qnodeservice | 41786ef43f218b378cc533e50490815cdcac23b6cdb8375b9282abed195d7720

Analysis

Target

Way Bill #0015102020.jar
Size

262KB
MD5

d3760c810db5a1d82af0daf44d54a766
SHA1

6b7d48c11e5d8add4e7bd2c59aa00ddd5cc7d7b6
SHA256

41786ef43f218b378cc533e50490815cdcac23b6cdb8375b9282abed195d7720
SHA512

73dcc15b488497031f8ca9fb6f6a8c73bc4c3d024feb1a10836f42f2b0224668e4a302bac80f4102e0e95e6df976bbf214330a22f07cd0bac4d30a0455aaf8b3

Score

10^/10

QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
trojan qnodeservice

Executes dropped EXE 1 IoCs

pid	Process
1172	node.exe

JavaScript code in executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ad6b-171.dat	js

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3900 wrote to memory of 2004	3900	java.exe	76
PID 3900 wrote to memory of 2004	3900	java.exe	76
PID 2004 wrote to memory of 1172	2004	javaw.exe	77
PID 2004 wrote to memory of 1172	2004	javaw.exe	77

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\Way Bill #0015102020.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:3900
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\438e382e.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
    C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain holdlozx.riepsol.com --hub-domain localhost
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1172

memory/1172-172-0x0000010F03540000-0x0000010F03541000-memory.dmp

Filesize
4KB

Download