Analysis

  • max time kernel
    48s
  • max time network
    114s
  • platform
    windows10_x64
  • resource
    win10v200722
  • submitted
    21-10-2020 10:02

General

  • Target

    INVOICE#0108.jar

  • Size

    68KB

  • MD5

    eeb9a3c4cc1fd0e95ff4184a50eb49d9

  • SHA1

    8445135ef24533a22270fd15d9a9e767c43168e6

  • SHA256

    6b9c4f7252046dbdc98d8eb537bdc776b1e35040b86c1dc1927c2e6bdd7e6c0d

  • SHA512

    8533d4d2ef1fbcf7df5c452f613606df19a6271a54c4114809c3dfb21a0900e9d58474ba39da63b4bbd7aec4ed15279b81a3fcf538560e8e6bcc92781866ebcd

Score
10/10

Malware Config

Signatures

  • QNodeService

    Trojan/stealer written in NodeJS and spread via Java downloader.

  • Executes dropped EXE 1 IoCs
  • JavaScript code in executable 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\INVOICE#0108.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:532
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\c8b89dda.tmp
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
        C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain success87.hopto.org
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1940-169-0x000003DE75FC0000-0x000003DE75FC1000-memory.dmp

    Filesize

    4KB