Analysis
max time kernel: 60s
max time network: 70s
platform: windows10_x64
resource: win10
submitted: 16-10-2020 13:40

Static task: static1

Behavioral task: behavioral1
  Sample: parcel details & receipt.jar
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: parcel details & receipt.jar
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: parcel details & receipt.jar
Size: 132KB
MD5: e7fa5be9d4d2e0f419ba590082059cc8
SHA1: ee4966019ee4482c090f39cf4fa439d8e38a7791
SHA256: 83b429ee91de0bf888c9bdbc25031caa153f90522310b7742843e7dc7abb3859
SHA512: c3037cdc5c91ec126f359b337565820502eba72d5d702d0711984809a4f2bf4ce33de606d9bcb2eb996f73df1676262df41e0af8a28533969409049a294028cd
Score: 10/10
Malware Config
Signatures

QNodeService
  Trojan/stealer written in NodeJS and spread via Java downloader.

Executes dropped EXE (1 IoC)
  pid   Process
  3672  node.exe

JavaScript code in executable (1 IoC)
  resource                                      yara_rule
  behavioral2/files/0x000100000001ad87-168.dat  js

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  3672  node.exe
  3672  node.exe
  3672  node.exe
  3672  node.exe

Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process    procid_target
  PID 3536 wrote to memory of 2120   3536  java.exe   76
  PID 3536 wrote to memory of 2120   3536  java.exe   76
  PID 2120 wrote to memory of 3672   2120  javaw.exe  78
  PID 2120 wrote to memory of 3672   2120  javaw.exe  78
Processes

1. C:\ProgramData\Oracle\Java\javapath\java.exe
   Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\parcel details & receipt.jar"
   PID: 3536
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\07f71e5a.tmp
      PID: 2120
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
         Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain zompast.ddns.net
         PID: 3672
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses

The tree is the Java-downloader stage of QNodeService named in the signatures: the submitted JAR (java.exe, PID 3536) launches a second JAR staged in %TEMP% as 07f71e5a.tmp via javaw.exe (PID 2120), which in turn executes a node.exe dropped under the user profile (node-v14.12.0-win-x64) rather than a system-wide Node.js install. The two WriteProcessMemory pairs in the signatures follow exactly this parent-to-child order (3536 → 2120, 2120 → 3672). The --hub-domain argument, zompast.ddns.net, is the network indicator to hunt for and block; a dynamic-DNS hostname handed to a user-profile node.exe by a Java process is not a pattern a legitimate Node.js deployment produces.
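The process chain above is the detection-worthy pattern in this report. The following Python is an added example, not part of the sandbox report and not code from the QNodeService sample: it takes the three process-creation records from the tree (PIDs, image paths and command lines as the sandbox recorded them; parent links taken from the nesting) plus one constructed benign node.exe record as a negative control, walks each process's ancestry, and flags a node.exe running from a user-writable path whose parents include a Java launcher, pulling out the --hub-domain value as the network indicator. The ProcEvent record shape, the regexes and the "user-writable path" heuristic are my assumptions about how such telemetry would be modelled, not anything the sandbox emits.

```python
"""Flag the Java -> javaw -> node.exe chain from the report above in
process-creation telemetry (added example; the event shape is assumed)."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None when the parent is outside the captured set
    image: str
    cmdline: str


# Constructed from the process tree in the report: PIDs, paths and command
# lines are the sandbox's; parent links follow the tree nesting.  The last
# record is a constructed benign control (a system-wide Node.js install
# started without a Java parent) that must not be flagged.
EVENTS = [
    ProcEvent(3536, None, r"C:\ProgramData\Oracle\Java\javapath\java.exe",
              r'java -jar "C:\Users\Admin\AppData\Local\Temp\parcel details & receipt.jar"'),
    ProcEvent(2120, 3536, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
              r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\07f71e5a.tmp'),
    ProcEvent(3672, 2120, r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe",
              r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain zompast.ddns.net"),
    ProcEvent(4100, None, r"C:\Program Files\nodejs\node.exe",   # constructed, benign
              r'"C:\Program Files\nodejs\node.exe" server.js'),
]

# --hub-domain <host>: the C2 hub argument seen on the dropped node.exe.
HUB_RE = re.compile(r"--hub-domain\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
# -jar pointing into %LOCALAPPDATA%\Temp, with or without surrounding quotes.
TEMP_JAR_RE = re.compile(r'-jar\s+"?[^"]*\\AppData\\Local\\Temp\\[^" ]+', re.IGNORECASE)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_java_launcher(ev: ProcEvent) -> bool:
    return basename(ev.image) in ("java.exe", "javaw.exe")


def runs_temp_jar(ev: ProcEvent) -> bool:
    return bool(TEMP_JAR_RE.search(ev.cmdline))


def is_dropped_node(ev: ProcEvent) -> bool:
    """node.exe executing from under C:\\Users (user-writable) instead of a
    system install location such as Program Files (assumed heuristic)."""
    img = ev.image.lower()
    return basename(img) == "node.exe" and img.startswith("c:\\users\\")


def hub_domain(ev: ProcEvent) -> Optional[str]:
    m = HUB_RE.search(ev.cmdline)
    return m.group(1) if m else None


def ancestors(ev: ProcEvent, by_pid: dict) -> list:
    """Parents from nearest to root, using only the events we have."""
    chain, cur = [], ev
    while cur.ppid is not None and cur.ppid in by_pid:
        cur = by_pid[cur.ppid]
        chain.append(cur)
    return chain


def find_qnodeservice_chains(events) -> list:
    """One finding per dropped node.exe whose ancestry contains a Java launcher."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        if not is_dropped_node(ev):
            continue
        parents = ancestors(ev, by_pid)
        if not any(is_java_launcher(p) for p in parents):
            continue
        findings.append({
            "chain": [p.pid for p in reversed(parents)] + [ev.pid],  # root -> leaf
            "node_path": ev.image,
            "hub_domain": hub_domain(ev),
            "staged_jar_in_temp": any(runs_temp_jar(p) for p in parents),
        })
    return findings


if __name__ == "__main__":
    for finding in find_qnodeservice_chains(EVENTS):
        print(finding)
```

On the report's tree this yields a single finding with chain [3536, 2120, 3672], hub_domain zompast.ddns.net and staged_jar_in_temp true; the benign Program Files node.exe is left alone because it is neither in a user-writable path nor descended from Java. The same walk would also catch a variant that omits the intermediate javaw.exe, since it only requires some Java launcher among the ancestors.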