Analysis

  • max time kernel
    51s
  • max time network
    113s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    17-10-2020 06:34

General

  • Target
    IMG_Order1016.jar
  • Size
    204KB
  • MD5
    5879f6b47ee9f8f02f53a1f51abec06d
  • SHA1
    b54b62e1af1568983912f944ef01685cf2edb187
  • SHA256
    fa4a2bfbc569a10517a6f52078cb574bf4038178010b444511c3a57c3ad9132a
  • SHA512
    1e3d52948ec09cb8ca8fff4d9aa5db23ca0a22a7686f3cbda2a57537ec356ba948f33529fd6a513f450da4a508801d8fc43815fa6e8a60f48542da04f47c4bb6

Score
10/10

Malware Config

Signatures

  • QNodeService

    Trojan/stealer written in Node.js and spread via a Java downloader.

  • Executes dropped EXE (1 IoC)
  • JavaScript code in executable (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\IMG_Order1016.jar
    PID: 3952 (tree level 1)
    • Suspicious use of WriteProcessMemory
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\60a9e804.tmp
      PID: 1920 (tree level 2)
      • Suspicious use of WriteProcessMemory
      • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
        C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain qhub55.duckdns.org
        PID: 1156 (tree level 3)
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
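
The process tree above is the detection opportunity: a stock Java runtime (java.exe, then javaw.exe) ends up launching a node.exe that was dropped into the user profile rather than installed under Program Files, and the Node.js command line is `node - --hub-domain <host>`. In the Node.js CLI a bare `-` means "read the script from stdin", so the JavaScript payload is piped in by the Java loader and the remaining arguments (`--hub-domain qhub55.duckdns.org`) are handed to that script via process.argv. The following is an added example, not part of the sandbox report or of any vendor's product: Python detection logic run over constructed Sysmon Event ID 1 style process-creation records that mirror this tree plus two benign launches. The record layout, the PIDs of the benign events and the parent PID 2400 are assumptions chosen for the sample; the reason labels are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    pid: int
    ppid: int
    image: str
    command_line: str


# Constructed sample telemetry modelled on the process tree in this report,
# plus two benign Node.js / Java launches as negative cases. Not real logs;
# PID 2400 stands in for an unrelated parent (e.g. explorer.exe).
SAMPLE_EVENTS: List[ProcEvent] = [
    ProcEvent(3952, 2400, r"C:\ProgramData\Oracle\Java\javapath\java.exe",
              r"java -jar C:\Users\Admin\AppData\Local\Temp\IMG_Order1016.jar"),
    ProcEvent(1920, 3952, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
              r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\60a9e804.tmp'),
    ProcEvent(1156, 1920, r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe",
              r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain qhub55.duckdns.org"),
    # benign: developer runs node from its installed location on a script file
    ProcEvent(5000, 2400, r"C:\Program Files\nodejs\node.exe",
              r'"C:\Program Files\nodejs\node.exe" server.js'),
    # benign: Java application started from Program Files, no node.exe child
    ProcEvent(5100, 2400, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
              r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Tools\app.jar'),
]

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\", re.IGNORECASE)
TOKEN = re.compile(r'"[^"]*"|\S+')


def tokens(command_line: str) -> List[str]:
    """Split a Windows command line into arguments, dropping surrounding quotes."""
    return [t.strip('"') for t in TOKEN.findall(command_line)]


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(events: List[ProcEvent], pid: int) -> List[ProcEvent]:
    """Walk parent links, child first; stops at unknown PIDs or PID-reuse loops."""
    by_pid = {e.pid: e for e in events}
    chain: List[ProcEvent] = []
    seen = set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain


def hub_domain(command_line: str) -> Optional[str]:
    """Return the value following --hub-domain, if present (the C2 hub host)."""
    args = tokens(command_line)
    for i, a in enumerate(args):
        if a == "--hub-domain" and i + 1 < len(args):
            return args[i + 1]
    return None


def node_launch_reasons(events: List[ProcEvent], e: ProcEvent) -> List[str]:
    """Checks applied to a single node.exe launch; empty list means no finding."""
    reasons: List[str] = []
    if basename(e.image) != "node.exe":
        return reasons
    args = tokens(e.command_line)[1:]
    # `node -` reads the script body from stdin, so no .js file is written to disk
    if "-" in args:
        reasons.append("script-from-stdin")
    if hub_domain(e.command_line) is not None:
        reasons.append("hub-domain-arg")
    if USER_WRITABLE.match(e.image):
        reasons.append("node-binary-in-user-profile")
    parents = {basename(p.image) for p in ancestry(events, e.pid)[1:]}
    if parents & {"java.exe", "javaw.exe"}:
        reasons.append("spawned-by-java")
    return reasons


def analyze(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map PID -> reasons for every node.exe launch that trips at least one check."""
    findings: Dict[int, List[str]] = {}
    for e in events:
        reasons = node_launch_reasons(events, e)
        if reasons:
            findings[e.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_EVENTS).items():
        chain = " <- ".join(basename(p.image) for p in ancestry(SAMPLE_EVENTS, pid))
        print(f"PID {pid}: {', '.join(reasons)} [{chain}]")
```

Any one of these reasons on its own is weak (developers pipe scripts into node, Java build tools spawn node), which is why the checks are reported together rather than as separate alerts; the combination of a Java ancestry, a node.exe outside its installed location and a stdin-fed script with a `--hub-domain` argument is what matches this loader. The extracted hub domain is the value to pivot on in DNS and proxy logs.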

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1156-162-0x00000197EF700000-0x00000197EF701000-memory.dmp
    Filesize: 4KB