qnodeservice | 0ffc62df8da2c91b8affad5acbc9eec81ad27614195ad75b1e838ada8befd2f7

Analysis

Target

AWB 6400815722.jar
Size

99KB
MD5

91a3fa1fd957d1d41eef560d34364e94
SHA1

0fcd5e0500278fbe09d5cf9ee814778d8cc57605
SHA256

0ffc62df8da2c91b8affad5acbc9eec81ad27614195ad75b1e838ada8befd2f7
SHA512

f91d212aab9c4638f30aad485ce8c6e8fc4732c83cb57c3c4263f6af0df71984994b61be17e1c9edf39b9e0211271396613da8b05bfc7f889c11e23b7d4044df

Score

10^/10

QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
trojan qnodeservice

Executes dropped EXE 1 IoCs

pid	Process
4720	node.exe

JavaScript code in executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ab79-170.dat	js

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4760 wrote to memory of 388	4760	java.exe	76
PID 4760 wrote to memory of 388	4760	java.exe	76
PID 388 wrote to memory of 4720	388	javaw.exe	80
PID 388 wrote to memory of 4720	388	javaw.exe	80

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\AWB 6400815722.jar"
1⤵
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\25ba46e6.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:388
- - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
    C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain gatherlozx.hopto.org --hub-domain localhost
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4720

memory/4720-171-0x000003F9CF540000-0x000003F9CF541000-memory.dmp

Filesize
4KB

Download