Resubmissions

05-06-2022 12:18

220605-pgyzjsaca9 4

19-10-2020 00:44

201019-1lrwtdmymj 10

Analysis

  • max time kernel
    26s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    19-10-2020 00:44

General

  • Target

    f80a0b2708893179f10771d1656875f67d6a9fba78ffcfe14485aae21b31dc55.jar

  • Size

    209KB

  • MD5

    369eb059f2b5b98c7b42e14fad64c2a7

  • SHA1

    84c74b6512664d339f7f49a5368f9a6fdf6025e4

  • SHA256

    f80a0b2708893179f10771d1656875f67d6a9fba78ffcfe14485aae21b31dc55

  • SHA512

    8cccf82be1dd1fc9b4375c1c066f077b5433fa82d03bc46c90a5ae1b348b1c5deab9ea45313720f222a45316751189ea887c526d30cf80188f74db76771093bb

Score
10/10

Malware Config

Signatures

  • QNodeService

    Trojan/stealer written in NodeJS and spread via Java downloader.

  • Executes dropped EXE (1 IoC)
  • JavaScript code in executable (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\f80a0b2708893179f10771d1656875f67d6a9fba78ffcfe14485aae21b31dc55.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3900
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\c469b9c0.tmp
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3388
      • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
        C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain karimrnosa2.home-webserver.de
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3588

Network

MITRE ATT&CK Matrix

Downloads

  • memory/3588-160-0x0000021B72DC0000-0x0000021B72DC1000-memory.dmp

    Filesize

    4KB