Resubmissions

25-06-2021 19:02

210625-3pn69lxvl6 10

19-01-2021 19:11

210119-d5lpreq1xs 10

17-01-2021 18:34

210117-13dmhlbfvs 10

17-12-2020 13:19

201217-th1vrg4m2n 10

Analysis

  • max time kernel
    19s
  • max time network
    13s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    17-01-2021 18:34

General

  • Target

    Joker.exe

  • Size

    649KB

  • MD5

    182f7543c3686426512511c74548e724

  • SHA1

    3f114d85370d2014004e06bd7b10ab2ac435b482

  • SHA256

    49c578bf49fba965320ea05c3d1c8ef2bf37d3c8943988b50ac72fd6c3d109b7

  • SHA512

    3f4fc19e3687b1a4b5cb7719f21b6b51d0f7f29ed82ce51a95c1b18ecd7660391ed116df9ed132f91c10ff639875451d67baa9414721f5b52441d3d905e65e87

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\CryptoJoker Recovery Information.txt

Ransom Note
Hello! I am NocryCrypt0r My name is NocryCrypt0r. I have encrypted all your precious files including images, videos, songs, text files, word files and etc. So long story short, you are screwed... but you are lucky in a way. Why is that ?? I am ransomware that leave you an unlimited amount of time to gather the money to pay me. I am not gonna go somewhere, neither do your encrypted files. FAQ: 1. Can i get my precious files back?? Answer: Ofcourse you can. There is just a minor detail. You have to pay to get them back. 2. Ok, how i am gonna get them back? Answer: You have to pay 50€ in bitcoin. 3. There isn't any other way to get back my files ? Answer: Nahhh. Just our service. 4. Ok, what i have to do then ? Answer: Simply, you will have to pay 50€ to this bitcoin address: 1yh3eJjuXwqqXgpu8stnojm148b8d6NFQ . When time comes to send me the money, make sure to include your e-mail and your personal ID(you can see it bellow) in the extra information box (it may apper also as 'Extra Note' or 'optional message') in order to get your personal decryption key. It may take up to 6-8 hours to take your personal decryption key. 5. What the heck bitcoin is ? Answer: Bitcoin is a cryptocurrency and a digital payment system. You can see more information here: https://en.wikipedia.org/wiki/Bitcoin . I recommend to use 'Coinbase' or 'Bitcoin Wallet' as a bitcoin wallet, if you are new to the bitcoin-wallet. Ofcourse you can pay me from whatever bitcoin wallet you want, it deosn't really matter. 6. Is there any chance to unclock my files for free ? Answer: Not really. After 1-2 or max 3 years there is propably gonna be released a free decryptor. So if you want to wait... it's fine. As i said, i am not gonna go somewhere. 7. What i have to do after getting my decryption key ? Answer: Simple. Just press the decryption button bellow. Enter your decryption key you received, and wait until the decryption process is done. Your personal ID: 80120786078BFBFD00000663
Wallets

1yh3eJjuXwqqXgpu8stnojm148b8d6NFQ

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    theemailtologin@gmail.com
  • Password:
    thepasswordoftheaccount

Signatures

  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Drops startup file 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Joker.exe
    "C:\Users\Admin\AppData\Local\Temp\Joker.exe"
    • Modifies extensions of user files
    • Drops startup file
    • Drops desktop.ini file(s)
    PID:792
  • C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\CryptoJoker Recovery Information.txt
    PID:276

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Credential Access: Credentials in Files (T1081), 1
  • Collection: Data from Local System (T1005), 1

Downloads

  • C:\Users\Admin\Desktop\CryptoJoker Recovery Information.txt
    MD5
    4cd71a455c6db4436f58c0184e679cf2
    SHA1
    0900920279091f6f98b558a8093704092b6f1937
    SHA256
    44cb77aa3d89ce1709dbac4710a854483bea3380ce3305da658646c68b3d171f
    SHA512
    96554295e0bedfe78aff6b106851427759b49f6e7220dc29189e0499f4d395ff67e5f1543977ff3b47bfabb09643514617fef537da9ec87d620e481295dcd93b
  • memory/276-6-0x000007FEFC4E1000-0x000007FEFC4E3000-memory.dmp
    Filesize
    8KB
  • memory/572-8-0x000007FEF61E0000-0x000007FEF645A000-memory.dmp
    Filesize
    2.5MB
  • memory/792-2-0x000007FEF6460000-0x000007FEF6DFD000-memory.dmp
    Filesize
    9.6MB
  • memory/792-3-0x000007FEF6460000-0x000007FEF6DFD000-memory.dmp
    Filesize
    9.6MB
  • memory/792-4-0x00000000004C0000-0x00000000004C2000-memory.dmp
    Filesize
    8KB
  • memory/792-5-0x00000000004C6000-0x00000000004E5000-memory.dmp
    Filesize
    124KB