qnodeservice | 87b4f32c8efd777e1add156beb424abd9441e122c78e40ddf968b20824f1a0f1

Analysis

Target

INVOICE _1106.jar
Size

72KB
MD5

52894a1b1f752949a63e53561f076d62
SHA1

e05df8a4f5bc86a8f25cf4f20250cce1be5c251a
SHA256

87b4f32c8efd777e1add156beb424abd9441e122c78e40ddf968b20824f1a0f1
SHA512

309f1f89d325e12f55a72341bc62e19e75e6c820ea2c18a3b17687c44ef50750fc993a21dab8bf618531371b083a282be141230cde45e4a6e66c34674cd2f96b

Score

10^/10

QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
trojan qnodeservice

Executes dropped EXE 1 IoCs

pid	Process
3640	node.exe

JavaScript code in executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001add8-170.dat	js

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4048 wrote to memory of 2248	4048	java.exe	76
PID 4048 wrote to memory of 2248	4048	java.exe	76
PID 2248 wrote to memory of 3640	2248	javaw.exe	78
PID 2248 wrote to memory of 3640	2248	javaw.exe	78

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\INVOICE _1106.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:4048
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\22b5baec.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2248
- - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
    C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain success87.hopto.org
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3640

memory/3640-172-0x000002D60C600000-0x000002D60C601000-memory.dmp

Filesize
4KB

Download