Analysis
-
max time kernel
59s -
max time network
111s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
25-11-2020 10:35
Static task
static1
Behavioral task
behavioral1
Sample
380000_USD_INV_011740_NOV_2020.jar
Resource
win7v20201028
Behavioral task
behavioral2
Sample
380000_USD_INV_011740_NOV_2020.jar
Resource
win10v20201028
General
-
Target
380000_USD_INV_011740_NOV_2020.jar
-
Size
64KB
-
MD5
aa4cc34e07330dac5e26c7e48bc469fd
-
SHA1
8810ae3a071b894f76bbbd8bb8cec2832eee0362
-
SHA256
6d3f7620b05ce217ff5db72d4af251801a16b4c86b7a2caa79dbe4431c5e0289
-
SHA512
9f98db768d103b940d23ecaa92a750c567f19b3198cbbc16d50d8a0d7c858355e42fddcace4fd1ed7f8b9d5c72c334429cb0e7e8b832562b31c602a566898f20
Malware Config
Signatures
-
QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
-
Executes dropped EXE 1 IoCs
Processes:
node.exepid process 184 node.exe -
JavaScript code in executable 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\node-v14.12.0-win-x64\node.exe js -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
node.exepid process 184 node.exe 184 node.exe 184 node.exe 184 node.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
java.exejavaw.exedescription pid process target process PID 640 wrote to memory of 856 640 java.exe javaw.exe PID 640 wrote to memory of 856 640 java.exe javaw.exe PID 856 wrote to memory of 184 856 javaw.exe node.exe PID 856 wrote to memory of 184 856 javaw.exe node.exe
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\380000_USD_INV_011740_NOV_2020.jar1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\2445b50e.tmp2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain gatherlozx.hopto.org --hub-domain localhost3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestampMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\2445b50e.tmpMD5
aa4cc34e07330dac5e26c7e48bc469fd
SHA18810ae3a071b894f76bbbd8bb8cec2832eee0362
SHA2566d3f7620b05ce217ff5db72d4af251801a16b4c86b7a2caa79dbe4431c5e0289
SHA5129f98db768d103b940d23ecaa92a750c567f19b3198cbbc16d50d8a0d7c858355e42fddcace4fd1ed7f8b9d5c72c334429cb0e7e8b832562b31c602a566898f20
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeMD5
f0b11a5823c45fc2664e116dc0323bcb
SHA1612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA25616fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA5120e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac
-
memory/184-171-0x0000000000000000-mapping.dmp
-
memory/184-173-0x0000011C7BDC0000-0x0000011C7BDC1000-memory.dmpFilesize
4KB
-
memory/856-53-0x0000000000000000-mapping.dmp