Analysis
-
max time kernel
86s -
max time network
113s -
platform
windows10_x64 -
resource
win10 -
submitted
27-10-2020 10:14
Static task
static1
Behavioral task
behavioral1
Sample
INVOICE#1608.jar
Resource
win7
Behavioral task
behavioral2
Sample
INVOICE#1608.jar
Resource
win10
General
-
Target
INVOICE#1608.jar
-
Size
74KB
-
MD5
dc133c7480dbe52eda437d9cdf5a1570
-
SHA1
a1e36cabc5eb441292db4e8813659923db83b7ff
-
SHA256
95325c40661f2bfce78d8c9793a672bd7b9dc0783f154956924385e1615f9a65
-
SHA512
16a8eb3d038510ea6f5b7d3178d43dd034a8ae9c95d07f393b4843d3a4dd4aedca7ebfb4e308bfef3c4b6babad647170acb09e98977391150b835cd742f5d18c
Malware Config
Signatures
-
QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
-
Executes dropped EXE 1 IoCs
Processes:
node.exepid process 1796 node.exe -
JavaScript code in executable 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\node-v14.12.0-win-x64\node.exe js -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
node.exepid process 1796 node.exe 1796 node.exe 1796 node.exe 1796 node.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
java.exejavaw.exedescription pid process target process PID 4004 wrote to memory of 2636 4004 java.exe javaw.exe PID 4004 wrote to memory of 2636 4004 java.exe javaw.exe PID 2636 wrote to memory of 1796 2636 javaw.exe node.exe PID 2636 wrote to memory of 1796 2636 javaw.exe node.exe
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\INVOICE#1608.jar1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\dd42c8d6.tmp2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain success87.hopto.org3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestampMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\dd42c8d6.tmpMD5
dc133c7480dbe52eda437d9cdf5a1570
SHA1a1e36cabc5eb441292db4e8813659923db83b7ff
SHA25695325c40661f2bfce78d8c9793a672bd7b9dc0783f154956924385e1615f9a65
SHA51216a8eb3d038510ea6f5b7d3178d43dd034a8ae9c95d07f393b4843d3a4dd4aedca7ebfb4e308bfef3c4b6babad647170acb09e98977391150b835cd742f5d18c
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeMD5
f0b11a5823c45fc2664e116dc0323bcb
SHA1612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA25616fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA5120e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac
-
memory/1796-170-0x0000000000000000-mapping.dmp
-
memory/1796-172-0x0000023512FC0000-0x0000023512FC1000-memory.dmpFilesize
4KB
-
memory/2636-54-0x0000000000000000-mapping.dmp