Analysis
max time kernel: 365s
max time network: 364s
platform: windows7_x64
resource: win7-en-20211208
submitted: 23/01/2022, 16:46

Static task: static1
Behavioral task: behavioral1
Sample: msg.exe
Resource: win7-en-20211208
0 signatures
0 seconds
General
Target: msg.exe
Size: 392KB
MD5: d90d0f4d6dad402b5d025987030cc87c
SHA1: fad66bdf5c5dc2c050cbc574832c6995dba086a0
SHA256: 1ffd6559d21470c40dcf9236da51e5823d7ad58c93502279871c3fe7718c901c
SHA512: c2faeacfd588585633630ad710f443a72c7617c2d5e37dbfe43570e6ac5904e4b81eb682356a48a93bb794ef5e9d8ad0d673966d57798079b4de62ea61241024
Malware Config
Signatures
Detection for the linux version of Sysjoker cross-platform backdoor (4 IoCs)
resource                                      yara_rule
behavioral1/files/0x00060000000125b9-62.dat   family_linux_sysjoker
behavioral1/files/0x00060000000125b9-63.dat   family_linux_sysjoker
behavioral1/files/0x00060000000125b9-64.dat   family_linux_sysjoker
behavioral1/files/0x00060000000125b9-65.dat   family_linux_sysjoker
Detection for the mac version of Sysjoker cross-platform backdoor (4 IoCs)
resource                                      yara_rule
behavioral1/files/0x00060000000125b9-62.dat   family_macos_sysjoker
behavioral1/files/0x00060000000125b9-63.dat   family_macos_sysjoker
behavioral1/files/0x00060000000125b9-64.dat   family_macos_sysjoker
behavioral1/files/0x00060000000125b9-65.dat   family_macos_sysjoker
Detection for the windows version of Sysjoker cross-platform backdoor (4 IoCs)
resource                                      yara_rule
behavioral1/files/0x00060000000125b9-62.dat   family_sysjoker
behavioral1/files/0x00060000000125b9-63.dat   family_sysjoker
behavioral1/files/0x00060000000125b9-64.dat   family_sysjoker
behavioral1/files/0x00060000000125b9-65.dat   family_sysjoker
Executes dropped EXE (1 IoC)
pid    Process
1920   igfxCUIService.exe
Loads dropped DLL (2 IoCs)
pid    Process
1756   msg.exe
1756   msg.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid    Process
1396   powershell.exe
972    powershell.exe
1564   powershell.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description                              pid    Process
Token: SeDebugPrivilege                  1396   powershell.exe
Token: SeDebugPrivilege                  972    powershell.exe
Token: SeIncreaseQuotaPrivilege          956    WMIC.exe
Token: SeSecurityPrivilege               956    WMIC.exe
Token: SeTakeOwnershipPrivilege          956    WMIC.exe
Token: SeLoadDriverPrivilege             956    WMIC.exe
Token: SeSystemProfilePrivilege          956    WMIC.exe
Token: SeSystemtimePrivilege             956    WMIC.exe
Token: SeProfSingleProcessPrivilege      956    WMIC.exe
Token: SeIncBasePriorityPrivilege        956    WMIC.exe
Token: SeCreatePagefilePrivilege         956    WMIC.exe
Token: SeBackupPrivilege                 956    WMIC.exe
Token: SeRestorePrivilege                956    WMIC.exe
Token: SeShutdownPrivilege               956    WMIC.exe
Token: SeDebugPrivilege                  956    WMIC.exe
Token: SeSystemEnvironmentPrivilege      956    WMIC.exe
Token: SeRemoteShutdownPrivilege         956    WMIC.exe
Token: SeUndockPrivilege                 956    WMIC.exe
Token: SeManageVolumePrivilege           956    WMIC.exe
Token: 33                                956    WMIC.exe
Token: 34                                956    WMIC.exe
Token: 35                                956    WMIC.exe
Token: SeIncreaseQuotaPrivilege          956    WMIC.exe
Token: SeSecurityPrivilege               956    WMIC.exe
Token: SeTakeOwnershipPrivilege          956    WMIC.exe
Token: SeLoadDriverPrivilege             956    WMIC.exe
Token: SeSystemProfilePrivilege          956    WMIC.exe
Token: SeSystemtimePrivilege             956    WMIC.exe
Token: SeProfSingleProcessPrivilege      956    WMIC.exe
Token: SeIncBasePriorityPrivilege        956    WMIC.exe
Token: SeCreatePagefilePrivilege         956    WMIC.exe
Token: SeBackupPrivilege                 956    WMIC.exe
Token: SeRestorePrivilege                956    WMIC.exe
Token: SeShutdownPrivilege               956    WMIC.exe
Token: SeDebugPrivilege                  956    WMIC.exe
Token: SeSystemEnvironmentPrivilege      956    WMIC.exe
Token: SeRemoteShutdownPrivilege         956    WMIC.exe
Token: SeUndockPrivilege                 956    WMIC.exe
Token: SeManageVolumePrivilege           956    WMIC.exe
Token: 33                                956    WMIC.exe
Token: 34                                956    WMIC.exe
Token: 35                                956    WMIC.exe
Token: SeDebugPrivilege                  1564   powershell.exe
Token: SeIncreaseQuotaPrivilege          980    WMIC.exe
Token: SeSecurityPrivilege               980    WMIC.exe
Token: SeTakeOwnershipPrivilege          980    WMIC.exe
Token: SeLoadDriverPrivilege             980    WMIC.exe
Token: SeSystemProfilePrivilege          980    WMIC.exe
Token: SeSystemtimePrivilege             980    WMIC.exe
Token: SeProfSingleProcessPrivilege      980    WMIC.exe
Token: SeIncBasePriorityPrivilege        980    WMIC.exe
Token: SeCreatePagefilePrivilege         980    WMIC.exe
Token: SeBackupPrivilege                 980    WMIC.exe
Token: SeRestorePrivilege                980    WMIC.exe
Token: SeShutdownPrivilege               980    WMIC.exe
Token: SeDebugPrivilege                  980    WMIC.exe
Token: SeSystemEnvironmentPrivilege      980    WMIC.exe
Token: SeRemoteShutdownPrivilege         980    WMIC.exe
Token: SeUndockPrivilege                 980    WMIC.exe
Token: SeManageVolumePrivilege           980    WMIC.exe
Token: 33                                980    WMIC.exe
Token: 34                                980    WMIC.exe
Token: 35                                980    WMIC.exe
Token: SeIncreaseQuotaPrivilege          980    WMIC.exe
Suspicious use of WriteProcessMemory (32 IoCs)
description                          pid    Process              procid_target
PID 1756 wrote to memory of 1396     1756   msg.exe              29
PID 1756 wrote to memory of 1396     1756   msg.exe              29
PID 1756 wrote to memory of 1396     1756   msg.exe              29
PID 1756 wrote to memory of 1396     1756   msg.exe              29
PID 1756 wrote to memory of 1920     1756   msg.exe              31
PID 1756 wrote to memory of 1920     1756   msg.exe              31
PID 1756 wrote to memory of 1920     1756   msg.exe              31
PID 1756 wrote to memory of 1920     1756   msg.exe              31
PID 1920 wrote to memory of 972      1920   igfxCUIService.exe   32
PID 1920 wrote to memory of 972      1920   igfxCUIService.exe   32
PID 1920 wrote to memory of 972      1920   igfxCUIService.exe   32
PID 1920 wrote to memory of 972      1920   igfxCUIService.exe   32
PID 972 wrote to memory of 1036      972    powershell.exe       34
PID 972 wrote to memory of 1036      972    powershell.exe       34
PID 972 wrote to memory of 1036      972    powershell.exe       34
PID 972 wrote to memory of 1036      972    powershell.exe       34
PID 972 wrote to memory of 956       972    powershell.exe       37
PID 972 wrote to memory of 956       972    powershell.exe       37
PID 972 wrote to memory of 956       972    powershell.exe       37
PID 972 wrote to memory of 956       972    powershell.exe       37
PID 1920 wrote to memory of 1564     1920   igfxCUIService.exe   38
PID 1920 wrote to memory of 1564     1920   igfxCUIService.exe   38
PID 1920 wrote to memory of 1564     1920   igfxCUIService.exe   38
PID 1920 wrote to memory of 1564     1920   igfxCUIService.exe   38
PID 1920 wrote to memory of 1748     1920   igfxCUIService.exe   40
PID 1920 wrote to memory of 1748     1920   igfxCUIService.exe   40
PID 1920 wrote to memory of 1748     1920   igfxCUIService.exe   40
PID 1920 wrote to memory of 1748     1920   igfxCUIService.exe   40
PID 1748 wrote to memory of 980      1748   cmd.exe              42
PID 1748 wrote to memory of 980      1748   cmd.exe              42
PID 1748 wrote to memory of 980      1748   cmd.exe              42
PID 1748 wrote to memory of 980      1748   cmd.exe              42
Processes
- C:\Users\Admin\AppData\Local\Temp\msg.exe (PID 1756, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\msg.exe"
  Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1396, level 2)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" copy 'C:\Users\Admin\AppData\Local\Temp\msg.exe' 'C:\ProgramData\SystemData\igfxCUIService.exe'
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - C:\ProgramData\SystemData\igfxCUIService.exe (PID 1920, level 2)
    Command line: "C:\ProgramData\SystemData\igfxCUIService.exe"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 972, level 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" getmac | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps1.txt' ; wmic path win32_physicalmedia get SerialNumber | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\temps2.txt'
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\getmac.exe (PID 1036, level 4)
        Command line: "C:\Windows\system32\getmac.exe"
        Signatures: none
      - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 956, level 4)
        Command line: "C:\Windows\System32\Wbem\WMIC.exe" path win32_physicalmedia get SerialNumber
        Signatures: Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1564, level 3)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $env:username | Out-File -Encoding 'Default' 'C:\ProgramData\SystemData\tempu.txt'
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\cmd.exe (PID 1748, level 3)
      Command line: "C:\Windows\System32\cmd.exe" /c wmic OS get Caption, CSDVersion, OSArchitecture, Version / value > "C:\ProgramData\SystemData\tempo1.txt" && type "C:\ProgramData\SystemData\tempo1.txt" > "C:\ProgramData\SystemData\tempo2.txt"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\Wbem\WMIC.exe (PID 980, level 4)
        Command line: wmic OS get Caption, CSDVersion, OSArchitecture, Version / value
        Signatures: Suspicious use of AdjustPrivilegeToken