qnodeservice | 23d7e32074e8174c189603294d8ae92fb561fefcafb2fdfa1e4ad732714bb90f | Triage

Sharing

General

Target

DHL-Document.jar
Size

12KB
Sample

200708-j1q7dbzxkj
MD5

dcad2e4f706f0ecd5685b954e4f6a6ac
SHA1

7859faa26249bdbc138ee49f9b1fb711264e0262
SHA256

23d7e32074e8174c189603294d8ae92fb561fefcafb2fdfa1e4ad732714bb90f
SHA512

7938fd34ee96335643db045e03a7bc242e499de4bab1a8f1da95732fb76dd17037f707883c096cc39bff3030d205d9b14ed349f34c58101f0c148ef680b096a0

Score

10^/10

qnodeservice persistence spyware trojan

Malware Config

Targets

- Target
  
  DHL-Document.jar
- Size
  
  12KB
- MD5
  
  dcad2e4f706f0ecd5685b954e4f6a6ac
- SHA1
  
  7859faa26249bdbc138ee49f9b1fb711264e0262
- SHA256
  
  23d7e32074e8174c189603294d8ae92fb561fefcafb2fdfa1e4ad732714bb90f
- SHA512
  
  7938fd34ee96335643db045e03a7bc242e499de4bab1a8f1da95732fb76dd17037f707883c096cc39bff3030d205d9b14ed349f34c58101f0c148ef680b096a0
Score

10^/10

persistence trojan qnodeservice spyware
- QNodeService
  is a trojan written in NodeJS and spread via Java downloader. Utilizes stealer functionality.
  trojan qnodeservice
- QNodeService NodeJS Trojan
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware
- Adds Run entry to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

persistencetrojanqnodeservicespyware