c1b93b6d3ec7

      SHA1

      59c16f093953ec650f8d40abddf42fa1a8c5576e

      SHA256

      e2af2abfd29faf04991e4106528a65260c8173c06b756c124399ee955bec08c1

      SHA512

      f7be6768ae7f772f4455e423f766fdbd80ed9a628be15dfae05e78a5d91790a2922838c15f9cf185bb58d3bf29e8e248c5fb0e8c909e9cd311b1c690908494db

    • C:\Users\Admin\AppData\Local\Temp\_qhub_node_gSbwIZ\boot.js
      MD5

      3859487feb5152e9d1afc4f8cd320608

      SHA1

      7bf154c9ddf3a71abf15906cdb60773e8ae07b62

      SHA256

      8d19e156776805eb800ad47f85ff36b99b8283b721ebab3d47a16e2ae597fe13

      SHA512

      826a1b3cd08e4652744a975153448288dd31073f60471729b948d7668df8e510fa7b0c6dcd63636043850364bf3cd30c1053349d42d08f8ec7c4a0655188fab8

    • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
      MD5

      f0b11a5823c45fc2664e116dc0323bcb

      SHA1

      612339040c1f927ec62186cd5012f4bb9c53c1b9

      SHA256

      16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99

      SHA512

      0e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac

    • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
      MD5

      f0b11a5823c45fc2664e116dc0323bcb

      SHA1

      612339040c1f927ec62186cd5012f4bb9c53c1b9

      SHA256

      16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99

      SHA512

      0e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac

    • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
      MD5

      f0b11a5823c45fc2664e116dc0323bcb

      SHA1

      612339040c1f927ec62186cd5012f4bb9c53c1b9

      SHA256

      16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99

      SHA512

      0e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac

    • \Users\Admin\AppData\Local\Temp\1188-17a42ad825eb1bc3.node
      MD5

      f1c9cde23537dc338fb765f2c125f994

      SHA1

      6f290977d6e0666c4798b4bc17f640a18598a772

      SHA256

      8f73b3d91365fc1a09da9e8029a47f8ad5dd24d0dab03b01cd50de5806c8fb6b

      SHA512

      1bbdd3e50d4bcd09ca8e107596497ff3b20d82d728d485ca6eb1ee8660de0c3f4fe24dcc1657f2f59bc4f99fa2ddd525a0446eaed7999ed23b34fe8963750307

    • \Users\Admin\AppData\Local\Temp\1188-369b0ad7a9be82d3.node
      MD5

      911a4b53a8ffd6e01c0196c682f06a49

      SHA1

      5d0a4de0f72eede786da60fe49620e27b35d388d

      SHA256

      f39651fc570f90b0c01655c61c80c3956c6f6c54df5aa8e0aae626f2cb718008

      SHA512

      f2081eb8821f8289fdb1e907073a58381212af4872a6759c55f73667eba532bccea1e9f5695a31680708bf62e1b6da08f9e6bb21e1fec9db08ae81db57a9e6ea

    • \Users\Admin\AppData\Local\Temp\1188-4587c35f1285a35f.node
      MD5

      87f2661da9a09dc36a1e39b53692e172

      SHA1

      fc6a37bfcd72d7d70a3afb6fbd752bf1e0b0990f

      SHA256

      7d2532530cd09d589348e1d6c2a46af4d3de73ee72941a4ee5b65cd21c17ddea

      SHA512

      7187b2761245b470f4dbdbaa258e8d3cc1f2491bea2f7649212d8abcef1ccfb4c4b7fe4d0a37ca47840dd21eea9d799c94367af43c98027ba6f1247162a9e713

    • \Users\Admin\AppData\Local\Temp\1188-78ad011080742590.node
      MD5

      df45601340083518d8bcc10ec848460b

      SHA1

      8613d6ab3040d57d241ed4a466c1fffb1b12455b

      SHA256

      eebfd03defaa0965393ebde5cd45a982dda75c82d5205a702f88deec660723ed

      SHA512

      0e1e14dd82119dc822dccc4da4d64cce62a7796ec1157defa97b4bc29d767d164e6ef65861448b24c4972cc3919bf1583518ba725757c0f96af47a942380cd41

    • \Users\Admin\AppData\Local\Temp\1188-98b08082c62305e6.node
      MD5

      ee6e80bab410c751c935e6175acf8b5c

      SHA1

      c44cad6425db5c9c86351f9f9f7b019b876db528

      SHA256

      dd3bd6107fb87be3c34985df2a8a0645fa7a89172d23ddb66fec64c3236a1af3

      SHA512

      c654c44cfe115a9c4f9eaf6ed4207511c17dc4eeb00441c2be6413d0a16c348fce0dcf282f2b9132948150e3541d248edd62b2e055a1cd902f80b9a67d2e1d77

    • \Users\Admin\AppData\Local\Temp\1188-e60b063fc8833b6a.node
      MD5

      2e20508eac344dfead52bdc25b73a7fb

      SHA1

      c2918d63d3c0f14dce0552530ef0793f3a76bfa7

      SHA256

      500e8c83a3d455c26d20fb32e02c26a47a6c7fa906ce2c0491729b731906ac98

      SHA512

      25f8c95eb38a39e7ea60145e598f8e00b3b4c61f9ef6ae1689d3be16da7bd7c0d57a55d0d06a8402af694be880408ca6ef01829b79d9768d09967db5e3a2b8de

    • memory/1164-171-0x000002ED10E80000-0x000002ED10E81000-memory.dmp
      Filesize

      4KB

    • memory/1164-167-0x0000000000000000-mapping.dmp
    • memory/1188-178-0x000003B408D80000-0x000003B408D81000-memory.dmp
      Filesize

      4KB

    • memory/1188-176-0x0000000000000000-mapping.dmp
    • memory/1296-180-0x0000000000000000-mapping.dmp
    • memory/1776-50-0x0000000000000000-mapping.dmp
    • memory/2308-179-0x0000000000000000-mapping.dmp
    • memory/2628-188-0x0000000000000000-mapping.dmp
    • memory/2756-187-0x0000000000000000-mapping.dmp
    • memory/3268-174-0x000002D1D7D80000-0x000002D1D7D81000-memory.dmp
      Filesize

      4KB

    • memory/3268-172-0x0000000000000000-mapping.dmp