joker | 73985908413b4cda64f15b6fb02e9f59d5a6fab19d36a155e9e40da99edd35c3

General

Target

73985908413b4cda64f15b6fb02e9f59d5a6fab19d36a155e9e40da99edd35c3.exe
Size

5.3MB
MD5

0a735d01ea6deb01af0d28ec831460a5
SHA1

9195bf9b019972add40196954ba2f029c75c71f0
SHA256

73985908413b4cda64f15b6fb02e9f59d5a6fab19d36a155e9e40da99edd35c3
SHA512

f95ece9d7b9efef4c31058c09b491959961a07995e4a11530fcce7c9de41158a8e9f775b8ddf1b6db4bcf939926f40f7ba6f0c341d37a0c4b120cba474c78000

Score

10^/10

joker infostealer trojan

Malware Config

Extracted

Family

joker

C2

https://googleupdate.oss-cn-hangzhou.aliyuncs.com

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4776	HipsMain.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation	73985908413b4cda64f15b6fb02e9f59d5a6fab19d36a155e9e40da99edd35c3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

GoLang User-Agent 1 IoCs

Uses default user-agent string defined by GoLang HTTP packages.

description	flow	ioc
HTTP User-Agent header	57	Go-http-client/1.1

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000_Classes\Local Settings	73985908413b4cda64f15b6fb02e9f59d5a6fab19d36a155e9e40da99edd35c3.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4508	WINWORD.EXE
4508	WINWORD.EXE

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
2480	73985908413b4cda64f15b6fb02e9f59d5a6fab19d36a155e9e40da99edd35c3.exe
4508	WINWORD.EXE
4508	WINWORD.EXE
4508	WINWORD.EXE
4508	WINWORD.EXE
4508	WINWORD.EXE
4508	WINWORD.EXE
4508	WINWORD.EXE
4508	WINWORD.EXE
4508	WINWORD.EXE
4508	WINWORD.EXE
4508	WINWORD.EXE
4508	WINWORD.EXE
4508	WINWORD.EXE
4508	WINWORD.EXE
4508	WINWORD.EXE
4508	WINWORD.EXE
4508	WINWORD.EXE
4508	WINWORD.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2480 wrote to memory of 4508	2480	73985908413b4cda64f15b6fb02e9f59d5a6fab19d36a155e9e40da99edd35c3.exe	83
PID 2480 wrote to memory of 4508	2480	73985908413b4cda64f15b6fb02e9f59d5a6fab19d36a155e9e40da99edd35c3.exe	83
PID 2480 wrote to memory of 4776	2480	73985908413b4cda64f15b6fb02e9f59d5a6fab19d36a155e9e40da99edd35c3.exe	84
PID 2480 wrote to memory of 4776	2480	73985908413b4cda64f15b6fb02e9f59d5a6fab19d36a155e9e40da99edd35c3.exe	84

C:\Users\Admin\AppData\Local\Temp\73985908413b4cda64f15b6fb02e9f59d5a6fab19d36a155e9e40da99edd35c3.exe
"C:\Users\Admin\AppData\Local\Temp\73985908413b4cda64f15b6fb02e9f59d5a6fab19d36a155e9e40da99edd35c3.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2480
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Windows\Temp\word.doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4508
- C:\Users\Public\Downloads\HipsMain.exe
  "C:\Users\Public\Downloads\HipsMain.exe" .qbtt Sfe tp/fyf tp3/fyf
  2⤵
  - Executes dropped EXE
  PID:4776

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\26FAECAB15AD715CB7849E2211F9473B

Filesize
1KB

MD5
ddcf1be9dda4ac02d83e35d82bc37e86

SHA1
d260669c4c6e6a81d7df6b80bbac83832afec7ba

SHA256
3c6a00d5db8ac6a4cd2e66dde1fa4a54a1191c78ec916c98c7659286a1f32e2d

SHA512
8c2036fba1a390e763f34dda148d040a415fcc8bc8dbb025cecf5f495dad720212314b5e9277bd5964122e9bb9605fa1299ff7397902e71c461cfc42561b2563

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

Filesize
1KB

MD5
ffe5057b57693f1b76ef6f98bef8b528

SHA1
c3a84a6481a6b41b9bb5172f43ed1afa44d00a7d

SHA256
d9767b34f95cee0652d44c5cf14a0ea005bbebc5c09ab8d881c863e7bcfe351a

SHA512
e6e51b43f6871a861891c49c6f03492b21eeb491ff06a09cf9e744355840c2c33365ce0dfc15b60e278ff13fb3c27a57d138f9a640edf540699f5cb142697aef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\26FAECAB15AD715CB7849E2211F9473B

Filesize
230B

MD5
b3ecf502eb2b9f280d036c851f437b4a

SHA1
8e48cd6ebcd23d12406dce50551770a966640856

SHA256
81ab9c3a60396529b9c2a5a7cbaead6a50cdf91f3a84729028ca52375550bd5b

SHA512
ae247c7da70dbdd9b6624e1a9524cc130483d8ee817030393d6cbdede5610ec3d9775bdf17ff9f77e20bbaf44e6cb78c76086fdb63d8b11c6d125e6e695b093a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

Filesize
492B

MD5
459aced7e1966c402d9ae121c8bd82b2

SHA1
7ef1a73185555f4126d240a4421b63c950e68f12

SHA256
46d14a3ed635d7da3bbf5549c52d206fd75876096c45d2cb91a8abd98ac38db1

SHA512
2cf76cf4e584a9f8cfca8f1688c915dc7ccb428a07ab7bf7e84bb4c571154a2b7e9bf9131e47c9d7d14fe8cd8cd3020ab1fa35b9bc4718c8ab8315160a6dcf1e

Download Submit
C:\Users\Public\Downloads\HipsMain.exe

Filesize
99KB

MD5
47f50639284044b6bec3810a8bb868c9

SHA1
45f25bc4ff6dfda9309251212792c0c963d1ae0e

SHA256
b074c3558da627a4c8ec43102b8630fccdd882c1b5f4631e92c654cbca9c478e

SHA512
d2bd265a82334a4464cad79261d2a9950e66c7f3e606b2d8df3332b325a0c9684216d439b96b2b5cd6de1ff3e4d9535530fa62a6a13c8c30525d6a77c55ca061

Download Submit
C:\Users\Public\Downloads\HipsMain.exe

Filesize
99KB

MD5
47f50639284044b6bec3810a8bb868c9

SHA1
45f25bc4ff6dfda9309251212792c0c963d1ae0e

SHA256
b074c3558da627a4c8ec43102b8630fccdd882c1b5f4631e92c654cbca9c478e

SHA512
d2bd265a82334a4464cad79261d2a9950e66c7f3e606b2d8df3332b325a0c9684216d439b96b2b5cd6de1ff3e4d9535530fa62a6a13c8c30525d6a77c55ca061

Download Submit
C:\Windows\Temp\word.doc

Filesize
21KB

MD5
9ce7d42b72c557326b42a2d90c2d8e63

SHA1
8e38997043453854260c4d85c200922d7796b439

SHA256
93c22ab0c86577f815bcaacaf1da886fd3c25b2881b3d42db804e5fe78e79c79

SHA512
592eb6c97cb40d87414efadfa65711d15b5ed0e68d8e624251beb1dce7d0c78b0258fbcad78b8f92e06f82cbcb0dca073e75d38b6684b9b6a632b65c093b3d5c

Download Submit
memory/4508-150-0x00007FFB44010000-0x00007FFB44020000-memory.dmp

Filesize
64KB

Download
memory/4508-139-0x00007FFB44010000-0x00007FFB44020000-memory.dmp

Filesize
64KB

Download
memory/4508-140-0x00007FFB44010000-0x00007FFB44020000-memory.dmp

Filesize
64KB

Download
memory/4508-144-0x00007FFB41A60000-0x00007FFB41A70000-memory.dmp

Filesize
64KB

Download
memory/4508-142-0x00007FFB44010000-0x00007FFB44020000-memory.dmp

Filesize
64KB

Download
memory/4508-138-0x00007FFB44010000-0x00007FFB44020000-memory.dmp

Filesize
64KB

Download
memory/4508-143-0x00007FFB41A60000-0x00007FFB41A70000-memory.dmp

Filesize
64KB

Download
memory/4508-141-0x00007FFB44010000-0x00007FFB44020000-memory.dmp

Filesize
64KB

Download
memory/4508-153-0x00007FFB44010000-0x00007FFB44020000-memory.dmp

Filesize
64KB

Download
memory/4508-152-0x00007FFB44010000-0x00007FFB44020000-memory.dmp

Filesize
64KB

Download
memory/4508-151-0x00007FFB44010000-0x00007FFB44020000-memory.dmp

Filesize
64KB

Download
memory/4776-148-0x0000000000400000-0x0000000000AE3000-memory.dmp

Filesize
6.9MB

Download
memory/4776-147-0x0000000000400000-0x0000000000AE3000-memory.dmp

Filesize
6.9MB

Download
memory/4776-146-0x00000200D7BD0000-0x00000200D824E000-memory.dmp

Filesize
6.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads