qnodeservice | c4d2576de9891cf1eff0950309a2617a11510a2e877a5957a1ad087693366daa

Analysis

Target

DHL_109401211_09100903_12012900.jar
Size

67KB
MD5

0216dcdef87aab9e27fb70c0ef09cd7c
SHA1

f3117a7557d547b1ce33c20d185b3297cb8c427a
SHA256

c4d2576de9891cf1eff0950309a2617a11510a2e877a5957a1ad087693366daa
SHA512

8e923d9c980abee1ba1526f7cb03fe635a7b179a71081af9099ce0b9ced3c63792398a34bc9e0cb7d99d7b699e325d3768cb158f6530c1edeec1b2554df4e612

Score

10^/10

QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
trojan qnodeservice

Executes dropped EXE 1 IoCs

pid	Process
3224	node.exe

JavaScript code in executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ad22-163.dat	js

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 788 wrote to memory of 2292	788	java.exe	74
PID 788 wrote to memory of 2292	788	java.exe	74
PID 2292 wrote to memory of 3224	2292	javaw.exe	78
PID 2292 wrote to memory of 3224	2292	javaw.exe	78

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\DHL_109401211_09100903_12012900.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:788
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\9fb6e4ca.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2292
- - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
    C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain glotronic.net
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3224

memory/3224-164-0x000001887FA80000-0x000001887FA81000-memory.dmp

Filesize
4KB

Download