joker | 1a33f9068e0231e2e283649948e95818168641c0dcde5ac59ffa8de5c0049381

Analysis

max time kernel
68s
max time network
162s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-08-2022 15:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

修改器/游戏.电影菜单.exe
Size

4.3MB
MD5

723fac5412b21bd330f029f25394940f
SHA1

518448403cbdc762981d04c1267f95cf1f3a7c81
SHA256

e4b04016d16b94c4822d501ccce906c2119bfe7f535b15985eb070af2aef6cf6
SHA512

54ca7b4fd23d5e2a6c23828aa54eac52f4931f94ecf4acd387e12917142287305035752d227e3cf746489fef9332e18437427b7efc667ce919d66fea95ae8af0
SSDEEP

98304:N8XJC/xyLVUuzA2aJQd2zd5KseDtdD6Pq9L9vnoPGWzC+2vIHD:NUJC2VUcamUpMT6yL9voPGCCLY

Score

10^/10

joker discovery infostealer trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Executes dropped EXE 2 IoCs

pid	Process
1336	游戏.电影菜单.tmp
1568	Games.exe

Loads dropped DLL 5 IoCs

pid	Process
1388	游戏.电影菜单.exe
1336	游戏.电影菜单.tmp
1336	游戏.电影菜单.tmp
1336	游戏.电影菜单.tmp
1336	游戏.电影菜单.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	Games.exe
File opened (read-only)	\??\W:	Games.exe
File opened (read-only)	\??\X:	Games.exe
File opened (read-only)	\??\E:	Games.exe
File opened (read-only)	\??\G:	Games.exe
File opened (read-only)	\??\I:	Games.exe
File opened (read-only)	\??\J:	Games.exe
File opened (read-only)	\??\K:	Games.exe
File opened (read-only)	\??\Z:	Games.exe
File opened (read-only)	\??\V:	Games.exe
File opened (read-only)	\??\Y:	Games.exe
File opened (read-only)	\??\A:	Games.exe
File opened (read-only)	\??\B:	Games.exe
File opened (read-only)	\??\P:	Games.exe
File opened (read-only)	\??\Q:	Games.exe
File opened (read-only)	\??\S:	Games.exe
File opened (read-only)	\??\H:	Games.exe
File opened (read-only)	\??\M:	Games.exe
File opened (read-only)	\??\N:	Games.exe
File opened (read-only)	\??\O:	Games.exe
File opened (read-only)	\??\F:	Games.exe
File opened (read-only)	\??\R:	Games.exe
File opened (read-only)	\??\T:	Games.exe
File opened (read-only)	\??\U:	Games.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1336	游戏.电影菜单.tmp
1336	游戏.电影菜单.tmp

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1568	Games.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1336	游戏.电影菜单.tmp

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1388 wrote to memory of 1336	1388	游戏.电影菜单.exe	26
PID 1388 wrote to memory of 1336	1388	游戏.电影菜单.exe	26
PID 1388 wrote to memory of 1336	1388	游戏.电影菜单.exe	26
PID 1388 wrote to memory of 1336	1388	游戏.电影菜单.exe	26
PID 1388 wrote to memory of 1336	1388	游戏.电影菜单.exe	26
PID 1388 wrote to memory of 1336	1388	游戏.电影菜单.exe	26
PID 1388 wrote to memory of 1336	1388	游戏.电影菜单.exe	26
PID 1336 wrote to memory of 1568	1336	游戏.电影菜单.tmp	28
PID 1336 wrote to memory of 1568	1336	游戏.电影菜单.tmp	28
PID 1336 wrote to memory of 1568	1336	游戏.电影菜单.tmp	28
PID 1336 wrote to memory of 1568	1336	游戏.电影菜单.tmp	28

C:\Users\Admin\AppData\Local\Temp\修改器\游戏.电影菜单.exe
"C:\Users\Admin\AppData\Local\Temp\修改器\游戏.电影菜单.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\is-1R5PD.tmp\游戏.电影菜单.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-1R5PD.tmp\游戏.电影菜单.tmp" /SL5="$60120,4060808,153088,C:\Users\Admin\AppData\Local\Temp\修改器\游戏.电影菜单.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1336
- - C:\Users\Admin\AppData\Local\Temp\修改器\Games.exe
    "C:\Users\Admin\AppData\Local\Temp\修改器\Games.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:1568

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-1R5PD.tmp\游戏.电影菜单.tmp

Filesize
1.5MB

MD5
f0c35c57e05395958aef0812955f36cd

SHA1
5e64b5e29f84e00cfbb8eb20a213fbfd8e6efc5b

SHA256
564c1ba7f298bebeb0cd299f0d157816f5ee4fa0fcd85ad8478f6b0ce6ee5e32

SHA512
f7b7f7999cd659ea011ddd18e73068d7fb444f6e559aaf568f4d252033980e0b7ab9e2f10a028d763f62035aad816391e26910fd446a7c1d80db23288555118f

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-1R5PD.tmp\游戏.电影菜单.tmp

Filesize
1.5MB

MD5
f0c35c57e05395958aef0812955f36cd

SHA1
5e64b5e29f84e00cfbb8eb20a213fbfd8e6efc5b

SHA256
564c1ba7f298bebeb0cd299f0d157816f5ee4fa0fcd85ad8478f6b0ce6ee5e32

SHA512
f7b7f7999cd659ea011ddd18e73068d7fb444f6e559aaf568f4d252033980e0b7ab9e2f10a028d763f62035aad816391e26910fd446a7c1d80db23288555118f

Download Submit
C:\Users\Admin\AppData\Local\Temp\修改器\Games.exe

Filesize
18.7MB

MD5
ec4fa2304daf43d2230c85ec365f58c7

SHA1
0adffbbd3e7f0dbd3dccdd6c6ab6365c74ec972b

SHA256
ac8bb80c4e75c03dfbaab50f00f5e921affc3e28636755f95dc37b538f4c9628

SHA512
79bcd6ce4da5864d496e85d1c3c87b2986489b20631a183fb4f915e4345fd9fa1025ad9d53dd94bce11f3ac4154f4283a7783ae7423390baa0789859fb285331

Download Submit
C:\Users\Admin\AppData\Local\Temp\修改器\Games.exe

Filesize
18.7MB

MD5
ec4fa2304daf43d2230c85ec365f58c7

SHA1
0adffbbd3e7f0dbd3dccdd6c6ab6365c74ec972b

SHA256
ac8bb80c4e75c03dfbaab50f00f5e921affc3e28636755f95dc37b538f4c9628

SHA512
79bcd6ce4da5864d496e85d1c3c87b2986489b20631a183fb4f915e4345fd9fa1025ad9d53dd94bce11f3ac4154f4283a7783ae7423390baa0789859fb285331

Download Submit
\Users\Admin\AppData\Local\Temp\is-0EF1V.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-0EF1V.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-1R5PD.tmp\游戏.电影菜单.tmp

Filesize
1.5MB

MD5
f0c35c57e05395958aef0812955f36cd

SHA1
5e64b5e29f84e00cfbb8eb20a213fbfd8e6efc5b

SHA256
564c1ba7f298bebeb0cd299f0d157816f5ee4fa0fcd85ad8478f6b0ce6ee5e32

SHA512
f7b7f7999cd659ea011ddd18e73068d7fb444f6e559aaf568f4d252033980e0b7ab9e2f10a028d763f62035aad816391e26910fd446a7c1d80db23288555118f

Download Submit
\Users\Admin\AppData\Local\Temp\修改器\Games.exe

Filesize
18.7MB

MD5
ec4fa2304daf43d2230c85ec365f58c7

SHA1
0adffbbd3e7f0dbd3dccdd6c6ab6365c74ec972b

SHA256
ac8bb80c4e75c03dfbaab50f00f5e921affc3e28636755f95dc37b538f4c9628

SHA512
79bcd6ce4da5864d496e85d1c3c87b2986489b20631a183fb4f915e4345fd9fa1025ad9d53dd94bce11f3ac4154f4283a7783ae7423390baa0789859fb285331

Download Submit
\Users\Admin\AppData\Local\Temp\修改器\Games.exe

Filesize
18.7MB

MD5
ec4fa2304daf43d2230c85ec365f58c7

SHA1
0adffbbd3e7f0dbd3dccdd6c6ab6365c74ec972b

SHA256
ac8bb80c4e75c03dfbaab50f00f5e921affc3e28636755f95dc37b538f4c9628

SHA512
79bcd6ce4da5864d496e85d1c3c87b2986489b20631a183fb4f915e4345fd9fa1025ad9d53dd94bce11f3ac4154f4283a7783ae7423390baa0789859fb285331

Download Submit
memory/1336-64-0x0000000074D21000-0x0000000074D23000-memory.dmp

Filesize
8KB

Download
memory/1388-67-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1388-72-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1388-54-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1388-57-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1388-55-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1568-77-0x0000000000320000-0x000000000032A000-memory.dmp

Filesize
40KB

Download
memory/1568-86-0x0000000000730000-0x0000000000738000-memory.dmp

Filesize
32KB

Download
memory/1568-75-0x0000000005F20000-0x0000000006546000-memory.dmp

Filesize
6.1MB

Download
memory/1568-76-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/1568-78-0x0000000006690000-0x0000000006740000-memory.dmp

Filesize
704KB

Download
memory/1568-79-0x0000000000410000-0x0000000000432000-memory.dmp

Filesize
136KB

Download
memory/1568-80-0x0000000000460000-0x0000000000470000-memory.dmp

Filesize
64KB

Download
memory/1568-81-0x0000000000470000-0x0000000000478000-memory.dmp

Filesize
32KB

Download
memory/1568-82-0x0000000000700000-0x0000000000732000-memory.dmp

Filesize
200KB

Download
memory/1568-83-0x0000000006740000-0x000000000688E000-memory.dmp

Filesize
1.3MB

Download
memory/1568-84-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/1568-85-0x00000000004E0000-0x00000000004EA000-memory.dmp

Filesize
40KB

Download
memory/1568-73-0x0000000001110000-0x00000000023D0000-memory.dmp

Filesize
18.8MB

Download
memory/1568-87-0x0000000000A20000-0x0000000000A28000-memory.dmp

Filesize
32KB

Download
memory/1568-88-0x0000000000A30000-0x0000000000A38000-memory.dmp

Filesize
32KB

Download
memory/1568-89-0x0000000000A40000-0x0000000000A48000-memory.dmp

Filesize
32KB

Download
memory/1568-90-0x0000000000B90000-0x0000000000B98000-memory.dmp

Filesize
32KB

Download
memory/1568-91-0x0000000000BA0000-0x0000000000BA8000-memory.dmp

Filesize
32KB

Download
memory/1568-92-0x0000000000BB0000-0x0000000000BB8000-memory.dmp

Filesize
32KB

Download
memory/1568-93-0x0000000000BD0000-0x0000000000BD8000-memory.dmp

Filesize
32KB

Download
memory/1568-94-0x0000000000E10000-0x0000000000E1A000-memory.dmp

Filesize
40KB

Download
memory/1568-95-0x0000000000E10000-0x0000000000E1A000-memory.dmp

Filesize
40KB

Download
memory/1568-96-0x0000000000E25000-0x0000000000E36000-memory.dmp

Filesize
68KB

Download
memory/1568-97-0x0000000005BA0000-0x0000000005BA8000-memory.dmp

Filesize
32KB

Download
memory/1568-98-0x0000000000E10000-0x0000000000E1A000-memory.dmp

Filesize
40KB

Download
memory/1568-99-0x0000000000E25000-0x0000000000E36000-memory.dmp

Filesize
68KB

Download