Analysis
- max time kernel: 140s
- max time network: 145s
- platform: windows10_x64
- resource: win10
- submitted: 28-10-2020 08:49
Static task: static1
Behavioral task: behavioral1
  Sample: INVOICE#2006.jar
  Resource: win7
Behavioral task: behavioral2
  Sample: INVOICE#2006.jar
  Resource: win10
General
- Target: INVOICE#2006.jar
- Size: 80KB
- MD5: ceb73af74d8f6bc1069203085381af03
- SHA1: 409c6f3b4150e0d5631884fa35de0f43b8bc6ecb
- SHA256: e6b43893d49d522864469d81499e46121eadbe089baf0657c23b15b91c973180
- SHA512: a1ee48c4da064a43b3d3a9ae78ceb80dc1687b4b70d056a1d2021597db692d919f8e221f5dd40ae6ab2a23cd3ed9d0f5cd6331324e41688ada0f9dcbcd9f66f5
Malware Config
Signatures
- QNodeService
  Trojan/stealer written in NodeJS and spread via Java downloader.
- Executes dropped EXE (1 IoC)
  Processes:
    pid 2112, process node.exe
- JavaScript code in executable (1 IoC)
  Processes:
    resource C:\Users\Admin\node-v14.12.0-win-x64\node.exe, yara_rule js
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid 2112, process node.exe (4 occurrences)
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes:
    description                        pid   process    target process
    PID 3968 wrote to memory of 3384   3968  java.exe   javaw.exe
    PID 3968 wrote to memory of 3384   3968  java.exe   javaw.exe
    PID 3384 wrote to memory of 2112   3384  javaw.exe  node.exe
    PID 3384 wrote to memory of 2112   3384  javaw.exe  node.exe
Processes
- C:\ProgramData\Oracle\Java\javapath\java.exe
  command line: java -jar C:\Users\Admin\AppData\Local\Temp\INVOICE#2006.jar
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\dd0682d4.tmp
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
      command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain success87.hopto.org
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp (hashes are those of a zero-length file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
- C:\Users\Admin\AppData\Local\Temp\dd0682d4.tmp (same hashes as the submitted INVOICE#2006.jar)
  MD5: ceb73af74d8f6bc1069203085381af03
  SHA1: 409c6f3b4150e0d5631884fa35de0f43b8bc6ecb
  SHA256: e6b43893d49d522864469d81499e46121eadbe089baf0657c23b15b91c973180
  SHA512: a1ee48c4da064a43b3d3a9ae78ceb80dc1687b4b70d056a1d2021597db692d919f8e221f5dd40ae6ab2a23cd3ed9d0f5cd6331324e41688ada0f9dcbcd9f66f5
- C:\Users\Admin\node-v14.12.0-win-x64\node.exe
  MD5: f0b11a5823c45fc2664e116dc0323bcb
  SHA1: 612339040c1f927ec62186cd5012f4bb9c53c1b9
  SHA256: 16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
  SHA512: 0e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac
- memory/2112-170-0x0000000000000000-mapping.dmp
- memory/2112-172-0x000002CB1B840000-0x000002CB1B841000-memory.dmp
  Filesize: 4KB
- memory/3384-53-0x0000000000000000-mapping.dmp