General

  • Target

    380000_USD_INV_011740_NOV_2020.jar

  • Size

    54KB

  • Sample

    201127-n6d5kxprha

  • MD5

    48fb2549992cb437906bf66ac6a28e9e

  • SHA1

    7b6b367c992c71f2f28c6b5b02869c0519899e64

  • SHA256

    835834081946ec9778c7ac1255b166c5f2c25729e23d06305a9b28670415497d

  • SHA512

    440530a9ebf2bb6b13f88039c05da530e55c2cade41ff9c13eea3682c7435f2a379d1b01ae433000c790ac97be9be9f2af9bbc419e6189237e9a7b3d88c54308

Malware Config

Targets

    • QNodeService

      Trojan/stealer written in NodeJS and spread via Java downloader.

    • Executes dropped EXE

    • Adds Run key to start application

    • JavaScript code in executable

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence

    Registry Run Keys / Startup Folder, T1060 (1)

  • Defense Evasion

    Modify Registry, T1112 (1)

  • Discovery

    Query Registry, T1012 (1)

    System Information Discovery, T1082 (1)
