qnodeservice | 31a4ae2cbeff17ff5530e9da4429d72364bfc10d40736834d715878f49ceee06 | Triage

Sharing

General

Target

DHL-DOCUMENT.jar
Size

11KB
Sample

200712-szrw9d9hwx
MD5

fa9976171fb96b7a94807b4719dc4953
SHA1

6cc5948ed866b36928844e607a742d6ee7cc6281
SHA256

31a4ae2cbeff17ff5530e9da4429d72364bfc10d40736834d715878f49ceee06
SHA512

b76b606421a7ffbb18fd9bd88eafed6dad17ddfe13d6364e557485562ded9a72fe7730c4141e2b361010b6a351f1d9ed9a1b47e03371feacea8283ea05ff71f7

Score

10^/10

qnodeservice persistence trojan

Malware Config

Targets

- Target
  
  DHL-DOCUMENT.jar
- Size
  
  11KB
- MD5
  
  fa9976171fb96b7a94807b4719dc4953
- SHA1
  
  6cc5948ed866b36928844e607a742d6ee7cc6281
- SHA256
  
  31a4ae2cbeff17ff5530e9da4429d72364bfc10d40736834d715878f49ceee06
- SHA512
  
  b76b606421a7ffbb18fd9bd88eafed6dad17ddfe13d6364e557485562ded9a72fe7730c4141e2b361010b6a351f1d9ed9a1b47e03371feacea8283ea05ff71f7
Score

10^/10

persistence trojan qnodeservice
- QNodeService
  is a trojan written in NodeJS and spread via Java downloader. Utilizes stealer functionality.
  trojan qnodeservice
- QNodeService NodeJS Trojan
- Executes dropped EXE
- Loads dropped DLL
- Adds Run entry to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

persistencetrojanqnodeservice