Analysis
- max time kernel: 39s
- max time network: 70s
- platform: windows10_x64
- resource: win10v200722
- submitted: 16-10-2020 18:59
Static task: static1

Behavioral task: behavioral1
- Sample: NewOrder01620202.jar
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: NewOrder01620202.jar
- Resource: win10v200722 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: NewOrder01620202.jar
- Size: 261KB
- MD5: f8b9911f31c3d8554ff1859299d016d3
- SHA1: 43217fbd7359a334d901a67a39bf4b4d7d34ddfe
- SHA256: 59564ac8d8fde645901bda68dd8589c797b55fde0992f032b7df3529a1456e61
- SHA512: 46f2af9cbb99191adaa7fd2859e8dd3dc6ff44751d4d37486c1d227b72d320a112939b8b5fc61ad011303a9f4d6d55a4838b6d9e36b4f54f93a4ab0701c4b2f2
- Score: 10/10
Malware Config

Signatures
- QNodeService
  Trojan/stealer written in NodeJS and spread via Java downloader.
- Executes dropped EXE (1 IoC)
    pid   Process
    3640  node.exe
- JavaScript code in executable (1 IoC)
    resource                                      yara_rule
    behavioral2/files/0x000100000001ad45-165.dat  js
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
    pid   Process
    3640  node.exe
    3640  node.exe
    3640  node.exe
    3640  node.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
    description                       pid   Process    procid_target
    PID 728 wrote to memory of 2840   728   java.exe   74
    PID 728 wrote to memory of 2840   728   java.exe   74
    PID 2840 wrote to memory of 3640  2840  javaw.exe  78
    PID 2840 wrote to memory of 3640  2840  javaw.exe  78
Processes
1. C:\ProgramData\Oracle\Java\javapath\java.exe
   Command line: java -jar C:\Users\Admin\AppData\Local\Temp\NewOrder01620202.jar
   - Suspicious use of WriteProcessMemory
   PID: 728
   2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\da6cc72e.tmp
      - Suspicious use of WriteProcessMemory
      PID: 2840
      3. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
         Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain qhub55.duckdns.org
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         PID: 3640