General

  • Target

    jod.js

  • Size

    170KB

  • Sample

    230518-h6nfsaaa37

  • MD5

    ea6103815cb06653775743a337f9d934

  • SHA1

    9ec5e3f4bb4b39fcb61e0a5f15b0c6244a15ad60

  • SHA256

    b9ca6866ff2792c9472c7dfd63e58dac2b3d51157a3d5bea252c873a4ea29df5

  • SHA512

    7fd07e097673d14783117dd4180538ae0057530cecfb4eac14126f437272eb07e9bea10aed7ba610a9039a3ca9d08156d82e12bb89454abad1e29870e4797e73

  • SSDEEP

    3072:zbT1AJM/EaZ8ok36/EI4+ZQSU2bokXPXliq3kJIAsKL3bT1AJM/EaZ8ok36/EI4c:zbZ0M/EaZ8ok36RftbokXsbZ0M/EaZ8M

Malware Config

Extracted

  • Language

    ps1

  • Deobfuscated URLs (ps1.dropper)

    https://propagandaetrafego.com/b.jpg

Extracted

  • Language

    ps1

  • Deobfuscated URLs (ps1.dropper)

    https://propagandaetrafego.com/v1.txt

Extracted

  • Family

    quasar

  • Version

    2.7.0.0

  • Botnet

    OP23

  • C2

    vhf.sytes.net:4783
    15.235.109.170:4782

  • Mutex

    2vrOj8wCud9msk5z8w

Attributes
  • encryption_key

    ywxbR3BS4B6Rtb7nv9vB

  • install_name

    Venom.exe

  • log_directory

    Logs

  • reconnect_delay

    3000

  • startup_key

    Venom Client Startup

Targets

    • Target

      jod.js

    • Quasar RAT

      Quasar is an open source Remote Access Tool.

    • Quasar payload

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v6

  • Execution

    Scheduled Task (T1053): 1

  • Persistence

    Scheduled Task (T1053): 1

  • Privilege Escalation

    Scheduled Task (T1053): 1

  • Discovery

    Query Registry (T1012): 2
    System Information Discovery (T1082): 2

Tasks