Analysis
max time kernel: 59s
max time network: 111s
platform: windows10_x64
resource: win10v20201028
submitted: 25/11/2020, 10:35
Static task: static1

Behavioral task: behavioral1
  Sample: 380000_USD_INV_011740_NOV_2020.jar
  Resource: win7v20201028
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: 380000_USD_INV_011740_NOV_2020.jar
  Resource: win10v20201028
  0 signatures, 0 seconds
General
Target: 380000_USD_INV_011740_NOV_2020.jar
Size: 64KB
MD5: aa4cc34e07330dac5e26c7e48bc469fd
SHA1: 8810ae3a071b894f76bbbd8bb8cec2832eee0362
SHA256: 6d3f7620b05ce217ff5db72d4af251801a16b4c86b7a2caa79dbe4431c5e0289
SHA512: 9f98db768d103b940d23ecaa92a750c567f19b3198cbbc16d50d8a0d7c858355e42fddcace4fd1ed7f8b9d5c72c334429cb0e7e8b832562b31c602a566898f20
Score: 10/10
Malware Config

Signatures
- QNodeService
  Trojan/stealer written in NodeJS and spread via Java downloader.
- Executes dropped EXE (1 IoC)
  pid   Process
  184   node.exe
- JavaScript code in executable (1 IoC)
  resource                                       yara_rule
  behavioral2/files/0x000100000001ab86-172.dat   js
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  184   node.exe
  184   node.exe
  184   node.exe
  184   node.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  description                        pid   Process     procid_target
  PID 640 wrote to memory of 856     640   java.exe    76
  PID 640 wrote to memory of 856     640   java.exe    76
  PID 856 wrote to memory of 184     856   javaw.exe   80
  PID 856 wrote to memory of 184     856   javaw.exe   80
Processes
- C:\ProgramData\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\380000_USD_INV_011740_NOV_2020.jar
  Depth: 1
  - Suspicious use of WriteProcessMemory
  PID: 640
  - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\2445b50e.tmp
    Depth: 2
    - Suspicious use of WriteProcessMemory
    PID: 856
    - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
      Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain gatherlozx.hopto.org --hub-domain localhost
      Depth: 3
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 184