Analysis
- max time kernel: 95s
- max time network: 159s
- platform: windows10_x64
- resource: win10
- submitted: 22-10-2020 17:43
Static task: static1

Behavioral task: behavioral1
- Sample: INVOICE 0106.jar
- Resource: win7 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: INVOICE 0106.jar
- Resource: win10 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: INVOICE 0106.jar
- Size: 67KB
- MD5: eb45fee306ba42379381f385e1d13017
- SHA1: 253620166cdb27495464f9c03a9184d8cfe19dd3
- SHA256: 0806f7d22f9bfbe523f1dd102087fd0dc0dd8fdaad397c6f3986b9b30e1ecd9d
- SHA512: e30a4716f0050df82d7bf5143c6f982421ffe424c6b3ec8282879c06522976c07e4048ddbddb140aee13cf8166703079be4040378827f00be996de617a8380ae
- Score: 10/10
Malware Config

Signatures
- QNodeService
  Trojan/stealer written in NodeJS and spread via Java downloader.
- Executes dropped EXE (1 IoC)
  pid 2996, process node.exe
- JavaScript code in executable (1 IoC)
  resource behavioral2/files/0x000100000001ada4-172.dat, yara_rule js
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 2996, process node.exe (listed 4 times)
- Suspicious use of WriteProcessMemory (4 IoCs)
  description: PID 3524 wrote to memory of 3932 | pid 3524 | process java.exe | procid_target 76
  description: PID 3524 wrote to memory of 3932 | pid 3524 | process java.exe | procid_target 76
  description: PID 3932 wrote to memory of 2996 | pid 3932 | process javaw.exe | procid_target 78
  description: PID 3932 wrote to memory of 2996 | pid 3932 | process javaw.exe | procid_target 78
Processes
- C:\ProgramData\Oracle\Java\javapath\java.exe
  command line: java -jar "C:\Users\Admin\AppData\Local\Temp\INVOICE 0106.jar"
  PID: 3524
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\270d5de4.tmp
    PID: 3932
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
      command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain success87.hopto.org
      PID: 2996
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses