qnodeservice | 0426d4c5a5d65165faf65b129833c0b316c2839c06bc51c7379851d7e879ae93

Analysis

Target

Advise_65800_1020.jar
Size

74KB
MD5

4956848c584407a402db410818282d15
SHA1

15925de14ab6eb4380258aee08338b0f5754edcb
SHA256

0426d4c5a5d65165faf65b129833c0b316c2839c06bc51c7379851d7e879ae93
SHA512

81f029ff447c2b9e7a9bbe5aa7ed7a84fc6cb3adcde3bc8baa5cbce895a613222119c28f3f8be31083c30ceee7185a57790369a73a6f3bbbd55328526d163b1d

Score

10^/10

QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
trojan qnodeservice

Executes dropped EXE 1 IoCs

pid	Process
3768	node.exe

JavaScript code in executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ab68-174.dat	js

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 3964	3984	java.exe	75
PID 3984 wrote to memory of 3964	3984	java.exe	75
PID 3964 wrote to memory of 3768	3964	javaw.exe	79
PID 3964 wrote to memory of 3768	3964	javaw.exe	79

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Advise_65800_1020.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\66c993a4.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3964
- - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
    C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain holdlozx.riepsol.com --hub-domain localhost
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3768

memory/3768-175-0x00000292AC840000-0x00000292AC841000-memory.dmp

Filesize
4KB

Download