Analysis
max time kernel: 140s
max time network: 145s
platform: windows10_x64
resource: win10
submitted: 28/10/2020, 08:49
Static task
static1

Behavioral task
behavioral1
Sample: INVOICE#2006.jar
Resource: win7
0 signatures
0 seconds

Behavioral task
behavioral2
Sample: INVOICE#2006.jar
Resource: win10
0 signatures
0 seconds
General
Target: INVOICE#2006.jar
Size: 80KB
MD5: ceb73af74d8f6bc1069203085381af03
SHA1: 409c6f3b4150e0d5631884fa35de0f43b8bc6ecb
SHA256: e6b43893d49d522864469d81499e46121eadbe089baf0657c23b15b91c973180
SHA512: a1ee48c4da064a43b3d3a9ae78ceb80dc1687b4b70d056a1d2021597db692d919f8e221f5dd40ae6ab2a23cd3ed9d0f5cd6331324e41688ada0f9dcbcd9f66f5
Score: 10/10
Malware Config
Signatures

QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.

Executes dropped EXE (1 IoC)
pid   Process
2112  node.exe

JavaScript code in executable (1 IoC)
resource                                      yara_rule
behavioral2/files/0x000100000001ab61-171.dat  js

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   Process
2112  node.exe
2112  node.exe
2112  node.exe
2112  node.exe

Suspicious use of WriteProcessMemory (4 IoCs)
description                       pid   Process    procid_target
PID 3968 wrote to memory of 3384  3968  java.exe   75
PID 3968 wrote to memory of 3384  3968  java.exe   75
PID 3384 wrote to memory of 2112  3384  javaw.exe  79
PID 3384 wrote to memory of 2112  3384  javaw.exe  79
Processes

1. C:\ProgramData\Oracle\Java\javapath\java.exe
   Command line: java -jar C:\Users\Admin\AppData\Local\Temp\INVOICE#2006.jar
   PID: 3968
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\dd0682d4.tmp
      PID: 3384
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
         Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain success87.hopto.org
         PID: 2112
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
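The process tree above is the detection-relevant part of this report: the attached jar is run by java.exe, which writes a second jar to %TEMP% under a .tmp name and launches it with javaw.exe, and that stage starts a Node.js runtime unpacked under the user profile with `-` (Node reads the script from standard input rather than from a named file) and a `--hub-domain` argument naming the C2 host. The script below is an added example, not part of the tria.ge report or of any tool it mentions: it runs a hunt for that chain over a handful of constructed process-creation events modelled on the tree (plus one benign node.exe launch) and flags a node.exe only when several of the chain's traits line up. The event field names (pid, ppid, image, cmdline) are assumptions about whatever EDR or Sysmon export you would feed it.

```python
"""Hunt for the QNodeService delivery chain seen in the report above.

Added example, not the page's or the sandbox's own code. Event fields
(pid, ppid, image, cmdline) are assumed; adapt them to your telemetry.
"""
import re

# Constructed sample events, modelled on the report's process tree.
# PIDs, paths and command lines for 3968/3384/2112 mirror the report;
# ppid 1000, and the benign node.exe (pid 4100), are made up.
EVENTS = [
    {"pid": 3968, "ppid": 1000,
     "image": r"C:\ProgramData\Oracle\Java\javapath\java.exe",
     "cmdline": r"java -jar C:\Users\Admin\AppData\Local\Temp\INVOICE#2006.jar"},
    {"pid": 3384, "ppid": 3968,
     "image": r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
     "cmdline": r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\dd0682d4.tmp'},
    {"pid": 2112, "ppid": 3384,
     "image": r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe",
     "cmdline": r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain success87.hopto.org"},
    # Benign control: a developer running a project from the system-wide Node install.
    {"pid": 4100, "ppid": 900,
     "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": r"node.exe server.js"},
]

JAVA_IMAGES = ("java.exe", "javaw.exe")
# A Java launcher running a -jar whose path is a .tmp file in the user's Temp dir.
TMP_JAR = re.compile(r"-jar\s+\"?[^\"\s]*\\AppData\\Local\\Temp\\[^\"\s]+\.tmp\b", re.I)
# node.exe told to read its script from stdin ("-") and given a --hub-domain host.
HUB_DOMAIN = re.compile(r"(?:^|\s)-\s+--hub-domain\s+(\S+)", re.I)


def basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(pid, by_pid):
    """Walk parent links from pid upward; stops on unknown pids or cycles."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def hunt(events):
    """Return a hit per node.exe process showing at least two chain traits."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if basename(e["image"]) != "node.exe":
            continue
        reasons = []
        m = HUB_DOMAIN.search(e["cmdline"])
        if m:
            reasons.append(f"script on stdin with --hub-domain {m.group(1)}")
        if "\\users\\" in e["image"].lower():
            reasons.append("node.exe running from a user profile path")
        parents = ancestors(e["ppid"], by_pid)
        java_parents = [p for p in parents if basename(p["image"]) in JAVA_IMAGES]
        if java_parents:
            reasons.append("spawned under " + " <- ".join(basename(p["image"]) for p in java_parents))
        if any(TMP_JAR.search(p["cmdline"]) for p in java_parents):
            reasons.append("parent Java launcher ran a -jar from %TEMP%\\*.tmp")
        # Require two independent traits so a lone developer node.exe does not fire.
        if len(reasons) >= 2:
            hits.append({"pid": e["pid"],
                         "hub_domain": m.group(1) if m else None,
                         "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print(hit["pid"], hit["hub_domain"])
        for r in hit["reasons"]:
            print("  -", r)
```

Run against the constructed events, only PID 2112 fires, with all four traits (stdin script plus `--hub-domain success87.hopto.org`, user-profile node.exe, javaw.exe under java.exe as ancestors, and the `-jar` of a Temp `.tmp`); the benign node.exe matches none. The two-trait threshold is the design choice to keep: a Java parent alone is common on developer hosts, and `--hub-domain` alone is trivially renamed by the next build, but the combination of a Node runtime unpacked under a user profile and started by a Java launcher from a `.tmp` jar is the part of this chain that is expensive for the operator to change.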