qnodeservice | f8dd632be538ba1844cf8145e6a4de9c463c4304d43c3317f4f34d4f7752c1c9

Analysis

Target

New Order.jar
Size

447KB
MD5

54a498c63b4395ff22981eadf98bc658
SHA1

36a944e2b3790ab6609b796e74fbf81f4951c039
SHA256

f8dd632be538ba1844cf8145e6a4de9c463c4304d43c3317f4f34d4f7752c1c9
SHA512

5bc10cccfcded34a1725527c661beab1a9342331dcddccec028ad743c54adbe389a5e742d6f45854d9a64dc7633518ca82a260c36f458426b7459f0a6f4b94df

Score

10^/10

QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
trojan qnodeservice

Executes dropped EXE 1 IoCs

pid	Process
3600	node.exe

JavaScript code in executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ad65-161.dat	js

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 3488	3984	java.exe	73
PID 3984 wrote to memory of 3488	3984	java.exe	73
PID 3488 wrote to memory of 3600	3488	javaw.exe	77
PID 3488 wrote to memory of 3600	3488	javaw.exe	77

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\New Order.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\6d4a4a6a.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
    C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain jahbless.hopto.org --hub-domain localhost
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3600

memory/3600-164-0x00000297B7940000-0x00000297B7941000-memory.dmp

Filesize
4KB

Download