Analysis

  • max time kernel
    128s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    21-10-2020 12:01

General

  • Target

    INVOICE _1106.jar

  • Size

    72KB

  • MD5

    52894a1b1f752949a63e53561f076d62

  • SHA1

    e05df8a4f5bc86a8f25cf4f20250cce1be5c251a

  • SHA256

    87b4f32c8efd777e1add156beb424abd9441e122c78e40ddf968b20824f1a0f1

  • SHA512

    309f1f89d325e12f55a72341bc62e19e75e6c820ea2c18a3b17687c44ef50750fc993a21dab8bf618531371b083a282be141230cde45e4a6e66c34674cd2f96b

Score
10/10

Malware Config

Signatures

  • QNodeService

    Trojan/stealer written in Node.js and spread via a Java downloader.

  • Executes dropped EXE (1 IoC)
  • JavaScript code in executable (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of WriteProcessMemory (4 IoCs)

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar "C:\Users\Admin\AppData\Local\Temp\INVOICE _1106.jar"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\fbcdc658.tmp
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1668
      • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
        C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain success87.hopto.org
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2148
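Detection logic for the process chain above, added here as an example and not part of the sandbox report or of the sandbox's own signatures. The process-creation events are constructed from the command lines in the Processes section (the parent PID of the first java.exe, the two benign control events and the pretend "quarantined" bytes are invented); the hashes are the ones in the General section. It flags a Java launcher running a JAR from the user's Temp directory, the dropped .tmp file relaunched as a JAR, and node.exe executed from a user-profile directory by a Java parent with a --hub-domain argument, and it checks a file's hashes against the report's delivery JAR.

```python
"""Detection of the QNodeService delivery chain shown in the report.

Added example (not the sandbox's own logic).  The events below are
constructed from the command lines in the Processes section; the parent
PID of the first java.exe and the two benign control events are invented.
"""
import hashlib
import re
from dataclasses import dataclass

# Hashes of the delivery JAR, copied from the General section of the report.
REPORT_HASHES = {
    "md5": "52894a1b1f752949a63e53561f076d62",
    "sha1": "e05df8a4f5bc86a8f25cf4f20250cce1be5c251a",
    "sha256": "87b4f32c8efd777e1add156beb424abd9441e122c78e40ddf968b20824f1a0f1",
}

JAVA_LAUNCHERS = ("java.exe", "javaw.exe")
# "-jar <path>", with the path either quoted (may contain spaces) or bare.
JAR_RE = re.compile(r'-jar\s+(?:"([^"]+)"|(\S+))', re.I)
HUB_RE = re.compile(r"--hub-domain\s+(\S+)", re.I)


@dataclass
class ProcEvent:
    """Minimal process-creation record (Sysmon Event ID 1 style fields)."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    user_profile: str = r"C:\Users\Admin"


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def jar_argument(cmdline: str):
    m = JAR_RE.search(cmdline)
    return (m.group(1) or m.group(2)) if m else None


def under(path: str, directory: str) -> bool:
    """True if path lies below directory (case-insensitive, Windows style)."""
    return path.lower().startswith(directory.lower().rstrip("\\") + "\\")


def detect_qnodeservice_chain(events):
    """Return (rule, pid, detail) findings, in event order."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = image_name(e.image)
        parent = by_pid.get(e.ppid)
        if name in JAVA_LAUNCHERS:
            jar = jar_argument(e.cmdline)
            temp_dir = e.user_profile + r"\AppData\Local\Temp"
            if jar and under(jar, temp_dir):
                # Stage 1: the mailed JAR run from Temp.  Stage 2: the same
                # launcher re-run on a dropped .tmp file that is really a JAR.
                rule = "java_jar_dropped_tmp" if jar.lower().endswith(".tmp") else "java_jar_from_temp"
                findings.append((rule, e.pid, jar))
        elif name == "node.exe":
            parent_is_java = parent is not None and image_name(parent.image) in JAVA_LAUNCHERS
            hub = HUB_RE.search(e.cmdline)
            # Node dropped into the user profile (not an installed runtime),
            # spawned by Java and pointed at its hub (C2) domain.
            if under(e.image, e.user_profile) and (parent_is_java or hub):
                findings.append(("node_hub_domain_from_java", e.pid, hub.group(1) if hub else None))
    return findings


def hash_bytes(data: bytes) -> dict:
    """Hash a quarantined file's bytes with the algorithms listed in the report."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in REPORT_HASHES}


def matches_report_sample(hashes: dict) -> bool:
    """True if any supplied hash (algorithm -> hex) equals the report's delivery JAR."""
    return any(REPORT_HASHES.get(algo) == value.lower() for algo, value in hashes.items())


# Constructed events; command lines for PIDs 3056, 1668 and 2148 come from the report.
SAMPLE_EVENTS = [
    ProcEvent(3056, 4120, r"C:\ProgramData\Oracle\Java\javapath\java.exe",
              r'java -jar "C:\Users\Admin\AppData\Local\Temp\INVOICE _1106.jar"'),
    ProcEvent(1668, 3056, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
              r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\fbcdc658.tmp'),
    ProcEvent(2148, 1668, r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe",
              r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain success87.hopto.org"),
    # Benign controls (invented): an installed Node runtime and a JAR from Program Files.
    ProcEvent(5100, 900, r"C:\Program Files\nodejs\node.exe",
              r'"C:\Program Files\nodejs\node.exe" server.js'),
    ProcEvent(6000, 900, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
              r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Program Files\MyTool\tool.jar"'),
]

if __name__ == "__main__":
    for rule, pid, detail in detect_qnodeservice_chain(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid} {detail}")
```

The node.exe rule keys on the binary living under the user profile rather than on the Node version in the path, since the dropped runtime directory name will change between samples; the hub domain captured in the finding is the value to pivot on in DNS and proxy logs.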

Network

MITRE ATT&CK Matrix

Downloads

  • memory/2148-178-0x0000017A39500000-0x0000017A39501000-memory.dmp

    Filesize

    4KB