Analysis

  • max time kernel: 39s
  • max time network: 70s
  • platform: windows10_x64
  • resource: win10v200722
  • submitted: 16-10-2020 18:59

General

  • Target: NewOrder01620202.jar
  • Size: 261KB
  • MD5: f8b9911f31c3d8554ff1859299d016d3
  • SHA1: 43217fbd7359a334d901a67a39bf4b4d7d34ddfe
  • SHA256: 59564ac8d8fde645901bda68dd8589c797b55fde0992f032b7df3529a1456e61
  • SHA512: 46f2af9cbb99191adaa7fd2859e8dd3dc6ff44751d4d37486c1d227b72d320a112939b8b5fc61ad011303a9f4d6d55a4838b6d9e36b4f54f93a4ab0701c4b2f2

Score
10/10

Signatures

  • QNodeService

    Trojan/stealer written in Node.js and spread via a Java downloader.

  • Executes dropped EXE (1 IoC)
  • JavaScript code in executable (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\NewOrder01620202.jar
    • Suspicious use of WriteProcessMemory
    PID: 728
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\da6cc72e.tmp
      • Suspicious use of WriteProcessMemory
      PID: 2840
      • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
        C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain qhub55.duckdns.org
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID: 3640

Downloads

  • memory/3640-167-0x00000304F3640000-0x00000304F3641000-memory.dmp (Filesize: 4KB)