Analysis
- max time kernel: 51s
- max time network: 113s
- platform: windows10_x64
- resource: win10v200722
- submitted: 17-10-2020 06:34

Static task: static1

Behavioral task: behavioral1
- Sample: IMG_Order1016.jar
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: IMG_Order1016.jar
- Resource: win10v200722 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: IMG_Order1016.jar
- Size: 204KB
- MD5: 5879f6b47ee9f8f02f53a1f51abec06d
- SHA1: b54b62e1af1568983912f944ef01685cf2edb187
- SHA256: fa4a2bfbc569a10517a6f52078cb574bf4038178010b444511c3a57c3ad9132a
- SHA512: 1e3d52948ec09cb8ca8fff4d9aa5db23ca0a22a7686f3cbda2a57537ec356ba948f33529fd6a513f450da4a508801d8fc43815fa6e8a60f48542da04f47c4bb6
- Score: 10/10
Malware Config

Signatures
- QNodeService
  Trojan/stealer written in NodeJS and spread via Java downloader.
- Executes dropped EXE (1 IoC)
  PID 1156, node.exe
- JavaScript code in executable (1 IoC)
  resource: behavioral2/files/0x000100000001ad3f-160.dat, yara_rule: js
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 1156, node.exe (4 events)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                        | pid  | Process   | procid_target
  PID 3952 wrote to memory of 1920   | 3952 | java.exe  | 76
  PID 3952 wrote to memory of 1920   | 3952 | java.exe  | 76
  PID 1920 wrote to memory of 1156   | 1920 | javaw.exe | 77
  PID 1920 wrote to memory of 1156   | 1920 | javaw.exe | 77
Processes
1. C:\ProgramData\Oracle\Java\javapath\java.exe
   Command line: java -jar C:\Users\Admin\AppData\Local\Temp\IMG_Order1016.jar
   PID: 3952
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\60a9e804.tmp
      PID: 1920
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
         Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain qhub55.duckdns.org
         PID: 1156
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
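The process tree above is the whole detection story for this sample: java.exe opens the attachment jar, a second jar is dropped into %TEMP% under a .tmp name and run by javaw.exe, and javaw.exe then launches a node.exe that lives in the user profile rather than Program Files. Note the lone `-` argument to node.exe: `node -` reads its script from stdin, so the NodeJS payload is piped in by the Java stage and never appears on the command line; only `--hub-domain qhub55.duckdns.org` is visible. The following is an added example, not code from the sandbox vendor or from the report: a small set of endpoint rules run over process-creation events. The event records are constructed here to mirror the report's tree (field names follow Sysmon Event ID 1 naming, and the parent of java.exe and the benign node.exe run are invented for contrast); the hub domain and paths come from the report.

```python
import ntpath
import re

# IoC taken from the node.exe command line in the report.
HUB_DOMAIN = "qhub55.duckdns.org"
JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}

# Constructed process-creation events modelled on the report's process tree.
# ParentImage for java.exe and the last (benign) record are assumptions.
SAMPLE_EVENTS = [
    {"ProcessId": 3952, "ParentProcessId": 1000,
     "Image": r"C:\ProgramData\Oracle\Java\javapath\java.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"java -jar C:\Users\Admin\AppData\Local\Temp\IMG_Order1016.jar"},
    {"ProcessId": 1920, "ParentProcessId": 3952,
     "Image": r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
     "ParentImage": r"C:\ProgramData\Oracle\Java\javapath\java.exe",
     "CommandLine": r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\60a9e804.tmp'},
    {"ProcessId": 1156, "ParentProcessId": 1920,
     "Image": r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe",
     "ParentImage": r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
     "CommandLine": r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain qhub55.duckdns.org"},
    # Benign developer activity (constructed) that must not fire.
    {"ProcessId": 4100, "ParentProcessId": 4000,
     "Image": r"C:\Program Files\nodejs\node.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Program Files\nodejs\node.exe" server.js'},
]


def _tokens(cmdline):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def _base(path):
    return ntpath.basename(path.strip('"')).lower()


def check_event(ev):
    """Return the names of the rules that fire on one process-creation event."""
    hits = []
    image = _base(ev["Image"])
    parent = _base(ev.get("ParentImage", ""))
    toks = [t.lower() for t in _tokens(ev["CommandLine"])]

    # Rule 1: java/javaw executing a jar dropped into %TEMP% under a .tmp name
    # (the report's second stage, 60a9e804.tmp).
    if image in JAVA_LAUNCHERS and "-jar" in toks:
        i = toks.index("-jar") + 1
        jar = toks[i] if i < len(toks) else ""
        if "\\appdata\\local\\temp\\" in jar and jar.endswith(".tmp"):
            hits.append("java_jar_from_temp_tmp")

    # Rule 2: node.exe outside Program Files taking its script from stdin ("-"),
    # which hides the payload from command-line logging.
    if (image == "node.exe" and "-" in toks[1:]
            and not ev["Image"].lower().startswith("c:\\program files")):
        hits.append("node_stdin_script_from_user_dir")

    # Rule 3: a Java launcher spawning node.exe (Java downloader -> NodeJS stealer).
    if image == "node.exe" and parent in JAVA_LAUNCHERS:
        hits.append("java_spawns_node")

    # Rule 4: the known hub domain anywhere on the command line.
    if HUB_DOMAIN in ev["CommandLine"].lower():
        hits.append("known_hub_domain")

    return hits


def ancestry(events, pid):
    """Walk ParentProcessId links and return image basenames from root to pid."""
    by_pid = {e["ProcessId"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(_base(by_pid[pid]["Image"]))
        pid = by_pid[pid]["ParentProcessId"]
    return list(reversed(chain))


def scan(events):
    """Map each PID that fires at least one rule to the rules it fired."""
    findings = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            findings[ev["ProcessId"]] = hits
    return findings


if __name__ == "__main__":
    for pid, rules in scan(SAMPLE_EVENTS).items():
        print(pid, " -> ".join(ancestry(SAMPLE_EVENTS, pid)), rules)
```

Rules 2 and 3 are the ones worth keeping once the hub domain rotates: a Node runtime unpacked into a user profile and fed a script on stdin by a Java process is unusual on a workstation, whereas the DuckDNS name is a single-sample indicator.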