qnodeservice | 20d80f734edc92212a92a707186e22a60577c93e8bf421841b43d308f492734b

Analysis

Target

Sample_5f73b570cb0f41001b620aad.bin.jar
Size

126KB
MD5

abca242f11e901d0f85538e2f55b8321
SHA1

9be7f118e5c9b01d6fefb08c4959422358bbec24
SHA256

20d80f734edc92212a92a707186e22a60577c93e8bf421841b43d308f492734b
SHA512

42692373ea1237ba1d026700604ccdb755b2ad9ee17734e5ba8ab9c8c67f5643c207df939a9881319979e3c7437084583cb58c6f5c64ad67793e1051e8ff43e9

Score

10^/10

QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
trojan qnodeservice

Executes dropped EXE 1 IoCs

pid	Process
2896	node.exe

JavaScript code in executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ad66-168.dat	js

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 1900	408	java.exe	73
PID 408 wrote to memory of 1900	408	java.exe	73
PID 1900 wrote to memory of 2896	1900	javaw.exe	77
PID 1900 wrote to memory of 2896	1900	javaw.exe	77

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Sample_5f73b570cb0f41001b620aad.bin.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:408
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\7acd9778.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
    C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain lightstamps.website
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2896

memory/2896-170-0x00000316A9780000-0x00000316A9781000-memory.dmp

Filesize
4KB

Download