joker | f01423868e8cfd624a899be442880d06bc0d30dff43b8a104276ea5400fe75fd

Analysis

max time kernel
72s
max time network
144s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
13-09-2022 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f01423868e8cfd624a899be442880d06bc0d30dff43b8a104276ea5400fe75fd.dll
Size

441KB
MD5

28b46ec57a5718f69d3d4f6be0734bff
SHA1

33f3969772bb028973142b53df2ab4bf665cc9f8
SHA256

f01423868e8cfd624a899be442880d06bc0d30dff43b8a104276ea5400fe75fd
SHA512

da054bf34e54fb89fb280ce32966b21c37563231b3e23d9c92e38ae2b524fedd799ebb6ec4cba4b110ad90738f085cae7349fdfd6591b39f1f78fa14ef887456
SSDEEP

12288:ivk20fZkckJ+bFw3qlne22jdMuYeqWuC7kqL:sP0fZ+Juln5AMuk

Score

10^/10

joker purplefox infostealer rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 3 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral1/memory/1776-81-0x0000000010000000-0x00000000101BA000-memory.dmp	purplefox_rootkit
behavioral1/memory/1776-85-0x0000000000400000-0x000000000055C000-memory.dmp	purplefox_rootkit
behavioral1/memory/1776-88-0x0000000000400000-0x000000000055C000-memory.dmp	purplefox_rootkit

PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker
Blocklisted process makes network request 1 IoCs

Processes:

rundll32.exe

flow pid process

2 1188 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 3 IoCs

Processes:

server.exePaiPai.exeSetupUpdate.exe

pid process

1240 server.exe
432 PaiPai.exe
1776 SetupUpdate.exe
Loads dropped DLL 8 IoCs

Processes:

rundll32.exePaiPai.exeSetupUpdate.exe

pid process

1188 rundll32.exe
1188 rundll32.exe
1188 rundll32.exe
432 PaiPai.exe
432 PaiPai.exe
1776 SetupUpdate.exe
1776 SetupUpdate.exe
1776 SetupUpdate.exe

flow	pid	process
2	1188	rundll32.exe

pid	process
1240	server.exe
432	PaiPai.exe
1776	SetupUpdate.exe

pid	process
1188	rundll32.exe
1188	rundll32.exe
1188	rundll32.exe
432	PaiPai.exe
432	PaiPai.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SetupUpdate.exe

description	ioc	process
File opened (read-only)	\??\L:	SetupUpdate.exe
File opened (read-only)	\??\X:	SetupUpdate.exe
File opened (read-only)	\??\K:	SetupUpdate.exe
File opened (read-only)	\??\N:	SetupUpdate.exe
File opened (read-only)	\??\P:	SetupUpdate.exe
File opened (read-only)	\??\U:	SetupUpdate.exe
File opened (read-only)	\??\Z:	SetupUpdate.exe
File opened (read-only)	\??\E:	SetupUpdate.exe
File opened (read-only)	\??\I:	SetupUpdate.exe
File opened (read-only)	\??\G:	SetupUpdate.exe
File opened (read-only)	\??\J:	SetupUpdate.exe
File opened (read-only)	\??\O:	SetupUpdate.exe
File opened (read-only)	\??\R:	SetupUpdate.exe
File opened (read-only)	\??\S:	SetupUpdate.exe
File opened (read-only)	\??\B:	SetupUpdate.exe
File opened (read-only)	\??\F:	SetupUpdate.exe
File opened (read-only)	\??\Q:	SetupUpdate.exe
File opened (read-only)	\??\T:	SetupUpdate.exe
File opened (read-only)	\??\V:	SetupUpdate.exe
File opened (read-only)	\??\W:	SetupUpdate.exe
File opened (read-only)	\??\Y:	SetupUpdate.exe
File opened (read-only)	\??\H:	SetupUpdate.exe
File opened (read-only)	\??\M:	SetupUpdate.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

PaiPai.exe

description pid process target process

PID 432 set thread context of 1776 432 PaiPai.exe SetupUpdate.exe

description	pid	process	target process
PID 432 set thread context of 1776	432	PaiPai.exe	SetupUpdate.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SetupUpdate.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	SetupUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	SetupUpdate.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

SetupUpdate.exe

pid	process
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe
1776	SetupUpdate.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

rundll32.exerundll32.exePaiPai.exe

description	pid	process	target process
PID 1060 wrote to memory of 1188	1060	rundll32.exe	rundll32.exe
PID 1060 wrote to memory of 1188	1060	rundll32.exe	rundll32.exe
PID 1060 wrote to memory of 1188	1060	rundll32.exe	rundll32.exe
PID 1060 wrote to memory of 1188	1060	rundll32.exe	rundll32.exe
PID 1060 wrote to memory of 1188	1060	rundll32.exe	rundll32.exe
PID 1060 wrote to memory of 1188	1060	rundll32.exe	rundll32.exe
PID 1060 wrote to memory of 1188	1060	rundll32.exe	rundll32.exe
PID 1188 wrote to memory of 1240	1188	rundll32.exe	server.exe
PID 1188 wrote to memory of 1240	1188	rundll32.exe	server.exe
PID 1188 wrote to memory of 1240	1188	rundll32.exe	server.exe
PID 1188 wrote to memory of 1240	1188	rundll32.exe	server.exe
PID 1188 wrote to memory of 432	1188	rundll32.exe	PaiPai.exe
PID 1188 wrote to memory of 432	1188	rundll32.exe	PaiPai.exe
PID 1188 wrote to memory of 432	1188	rundll32.exe	PaiPai.exe
PID 1188 wrote to memory of 432	1188	rundll32.exe	PaiPai.exe
PID 432 wrote to memory of 1776	432	PaiPai.exe	SetupUpdate.exe
PID 432 wrote to memory of 1776	432	PaiPai.exe	SetupUpdate.exe
PID 432 wrote to memory of 1776	432	PaiPai.exe	SetupUpdate.exe
PID 432 wrote to memory of 1776	432	PaiPai.exe	SetupUpdate.exe
PID 432 wrote to memory of 1776	432	PaiPai.exe	SetupUpdate.exe
PID 432 wrote to memory of 1776	432	PaiPai.exe	SetupUpdate.exe
PID 432 wrote to memory of 1776	432	PaiPai.exe	SetupUpdate.exe
PID 432 wrote to memory of 1776	432	PaiPai.exe	SetupUpdate.exe
PID 432 wrote to memory of 1776	432	PaiPai.exe	SetupUpdate.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f01423868e8cfd624a899be442880d06bc0d30dff43b8a104276ea5400fe75fd.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:1060

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\f01423868e8cfd624a899be442880d06bc0d30dff43b8a104276ea5400fe75fd.dll,#1
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1188

C:\Users\Public\server.exe
C:\Users\Public\server.exe
3⤵
- Executes dropped EXE
PID:1240

C:\Users\Public\Downloads\PaiPai.exe
C:\Users\Public\Downloads\PaiPai.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:432

C:\Users\Public\Downloads\SetupUpdate.exe
C:\Users\Public\Downloads\SetupUpdate.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1776

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\Downloads\FreeImage.dll
Filesize
1.9MB

MD5
cb2f7be9029cd9a155b4de88334182b3

SHA1
6f52c2cfa5438ab4892755a4637bf3db36f464f3

SHA256
eb18fec61a505b13a398e745c5c2c3f4e2c70316692c1634afcd4e0c9b45b23f

SHA512
6fc83ae5d8f8115a89e0fc98364fd2f87c3d6b68cb8bc36cccf2766082c8656da754f8c0fd97f1db9620d7fa48de9b16262c410db2b9807de1c8197ffc194fdc

Download Submit
C:\Users\Public\Downloads\PaiPai.exe
Filesize
1.6MB

MD5
a0dca29a7d5486db22560b29c25a184d

SHA1
270b01b7ee6f7b400ee69720868c91b06218855d

SHA256
91987f25299e15b57827ede9d3e04375650bf4f9803a2789aee43001f3926b71

SHA512
e07fd297c6032c415f80df0293d8b2c6d9e4b45ba8e78d4159961dec834e0003752431b9558e7b7f98a4cee6c0112de741ccdf75457af68cacfcc042ae7fc4b6

Download Submit
C:\Users\Public\Downloads\PaiPai.exe
Filesize
1.6MB

MD5
a0dca29a7d5486db22560b29c25a184d

SHA1
270b01b7ee6f7b400ee69720868c91b06218855d

SHA256
91987f25299e15b57827ede9d3e04375650bf4f9803a2789aee43001f3926b71

SHA512
e07fd297c6032c415f80df0293d8b2c6d9e4b45ba8e78d4159961dec834e0003752431b9558e7b7f98a4cee6c0112de741ccdf75457af68cacfcc042ae7fc4b6

Download Submit
C:\Users\Public\Downloads\SetupUpdate.exe
Filesize
420KB

MD5
e77d03a9f6d154a18657bab939312fb5

SHA1
834d04400dd6c09a0ef0aa98763127972f4b2b66

SHA256
f98f400c001eb2e5f4cef50379c62ea82cb6065755a03b4615cb30a12d6bbd4f

SHA512
be0f10ea3cff755a34c0ab2cc3b84058e1def4cab6eb49d3f7b903f245ed5e413215e5df73aad0dbc54001b4f1eacc15275e78abcb5e0f844840a01e596153a6

Download Submit
C:\Users\Public\Downloads\SetupUpdate.exe
Filesize
420KB

MD5
e77d03a9f6d154a18657bab939312fb5

SHA1
834d04400dd6c09a0ef0aa98763127972f4b2b66

SHA256
f98f400c001eb2e5f4cef50379c62ea82cb6065755a03b4615cb30a12d6bbd4f

SHA512
be0f10ea3cff755a34c0ab2cc3b84058e1def4cab6eb49d3f7b903f245ed5e413215e5df73aad0dbc54001b4f1eacc15275e78abcb5e0f844840a01e596153a6

Download Submit
C:\Users\Public\server.exe
Filesize
2.7MB

MD5
10e8774916d82a34156e1d0ed8bd7c5d

SHA1
835929854ac44529ef68788e55a68ec7c00a81f9

SHA256
a95b756fe3ec40a51a9e1b15e1fdfcc34d3c1c50d0b0d35bce19abab2239cfa8

SHA512
f01ab5f7483915305f8c182643d39b087c0c1a6c5ef97015fb67176e980c0754a490492d3295a598ff56f82354963ed8ec80f933ac6404dcf4b0b88cfd36905e

Download Submit
C:\Users\Public\server.exe
Filesize
2.7MB

MD5
10e8774916d82a34156e1d0ed8bd7c5d

SHA1
835929854ac44529ef68788e55a68ec7c00a81f9

SHA256
a95b756fe3ec40a51a9e1b15e1fdfcc34d3c1c50d0b0d35bce19abab2239cfa8

SHA512
f01ab5f7483915305f8c182643d39b087c0c1a6c5ef97015fb67176e980c0754a490492d3295a598ff56f82354963ed8ec80f933ac6404dcf4b0b88cfd36905e

Download Submit
\Users\Public\Downloads\FreeImage.dll
Filesize
1.9MB

MD5
cb2f7be9029cd9a155b4de88334182b3

SHA1
6f52c2cfa5438ab4892755a4637bf3db36f464f3

SHA256
eb18fec61a505b13a398e745c5c2c3f4e2c70316692c1634afcd4e0c9b45b23f

SHA512
6fc83ae5d8f8115a89e0fc98364fd2f87c3d6b68cb8bc36cccf2766082c8656da754f8c0fd97f1db9620d7fa48de9b16262c410db2b9807de1c8197ffc194fdc

Download Submit
\Users\Public\Downloads\PaiPai.exe
Filesize
1.6MB

MD5
a0dca29a7d5486db22560b29c25a184d

SHA1
270b01b7ee6f7b400ee69720868c91b06218855d

SHA256
91987f25299e15b57827ede9d3e04375650bf4f9803a2789aee43001f3926b71

SHA512
e07fd297c6032c415f80df0293d8b2c6d9e4b45ba8e78d4159961dec834e0003752431b9558e7b7f98a4cee6c0112de741ccdf75457af68cacfcc042ae7fc4b6

Download Submit
\Users\Public\Downloads\PaiPai.exe
Filesize
1.6MB

MD5
a0dca29a7d5486db22560b29c25a184d

SHA1
270b01b7ee6f7b400ee69720868c91b06218855d

SHA256
91987f25299e15b57827ede9d3e04375650bf4f9803a2789aee43001f3926b71

SHA512
e07fd297c6032c415f80df0293d8b2c6d9e4b45ba8e78d4159961dec834e0003752431b9558e7b7f98a4cee6c0112de741ccdf75457af68cacfcc042ae7fc4b6

Download Submit
\Users\Public\Downloads\SetupUpdate.exe
Filesize
420KB

MD5
e77d03a9f6d154a18657bab939312fb5

SHA1
834d04400dd6c09a0ef0aa98763127972f4b2b66

SHA256
f98f400c001eb2e5f4cef50379c62ea82cb6065755a03b4615cb30a12d6bbd4f

SHA512
be0f10ea3cff755a34c0ab2cc3b84058e1def4cab6eb49d3f7b903f245ed5e413215e5df73aad0dbc54001b4f1eacc15275e78abcb5e0f844840a01e596153a6

Download Submit
\Users\Public\Downloads\SetupUpdate.exe
Filesize
420KB

MD5
e77d03a9f6d154a18657bab939312fb5

SHA1
834d04400dd6c09a0ef0aa98763127972f4b2b66

SHA256
f98f400c001eb2e5f4cef50379c62ea82cb6065755a03b4615cb30a12d6bbd4f

SHA512
be0f10ea3cff755a34c0ab2cc3b84058e1def4cab6eb49d3f7b903f245ed5e413215e5df73aad0dbc54001b4f1eacc15275e78abcb5e0f844840a01e596153a6

Download Submit
\Users\Public\Downloads\SetupUpdate.exe
Filesize
420KB

MD5
e77d03a9f6d154a18657bab939312fb5

SHA1
834d04400dd6c09a0ef0aa98763127972f4b2b66

SHA256
f98f400c001eb2e5f4cef50379c62ea82cb6065755a03b4615cb30a12d6bbd4f

SHA512
be0f10ea3cff755a34c0ab2cc3b84058e1def4cab6eb49d3f7b903f245ed5e413215e5df73aad0dbc54001b4f1eacc15275e78abcb5e0f844840a01e596153a6

Download Submit
\Users\Public\Downloads\SetupUpdate.exe
Filesize
420KB

MD5
e77d03a9f6d154a18657bab939312fb5

SHA1
834d04400dd6c09a0ef0aa98763127972f4b2b66

SHA256
f98f400c001eb2e5f4cef50379c62ea82cb6065755a03b4615cb30a12d6bbd4f

SHA512
be0f10ea3cff755a34c0ab2cc3b84058e1def4cab6eb49d3f7b903f245ed5e413215e5df73aad0dbc54001b4f1eacc15275e78abcb5e0f844840a01e596153a6

Download Submit
\Users\Public\server.exe
Filesize
2.7MB

MD5
10e8774916d82a34156e1d0ed8bd7c5d

SHA1
835929854ac44529ef68788e55a68ec7c00a81f9

SHA256
a95b756fe3ec40a51a9e1b15e1fdfcc34d3c1c50d0b0d35bce19abab2239cfa8

SHA512
f01ab5f7483915305f8c182643d39b087c0c1a6c5ef97015fb67176e980c0754a490492d3295a598ff56f82354963ed8ec80f933ac6404dcf4b0b88cfd36905e

Download Submit
memory/432-64-0x0000000000000000-mapping.dmp

Download
memory/1188-54-0x0000000000000000-mapping.dmp

Download
memory/1188-55-0x0000000074DC1000-0x0000000074DC3000-memory.dmp

Filesize
8KB

Download
memory/1240-57-0x0000000000000000-mapping.dmp

Download
memory/1776-74-0x0000000000551CE1-mapping.dmp

Download
memory/1776-73-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1776-71-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1776-81-0x0000000010000000-0x00000000101BA000-memory.dmp

Filesize
1.7MB

Download
memory/1776-85-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download
memory/1776-88-0x0000000000400000-0x000000000055C000-memory.dmp

Filesize
1.4MB

Download