Analysis

  Max time kernel:  48s
  Max time network: 114s
  Platform:         windows10_x64
  Resource:         win10v200722
  Submitted:        21-10-2020 10:02
Tasks

  Static task: static1

  Behavioral task: behavioral1
    Sample:     INVOICE#0108.jar
    Resource:   win7 (windows7_x64)
    Signatures: 0
    Runtime:    0 seconds

  Behavioral task: behavioral2
    Sample:     INVOICE#0108.jar
    Resource:   win10v200722 (windows10_x64)
    Signatures: 0
    Runtime:    0 seconds
General

  Target: INVOICE#0108.jar
  Size:   68KB
  MD5:    eeb9a3c4cc1fd0e95ff4184a50eb49d9
  SHA1:   8445135ef24533a22270fd15d9a9e767c43168e6
  SHA256: 6b9c4f7252046dbdc98d8eb537bdc776b1e35040b86c1dc1927c2e6bdd7e6c0d
  SHA512: 8533d4d2ef1fbcf7df5c452f613606df19a6271a54c4114809c3dfb21a0900e9d58474ba39da63b4bbd7aec4ed15279b81a3fcf538560e8e6bcc92781866ebcd
  Score:  10/10
Malware Config

Signatures

  QNodeService
    Trojan/stealer written in NodeJS and spread via a Java downloader.

  Executes dropped EXE (1 IoC)
    pid   Process
    1940  node.exe

  JavaScript code in executable (1 IoC)
    resource                                          yara_rule
    behavioral2/files/0x000100000001ad49-168.dat      js

  Suspicious behavior: EnumeratesProcesses (4 IoCs)
    pid   Process
    1940  node.exe
    1940  node.exe
    1940  node.exe
    1940  node.exe

  Suspicious use of WriteProcessMemory (4 IoCs)
    description                          pid   Process    procid_target
    PID 532 wrote to memory of 2856      532   java.exe   75
    PID 532 wrote to memory of 2856      532   java.exe   75
    PID 2856 wrote to memory of 1940     2856  javaw.exe  77
    PID 2856 wrote to memory of 1940     2856  javaw.exe  77
Processes

  1. C:\ProgramData\Oracle\Java\javapath\java.exe
     Command line: java -jar C:\Users\Admin\AppData\Local\Temp\INVOICE#0108.jar
     PID: 532
     - Suspicious use of WriteProcessMemory

     2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
        Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\c8b89dda.tmp
        PID: 2856
        - Suspicious use of WriteProcessMemory

        3. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
           Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain success87.hopto.org
           PID: 1940
           - Executes dropped EXE
           - Suspicious behavior: EnumeratesProcesses