joker | f8fd8af179f1a0569216ad819a070b5ad16d8512e0b078563f20f831c828ffd3

Analysis

max time kernel
42s
max time network
46s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
09-08-2022 02:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aman_2.3.1.0806_1126.exe
Size

27.4MB
MD5

ddf0cd4a134f46857879d62d05e3c304
SHA1

ed1e96dcffc34d0f11851bde9cc3cbb9d0a4904f
SHA256

f8fd8af179f1a0569216ad819a070b5ad16d8512e0b078563f20f831c828ffd3
SHA512

ac867096fda2932d06f07379a99d0734ecfd8e301f79b568e5af4ecfca4f74213760edbbb9015259351f7ba0546aef8acb7d7b63879d5ea1966dcc500e83fc9f

Score

10^/10

joker infostealer trojan

Malware Config

Extracted

Family

joker

https://hw-gn.oss-accelerate.aliyuncs.com

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 1 IoCs

pid	Process
1488	Install.exe

Loads dropped DLL 7 IoCs

pid	Process
1208	Aman_2.3.1.0806_1126.exe
1208	Aman_2.3.1.0806_1126.exe
1208	Aman_2.3.1.0806_1126.exe
1208	Aman_2.3.1.0806_1126.exe
1488	Install.exe
1488	Install.exe
1488	Install.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 1488	1208	Aman_2.3.1.0806_1126.exe	28
PID 1208 wrote to memory of 1488	1208	Aman_2.3.1.0806_1126.exe	28
PID 1208 wrote to memory of 1488	1208	Aman_2.3.1.0806_1126.exe	28
PID 1208 wrote to memory of 1488	1208	Aman_2.3.1.0806_1126.exe	28
PID 1208 wrote to memory of 1488	1208	Aman_2.3.1.0806_1126.exe	28
PID 1208 wrote to memory of 1488	1208	Aman_2.3.1.0806_1126.exe	28
PID 1208 wrote to memory of 1488	1208	Aman_2.3.1.0806_1126.exe	28

C:\Users\Admin\AppData\Local\Temp\Aman_2.3.1.0806_1126.exe
"C:\Users\Admin\AppData\Local\Temp\Aman_2.3.1.0806_1126.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe

Filesize
367KB

MD5
e285df3666ea85ee23262bb1b0e9e2dc

SHA1
67c7484f0d5db30b87bac3ce9dba4123331eecef

SHA256
cbc0f4a2d8726e64313151372daeb354f2a6fbe6241d45e5410d134c3ca9362f

SHA512
a43b2ea9461de2a2948638fa2c2434afd44870693e57509c93b46e987cc996cc23889ca6fc3e285fcc9025e9c08adcf7114595e83bf58bb99866f326f3f4655b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Qt5Core.dll

Filesize
4.9MB

MD5
aa6ce2c97b80c323cbe9f86dbd6d263e

SHA1
089f6915aa650b0cc7dcc53a7e4365310523dd68

SHA256
85e29fd8a95f23a8af5ed0d0e93d18fcc30f95affbb75a1fcb20b873e8e5d8b0

SHA512
dd3e1684306624dbf0398021b1fa8833a348dec9271b5eb224c9a59877f832ce1aedb9c4f6ef84c061bf3585f3a5628e9f49296deab542b36ae3fa2230f3b417

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Qt5Gui.dll

Filesize
5.2MB

MD5
0906103e25f7349766fc6025c491aa5a

SHA1
350589ec1f12ba5f65afc263c10243e10a362287

SHA256
ba869785c14c4ace0924c123295a503a59cf90cc4da68e0c61c47187b3754fe6

SHA512
ab28b7c562a342c8cbc1dad5290c2c9d2e0678de871f8ae71163fdc6bd7458084481f84baeff3349f9f79c5f07fa3e20cea4553b163fcbec75709ddf599b808b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Qt5Widgets.dll

Filesize
4.4MB

MD5
07b30ed72326c030aae212224034bf28

SHA1
13283d6bd5e953a298ea2dd095bedb239dcd7961

SHA256
fae1cbde9e10955e8b0ff414e64020be20bf9d1d62e7c583b4510b60f363faf0

SHA512
228bf5d5adac1e6fb8eb4cdc75d60f44d1c81c2e5f44d1f04bb3929a06fc2ebbe33bc634a90d593d5892f75121d96a680fd988cb0b462bed82db7183c936fbf4

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe

Filesize
367KB

MD5
e285df3666ea85ee23262bb1b0e9e2dc

SHA1
67c7484f0d5db30b87bac3ce9dba4123331eecef

SHA256
cbc0f4a2d8726e64313151372daeb354f2a6fbe6241d45e5410d134c3ca9362f

SHA512
a43b2ea9461de2a2948638fa2c2434afd44870693e57509c93b46e987cc996cc23889ca6fc3e285fcc9025e9c08adcf7114595e83bf58bb99866f326f3f4655b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe

Filesize
367KB

MD5
e285df3666ea85ee23262bb1b0e9e2dc

SHA1
67c7484f0d5db30b87bac3ce9dba4123331eecef

SHA256
cbc0f4a2d8726e64313151372daeb354f2a6fbe6241d45e5410d134c3ca9362f

SHA512
a43b2ea9461de2a2948638fa2c2434afd44870693e57509c93b46e987cc996cc23889ca6fc3e285fcc9025e9c08adcf7114595e83bf58bb99866f326f3f4655b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe

Filesize
367KB

MD5
e285df3666ea85ee23262bb1b0e9e2dc

SHA1
67c7484f0d5db30b87bac3ce9dba4123331eecef

SHA256
cbc0f4a2d8726e64313151372daeb354f2a6fbe6241d45e5410d134c3ca9362f

SHA512
a43b2ea9461de2a2948638fa2c2434afd44870693e57509c93b46e987cc996cc23889ca6fc3e285fcc9025e9c08adcf7114595e83bf58bb99866f326f3f4655b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Install.exe

Filesize
367KB

MD5
e285df3666ea85ee23262bb1b0e9e2dc

SHA1
67c7484f0d5db30b87bac3ce9dba4123331eecef

SHA256
cbc0f4a2d8726e64313151372daeb354f2a6fbe6241d45e5410d134c3ca9362f

SHA512
a43b2ea9461de2a2948638fa2c2434afd44870693e57509c93b46e987cc996cc23889ca6fc3e285fcc9025e9c08adcf7114595e83bf58bb99866f326f3f4655b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Qt5Core.dll

Filesize
4.9MB

MD5
aa6ce2c97b80c323cbe9f86dbd6d263e

SHA1
089f6915aa650b0cc7dcc53a7e4365310523dd68

SHA256
85e29fd8a95f23a8af5ed0d0e93d18fcc30f95affbb75a1fcb20b873e8e5d8b0

SHA512
dd3e1684306624dbf0398021b1fa8833a348dec9271b5eb224c9a59877f832ce1aedb9c4f6ef84c061bf3585f3a5628e9f49296deab542b36ae3fa2230f3b417

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Qt5Gui.dll

Filesize
5.2MB

MD5
0906103e25f7349766fc6025c491aa5a

SHA1
350589ec1f12ba5f65afc263c10243e10a362287

SHA256
ba869785c14c4ace0924c123295a503a59cf90cc4da68e0c61c47187b3754fe6

SHA512
ab28b7c562a342c8cbc1dad5290c2c9d2e0678de871f8ae71163fdc6bd7458084481f84baeff3349f9f79c5f07fa3e20cea4553b163fcbec75709ddf599b808b

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Qt5Widgets.dll

Filesize
4.4MB

MD5
07b30ed72326c030aae212224034bf28

SHA1
13283d6bd5e953a298ea2dd095bedb239dcd7961

SHA256
fae1cbde9e10955e8b0ff414e64020be20bf9d1d62e7c583b4510b60f363faf0

SHA512
228bf5d5adac1e6fb8eb4cdc75d60f44d1c81c2e5f44d1f04bb3929a06fc2ebbe33bc634a90d593d5892f75121d96a680fd988cb0b462bed82db7183c936fbf4

Download Submit
memory/1208-54-0x00000000758D1000-0x00000000758D3000-memory.dmp

Filesize
8KB

Download