joker | c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1

General

Target

c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
Size

873KB
MD5

ab562bdc1da3ca961409f742a10b2c69
SHA1

26f6d51b36b30066bb2802d47dc58f04e41f45ae
SHA256

c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1
SHA512

66cb18e0dad24ad7d3651b912d4cdd114d32de31ac72c1402143d2c90feab91474bcea59d279e27344ed439f70ea9a47949994fab98b17d15a3675fe6062ef79

Score

10^/10

joker infostealer trojan upx

Malware Config

Extracted

Family

joker

C2

http://guup.oss-cn-qingdao.aliyuncs.com

https://gutou.oss-cn-beijing.aliyuncs.com

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2112-132-0x0000000000400000-0x00000000009B8200-memory.dmp	upx
behavioral2/memory/2112-133-0x0000000000400000-0x00000000009B8200-memory.dmp	upx
behavioral2/files/0x0007000000022ecb-135.dat	upx
behavioral2/memory/2112-136-0x0000000000400000-0x00000000009B8200-memory.dmp	upx
behavioral2/memory/1868-137-0x0000000000400000-0x0000000000A0A200-memory.dmp	upx
behavioral2/memory/1868-139-0x0000000000400000-0x0000000000A0A200-memory.dmp	upx

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3463845317-933582289-45817732-1000\Control Panel\International\Geo\Nation	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: RenamesItself 2 IoCs

pid	Process
2112	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
2112	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2112	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
2112	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
2112	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
2112	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
2112	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
2112	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2112	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
2112	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
1868	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 1868	2112	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe	79
PID 2112 wrote to memory of 1868	2112	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe	79
PID 2112 wrote to memory of 1868	2112	c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe	79

C:\Users\Admin\AppData\Local\Temp\c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
"C:\Users\Admin\AppData\Local\Temp\c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: RenamesItself
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Users\Admin\AppData\Local\Temp\c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe
  "C:\Users\Admin\AppData\Local\Temp\c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe" ÃüÁîÆô¶¯
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1868

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\.rand

Filesize
13B

MD5
239ca7010c92e2d9242e47d1babfdc75

SHA1
fa6d16858c2c6f6f1734c34401386dc0c37b7a98

SHA256
4c23fd60f624f1dc003d165718e46281abc5dd7bd4868a96e609796c485ce118

SHA512
f4ec4d6d2f46efbb66ec54ffe468fe837c3bf2306babbddb4f368ca95b2fc2a8e08beb3231f710f427804b1cb0535515ccad618f9da54fc26badb3ea1fec1a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\c6b0027b5112f47d4c60a4012376a21a3952dcf518c4d0dd7b61b5e8655342e1.exe

Filesize
932KB

MD5
2447a92ed5a009e54a7c921a6eefb8cd

SHA1
17ebde5619b78ce5ebd6e6e0e8d979176cef0598

SHA256
96541e6297eebee96f17e551315a4633dd61d1ff661a0ac0247873ea98cf089e

SHA512
8a02ef1da48b02d118d92d8220002802a2b4c6bd0537dc559705d78b7dfee39ae091f7e376395e57d6c58e22bedc895d8f03732ccd99ed327d661fa8bcd0d47d

Download Submit
memory/1868-137-0x0000000000400000-0x0000000000A0A200-memory.dmp

Filesize
6.0MB

Download
memory/1868-139-0x0000000000400000-0x0000000000A0A200-memory.dmp

Filesize
6.0MB

Download
memory/2112-132-0x0000000000400000-0x00000000009B8200-memory.dmp

Filesize
5.7MB

Download
memory/2112-133-0x0000000000400000-0x00000000009B8200-memory.dmp

Filesize
5.7MB

Download
memory/2112-136-0x0000000000400000-0x00000000009B8200-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing