Analysis
max time kernel: 39s
max time network: 67s
platform: windows10_x64
resource: win10v200722
submitted: 19-10-2020 18:25
Static task: static1
Behavioral task: behavioral1
  Sample: DHL Parcel.jar
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: DHL Parcel.jar
  Resource: win10v200722 (windows10_x64)
  0 signatures, 0 seconds
General
Target: DHL Parcel.jar
Size: 78KB
MD5: 921dee3f81d4f053499484de0f20d142
SHA1: e92d731f7885ec302f5efadd06cc7bc37f7fa81f
SHA256: e065c2db9a299198bb85800ae462703a54f7e63257c790ccdf32ea92da097365
SHA512: 870417155054edf8fd2f985bac233b748210dfb818c0ad25ba2cd68b7e27c583d19cbab457608cf8af0e8b9fe75f5d5067138bd151e30ce42e57e668b1de22e4
Score: 10/10
Malware Config
Signatures
QNodeService
  Trojan/stealer written in NodeJS and spread via Java downloader.
Executes dropped EXE (1 IoC)
  pid   Process
  2616  node.exe
JavaScript code in executable (1 IoC)
  resource                                    yara_rule
  behavioral2/files/0x000100000001ad43-165.dat  js
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2616  node.exe
  2616  node.exe
  2616  node.exe
  2616  node.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process    procid_target
  PID 2096 wrote to memory of 2884   2096  java.exe   73
  PID 2096 wrote to memory of 2884   2096  java.exe   73
  PID 2884 wrote to memory of 2616   2884  javaw.exe  77
  PID 2884 wrote to memory of 2616   2884  javaw.exe  77
Processes
1. C:\ProgramData\Oracle\Java\javapath\java.exe
   Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\DHL Parcel.jar"
   PID: 2096
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\03622adc.tmp
      PID: 2884
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
         Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain severdops.ddns.net
         PID: 2616
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses