Analysis
  max time kernel: 59s
  max time network: 67s
  platform: windows10_x64
  resource: win10
  submitted: 22-10-2020 11:55
Static task: static1
Behavioral task: behavioral1
  Sample: Image_00766433873_JPEG.jar
  Resource: win7v200722 (windows7_x64)
Behavioral task: behavioral2
  Sample: Image_00766433873_JPEG.jar
  Resource: win10 (windows10_x64)
General
  Target: Image_00766433873_JPEG.jar
  Size:   69KB
  MD5:    38af657b78fbe7972d6056129a9ff437
  SHA1:   af3f1cdddfc251308ec0c627a95e088962a40c05
  SHA256: bfe596c9e91ff1f739cf53faf5996504addb964a7cbfd3823040f9f2acf36185
  SHA512: 632638d1646be5e5a6cbf85d564bb52820706e25d673a3548b62b65181c6af4be0df39adf2fb8e97d0238c274dc47ec0246f6da36142314197c1a1108e5e0846
  Score:  10/10
Malware Config
  (no entries)
Signatures
QNodeService
  Trojan/stealer written in Node.js and spread via a Java downloader.
Executes dropped EXE (1 IoC)
  pid   process
  1200  node.exe
JavaScript code in executable (1 IoC)
  resource                                      yara_rule
  behavioral2/files/0x000100000001adb4-171.dat  js
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   process
  1200  node.exe
  1200  node.exe
  1200  node.exe
  1200  node.exe
Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   process    procid_target
  PID 3104 wrote to memory of 2136   3104  java.exe   74
  PID 3104 wrote to memory of 2136   3104  java.exe   74
  PID 2136 wrote to memory of 1200   2136  javaw.exe  78
  PID 2136 wrote to memory of 1200   2136  javaw.exe  78
Processes
1. C:\ProgramData\Oracle\Java\javapath\java.exe  (PID 3104)
   command line: java -jar C:\Users\Admin\AppData\Local\Temp\Image_00766433873_JPEG.jar
   flags: Suspicious use of WriteProcessMemory
   2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe  (PID 2136, child of 3104)
      command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\ed0cb17b.tmp
      flags: Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\node-v14.12.0-win-x64\node.exe  (PID 1200, child of 2136)
         command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain ntums330.hopto.org
         flags: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
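The process chain above (java.exe launching a .jar from %TEMP%, javaw.exe relaunching a renamed .tmp, then a dropped node.exe started with `-` and `--hub-domain`) is the part of this report most worth turning into a detection. What follows is an added example, not part of the sandbox report: a Python check over process-creation events that flags each link of that chain. The event records are constructed here to mirror the report's process tree plus one benign node.exe launch that must not fire; the pid/ppid/image/cmdline field names are an assumed Sysmon-like shape rather than a real log format. The `-` argument is Node's documented way of reading the script from stdin, which is why no .js file needs to be written next to the binary.

```python
"""Flag the java -> javaw -> node.exe chain from the report in process-creation events.

Added example; event shape (pid, ppid, image, cmdline) is an assumption, not a
real log format. Sample events below are constructed to mirror the report.
"""
import ntpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample events: the three processes from the report's tree, plus one
# benign node.exe launch (script on disk, under Program Files) as a negative case.
SAMPLE_EVENTS = [
    ProcEvent(3104, 900, r"C:\ProgramData\Oracle\Java\javapath\java.exe",
              r"java -jar C:\Users\Admin\AppData\Local\Temp\Image_00766433873_JPEG.jar"),
    ProcEvent(2136, 3104, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
              r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\ed0cb17b.tmp'),
    ProcEvent(1200, 2136, r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe",
              r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain ntums330.hopto.org"),
    ProcEvent(4100, 900, r"C:\Program Files\nodejs\node.exe",
              r'"C:\Program Files\nodejs\node.exe" C:\dev\app\server.js'),
]

JAVA_IMAGES = {"java.exe", "javaw.exe"}
# A .jar or .tmp passed to -jar out of the user's %TEMP% directory.
TEMP_PAYLOAD = re.compile(r'\\AppData\\Local\\Temp\\[^\s"]+\.(?:jar|tmp)\b', re.IGNORECASE)
# Binary living under a user profile instead of an install location.
USER_PROFILE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.IGNORECASE)


def _name(image: str) -> str:
    return ntpath.basename(image).lower()


def ancestors(ev: ProcEvent, by_pid: dict) -> list:
    """Parent chain of ev, nearest first; stops at unknown pids or pid reuse loops."""
    chain, seen = [], {ev.pid}
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def assess(ev: ProcEvent, by_pid: dict) -> list:
    """Return the reasons this event matches the report's chain; [] means benign."""
    reasons = []
    name = _name(ev.image)
    args = ev.cmdline.split()
    if name in JAVA_IMAGES and TEMP_PAYLOAD.search(ev.cmdline):
        reasons.append(f"{name} ran -jar on a .jar/.tmp payload out of %TEMP%")
    if name == "node.exe":
        if USER_PROFILE.match(ev.image):
            reasons.append("node.exe runs from a user-profile directory (dropped runtime)")
        if "-" in args[1:]:
            reasons.append("node given '-': script read from stdin, no .js written to disk")
        if "--hub-domain" in args:
            i = args.index("--hub-domain")
            hub = args[i + 1] if i + 1 < len(args) else "<missing>"
            reasons.append(f"--hub-domain {hub} (QNodeService hub argument seen in the report)")
        if {_name(a.image) for a in ancestors(ev, by_pid)} & JAVA_IMAGES:
            reasons.append("node.exe descends from java/javaw, matching the report's tree")
    return reasons


def find_chain(events) -> dict:
    """Map pid -> reasons for every event that triggers at least one check."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for ev in events:
        reasons = assess(ev, by_pid)
        if reasons:
            hits[ev.pid] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in find_chain(SAMPLE_EVENTS).items():
        print(pid, *reasons, sep="\n  ")
```

Each check is deliberately independent: the %TEMP% -jar rule fires on the two Java stages even when the node stage is missing, and the node rules fire on a dropped runtime even if the parent events were lost, so a partial view of the chain still produces a hit.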