Analysis
max time kernel: 28s
max time network: 111s
platform: windows10_x64
resource: win10v200722
submitted: 23-10-2020 12:17
Static task: static1
Behavioral task: behavioral1
  Sample: Shipping documents.jar
  Resource: win7v200722 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Shipping documents.jar
  Resource: win10v200722 (windows10_x64)
  0 signatures, 0 seconds
General
Target: Shipping documents.jar
Size: 72KB
MD5: 0e274414e008ee3e555e296593012828
SHA1: 98e64ec5869c19641dac93541e1355030fe2a68f
SHA256: 59b1bfedcb58180036edfa10e515f72204d88fbcf456059907b93043b3f6ae40
SHA512: f430701dcaf40dda38f84645920c2ea073c15ed4268144b1fc310b33b69f568de24f17d7337c8af11c0916d12db76501320b0bbf767484c8b65ac02955cfe96f
Score: 10/10
Malware Config
Signatures
QNodeService
  Trojan/stealer written in NodeJS and spread via Java downloader.
Executes dropped EXE (1 IoC)
  pid 2732, process node.exe
JavaScript code in executable (1 IoC)
  resource behavioral2/files/0x000100000001ad4b-174.dat, yara_rule js
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 2732, process node.exe (4 entries)
Suspicious use of WriteProcessMemory (4 IoCs)
  PID 3712 (java.exe) wrote to memory of PID 1976, procid_target 73
  PID 3712 (java.exe) wrote to memory of PID 1976, procid_target 73
  PID 1976 (javaw.exe) wrote to memory of PID 2732, procid_target 77
  PID 1976 (javaw.exe) wrote to memory of PID 2732, procid_target 77
Processes
1. C:\ProgramData\Oracle\Java\javapath\java.exe
   command line: java -jar "C:\Users\Admin\AppData\Local\Temp\Shipping documents.jar"
   PID: 3712
   signatures: Suspicious use of WriteProcessMemory
   2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (child of 3712)
      command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\01503380.tmp
      PID: 1976
      signatures: Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\node-v14.12.0-win-x64\node.exe (child of 1976)
         command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain ciko77.hopto.org
         PID: 2732
         signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses