qnodeservice | 95325c40661f2bfce78d8c9793a672bd7b9dc0783f154956924385e1615f9a65

Analysis

Target

INVOICE#1608.jar
Size

74KB
MD5

dc133c7480dbe52eda437d9cdf5a1570
SHA1

a1e36cabc5eb441292db4e8813659923db83b7ff
SHA256

95325c40661f2bfce78d8c9793a672bd7b9dc0783f154956924385e1615f9a65
SHA512

16a8eb3d038510ea6f5b7d3178d43dd034a8ae9c95d07f393b4843d3a4dd4aedca7ebfb4e308bfef3c4b6babad647170acb09e98977391150b835cd742f5d18c

Score

10^/10

QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
trojan qnodeservice

Executes dropped EXE 1 IoCs

pid	Process
1796	node.exe

JavaScript code in executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ab52-171.dat	js

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4004 wrote to memory of 2636	4004	java.exe	75
PID 4004 wrote to memory of 2636	4004	java.exe	75
PID 2636 wrote to memory of 1796	2636	javaw.exe	79
PID 2636 wrote to memory of 1796	2636	javaw.exe	79

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\INVOICE#1608.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4004
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\dd42c8d6.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
    C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain success87.hopto.org
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1796

memory/1796-172-0x0000023512FC0000-0x0000023512FC1000-memory.dmp

Filesize
4KB

Download