joker | 5a53ca7881f64f1d174f2fe9c152397d86ed5a508feb42d20ecf8b2623db7d61

Analysis

max time kernel
40s
max time network
47s
platform
windows7_x64
resource
win7-20220715-en
resource tags

arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system
submitted
02-08-2022 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5a53ca7881f64f1d174f2fe9c152397d86ed5a508feb42d20ecf8b2623db7d61.exe
Size

10.4MB
MD5

cd16ea3f3cd567c5a527a9adb968871b
SHA1

6d0ae7ccfbce12d2475c0ee771ce36040c64a4d8
SHA256

5a53ca7881f64f1d174f2fe9c152397d86ed5a508feb42d20ecf8b2623db7d61
SHA512

09e66c595eddfb497b1cab86397ffe7fed1ccf91919a6c3f1b860b32d4b729b2f332600b813f7fb39d32e2bd3eeeea65d899fd6051bdad811c60585e3362238d

Score

10^/10

joker bootkit evasion infostealer persistence trojan

Malware Config

Extracted

Family

joker

http://laoliehuo.oss-cn-hangzhou.aliyuncs.com

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker
Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Deletes itself 1 IoCs

pid	Process
1996	cmd.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PHYSICALDRIVE0	5a53ca7881f64f1d174f2fe9c152397d86ed5a508feb42d20ecf8b2623db7d61.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1632	SC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1932	5a53ca7881f64f1d174f2fe9c152397d86ed5a508feb42d20ecf8b2623db7d61.exe
1932	5a53ca7881f64f1d174f2fe9c152397d86ed5a508feb42d20ecf8b2623db7d61.exe
1932	5a53ca7881f64f1d174f2fe9c152397d86ed5a508feb42d20ecf8b2623db7d61.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	5a53ca7881f64f1d174f2fe9c152397d86ed5a508feb42d20ecf8b2623db7d61.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1932	5a53ca7881f64f1d174f2fe9c152397d86ed5a508feb42d20ecf8b2623db7d61.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 1632	1932	5a53ca7881f64f1d174f2fe9c152397d86ed5a508feb42d20ecf8b2623db7d61.exe	26
PID 1932 wrote to memory of 1632	1932	5a53ca7881f64f1d174f2fe9c152397d86ed5a508feb42d20ecf8b2623db7d61.exe	26
PID 1932 wrote to memory of 1632	1932	5a53ca7881f64f1d174f2fe9c152397d86ed5a508feb42d20ecf8b2623db7d61.exe	26
PID 1932 wrote to memory of 1632	1932	5a53ca7881f64f1d174f2fe9c152397d86ed5a508feb42d20ecf8b2623db7d61.exe	26
PID 1932 wrote to memory of 1996	1932	5a53ca7881f64f1d174f2fe9c152397d86ed5a508feb42d20ecf8b2623db7d61.exe	28
PID 1932 wrote to memory of 1996	1932	5a53ca7881f64f1d174f2fe9c152397d86ed5a508feb42d20ecf8b2623db7d61.exe	28
PID 1932 wrote to memory of 1996	1932	5a53ca7881f64f1d174f2fe9c152397d86ed5a508feb42d20ecf8b2623db7d61.exe	28
PID 1932 wrote to memory of 1996	1932	5a53ca7881f64f1d174f2fe9c152397d86ed5a508feb42d20ecf8b2623db7d61.exe	28

C:\Users\Admin\AppData\Local\Temp\5a53ca7881f64f1d174f2fe9c152397d86ed5a508feb42d20ecf8b2623db7d61.exe
"C:\Users\Admin\AppData\Local\Temp\5a53ca7881f64f1d174f2fe9c152397d86ed5a508feb42d20ecf8b2623db7d61.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\SysWOW64\SC.exe
  SC STOP MpsSvc
  2⤵
  - Launches sc.exe
  PID:1632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c .\delme.bat
  2⤵
  - Deletes itself
  PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\delme.bat

Filesize
438B

MD5
de78c86d0ac3ad364553a1338fa84bee

SHA1
188840a5afec5d9c9e92812d2a770afe21ad3c03

SHA256
2e273c0900701a3e5dccbbe9b5b09e325c0ab8af0a1d88bd0dc7520336a86dea

SHA512
8fd19cc34fde52767207e7cfe2f64a6521f759e12345c55e1a87c6d3db070c662cd6d01cbd9b2d139031dbc713163061d1b384fe15fb0df45def582066bed6aa

Download Submit
memory/1932-54-0x0000000076281000-0x0000000076283000-memory.dmp

Filesize
8KB

Download
memory/1932-55-0x0000000000400000-0x000000000067B000-memory.dmp

Filesize
2.5MB

Download
memory/1932-58-0x0000000000400000-0x000000000067B000-memory.dmp

Filesize
2.5MB

Download