Analysis
-
max time kernel
26s -
max time network
112s -
platform
windows10_x64 -
resource
win10v200722 -
submitted
19-10-2020 00:44
Static task
static1
Behavioral task
behavioral1
Sample
f80a0b2708893179f10771d1656875f67d6a9fba78ffcfe14485aae21b31dc55.jar
Resource
win7
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
f80a0b2708893179f10771d1656875f67d6a9fba78ffcfe14485aae21b31dc55.jar
Resource
win10v200722
windows10_x64
0 signatures
0 seconds
General
-
Target
f80a0b2708893179f10771d1656875f67d6a9fba78ffcfe14485aae21b31dc55.jar
-
Size
209KB
-
MD5
369eb059f2b5b98c7b42e14fad64c2a7
-
SHA1
84c74b6512664d339f7f49a5368f9a6fdf6025e4
-
SHA256
f80a0b2708893179f10771d1656875f67d6a9fba78ffcfe14485aae21b31dc55
-
SHA512
8cccf82be1dd1fc9b4375c1c066f077b5433fa82d03bc46c90a5ae1b348b1c5deab9ea45313720f222a45316751189ea887c526d30cf80188f74db76771093bb
Score
10/10
Malware Config
Signatures
-
QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
-
Executes dropped EXE 1 IoCs
pid Process 3588 node.exe -
JavaScript code in executable 1 IoCs
resource yara_rule behavioral2/files/0x000100000001ad6d-159.dat js -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 3588 node.exe 3588 node.exe 3588 node.exe 3588 node.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 3900 wrote to memory of 3388 3900 java.exe 73 PID 3900 wrote to memory of 3388 3900 java.exe 73 PID 3388 wrote to memory of 3588 3388 javaw.exe 77 PID 3388 wrote to memory of 3588 3388 javaw.exe 77
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\f80a0b2708893179f10771d1656875f67d6a9fba78ffcfe14485aae21b31dc55.jar1⤵
- Suspicious use of WriteProcessMemory
PID:3900 -
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\c469b9c0.tmp2⤵
- Suspicious use of WriteProcessMemory
PID:3388 -
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain karimrnosa2.home-webserver.de3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3588
-
-