General

Target: jod.js
Size: 170KB
Sample: 230518-h6nfsaaa37
MD5: ea6103815cb06653775743a337f9d934
SHA1: 9ec5e3f4bb4b39fcb61e0a5f15b0c6244a15ad60
SHA256: b9ca6866ff2792c9472c7dfd63e58dac2b3d51157a3d5bea252c873a4ea29df5
SHA512: 7fd07e097673d14783117dd4180538ae0057530cecfb4eac14126f437272eb07e9bea10aed7ba610a9039a3ca9d08156d82e12bb89454abad1e29870e4797e73
SSDEEP: 3072:zbT1AJM/EaZ8ok36/EI4+ZQSU2bokXPXliq3kJIAsKL3bT1AJM/EaZ8ok36/EI4c:zbZ0M/EaZ8ok36RftbokXsbZ0M/EaZ8M
Static task: static1
Behavioral task: behavioral1
Sample: jod.js
Resource: win7-20230220-en
Malware Config

Extracted URLs (pulled from the script):
https://propagandaetrafego.com/b.jpg
https://propagandaetrafego.com/v1.txt

Extracted: quasar
The first four values below are unlabelled in the raw extraction; the labels follow the standard Quasar client config order (version, tag, C2 hosts, mutex). The install name and startup key are consistent with a Venom RAT build, a Quasar-derived fork.
Version: 2.7.0.0
Tag: OP23
C2: vhf.sytes.net:4783
C2: 15.235.109.170:4782
Mutex: 2vrOj8wCud9msk5z8w
encryption_key: ywxbR3BS4B6Rtb7nv9vB
install_name: Venom.exe
log_directory: Logs
reconnect_delay: 3000 (milliseconds between reconnect attempts)
startup_key: Venom Client Startup (Run-key value name used for persistence)
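As an added example, not part of the sandbox report and not Quasar's or the sandbox vendor's code, the extracted configuration above turned into a small set of hunting checks. The indicator strings (hashes, C2 entries, stager URLs, install name, startup key, mutex) are copied from the report; the event records and the file bytes fed to the functions are constructed here to exercise the code, and the event shapes are my own, not a real log format. The mutex label relies on the Quasar field order noted above, and a Run-key value match is only checked under a CurrentVersion\Run path, which is where Quasar writes its startup entry.

```python
"""Hunting helpers built from the extracted Quasar config (added example)."""
import hashlib
import ipaddress

# Indicators copied from the report above.
REPORT_HASHES = {
    "md5": "ea6103815cb06653775743a337f9d934",
    "sha1": "9ec5e3f4bb4b39fcb61e0a5f15b0c6244a15ad60",
    "sha256": "b9ca6866ff2792c9472c7dfd63e58dac2b3d51157a3d5bea252c873a4ea29df5",
}
C2_ENTRIES = ["vhf.sytes.net:4783", "15.235.109.170:4782"]
STAGER_URLS = [
    "https://propagandaetrafego.com/b.jpg",
    "https://propagandaetrafego.com/v1.txt",
]
INSTALL_NAME = "Venom.exe"
STARTUP_KEY = "Venom Client Startup"
MUTEX = "2vrOj8wCud9msk5z8w"  # label inferred from Quasar config field order


def parse_c2(entry):
    """Split a Quasar 'host:port' entry into (host, port, is_ip)."""
    host, _, port = entry.rpartition(":")
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    return host, int(port), is_ip


def file_matches_report(data):
    """Compare a candidate file's digests with the report's hashes, per algorithm."""
    return {
        algo: hashlib.new(algo, data).hexdigest() == digest
        for algo, digest in REPORT_HASHES.items()
    }


def hunt(events):
    """Return (index, reason) for every event that matches an indicator.

    Event shapes are constructed for this example (not a real log format):
      {"type": "dns",     "query": "..."}
      {"type": "netconn", "dst_ip": "...", "dst_port": 1234}
      {"type": "http",    "url": "..."}
      {"type": "reg",     "key": "...", "value_name": "...", "data": "..."}
      {"type": "mutex",   "name": "..."}
    """
    c2 = [parse_c2(e) for e in C2_ENTRIES]
    c2_names = {h.lower() for h, _, is_ip in c2 if not is_ip}
    c2_sockets = {(h, p) for h, p, is_ip in c2 if is_ip}
    c2_ports = {p for _, p, _ in c2}
    hits = []
    for i, ev in enumerate(events):
        t = ev.get("type")
        if t == "dns" and ev["query"].lower().rstrip(".") in c2_names:
            hits.append((i, "DNS query for Quasar C2 hostname"))
        elif t == "netconn":
            if (ev["dst_ip"], ev["dst_port"]) in c2_sockets:
                hits.append((i, "connection to Quasar C2 ip:port"))
            elif ev["dst_port"] in c2_ports:
                hits.append((i, "connection on a configured C2 port (weak indicator)"))
        elif t == "http" and ev["url"] in STAGER_URLS:
            hits.append((i, "fetch of an extracted stager URL"))
        elif t == "reg" and "\\currentversion\\run" in ev["key"].lower():
            # Quasar persists via a Run-key value named after startup_key,
            # pointing at the install_name executable.
            if (ev.get("value_name") == STARTUP_KEY
                    or INSTALL_NAME.lower() in ev.get("data", "").lower()):
                hits.append((i, "Run-key persistence matching startup_key/install_name"))
        elif t == "mutex" and ev["name"] == MUTEX:
            hits.append((i, "Quasar client mutex created"))
    return hits


# Constructed telemetry, not taken from the report. Indices 0, 1, 2, 4, 5 should hit.
SAMPLE_EVENTS = [
    {"type": "http", "url": "https://propagandaetrafego.com/v1.txt"},
    {"type": "dns", "query": "vhf.sytes.net"},
    {"type": "netconn", "dst_ip": "15.235.109.170", "dst_port": 4782},
    {"type": "netconn", "dst_ip": "10.0.0.5", "dst_port": 443},
    {"type": "reg", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Venom Client Startup",
     "data": r"C:\Users\user\AppData\Roaming\Venom.exe"},  # path is constructed
    {"type": "mutex", "name": "2vrOj8wCud9msk5z8w"},
    {"type": "dns", "query": "www.example.com"},
]

if __name__ == "__main__":
    for idx, reason in hunt(SAMPLE_EVENTS):
        print(idx, reason)
    print(file_matches_report(b"not the sample"))
```

The port-only match is deliberately reported as weak: 4782 and 4783 are the Quasar defaults and will appear in unrelated traffic, so it is a pivot for review rather than a blocking rule, while the hostname, ip:port, URL, Run-key and mutex matches are specific to this configuration.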
Targets

Target: jod.js
Size: 170KB
Signatures

- Quasar payload
- Blocklisted process makes network request
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext
  Rewriting the register context of another thread is characteristic of process hollowing or thread hijacking: execution of an existing thread is redirected into injected code instead of the payload being started as a normal process.