Analysis

  • max time kernel
    39s
  • max time network
    67s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    19-10-2020 18:25

General

  • Target

    DHL Parcel.jar

  • Size

    78KB

  • MD5

    921dee3f81d4f053499484de0f20d142

  • SHA1

    e92d731f7885ec302f5efadd06cc7bc37f7fa81f

  • SHA256

    e065c2db9a299198bb85800ae462703a54f7e63257c790ccdf32ea92da097365

  • SHA512

    870417155054edf8fd2f985bac233b748210dfb818c0ad25ba2cd68b7e27c583d19cbab457608cf8af0e8b9fe75f5d5067138bd151e30ce42e57e668b1de22e4

Score
10/10

Malware Config

Signatures

  • QNodeService

    Trojan/stealer written in NodeJS and spread via Java downloader.

  • Executes dropped EXE 1 IoCs
  • JavaScript code in executable 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar "C:\Users\Admin\AppData\Local\Temp\DHL Parcel.jar"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\03622adc.tmp
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2884
      • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
        C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain severdops.ddns.net
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2616-166-0x0000009D413C0000-0x0000009D413C1000-memory.dmp

    Filesize

    4KB