Analysis
- max time kernel: 143s
- max time network: 131s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
- submitted: 13-09-2022 09:08
Behavioral task behavioral1
- Sample: f01423868e8cfd624a899be442880d06bc0d30dff43b8a104276ea5400fe75fd.dll
- Resource: win7-20220901-en
Behavioral task behavioral2
- Sample: f01423868e8cfd624a899be442880d06bc0d30dff43b8a104276ea5400fe75fd.dll
- Resource: win10v2004-20220812-en
General
- Target: f01423868e8cfd624a899be442880d06bc0d30dff43b8a104276ea5400fe75fd.dll
- Size: 441KB
- MD5: 28b46ec57a5718f69d3d4f6be0734bff
- SHA1: 33f3969772bb028973142b53df2ab4bf665cc9f8
- SHA256: f01423868e8cfd624a899be442880d06bc0d30dff43b8a104276ea5400fe75fd
- SHA512: da054bf34e54fb89fb280ce32966b21c37563231b3e23d9c92e38ae2b524fedd799ebb6ec4cba4b110ad90738f085cae7349fdfd6591b39f1f78fa14ef887456
- SSDEEP: 12288:ivk20fZkckJ+bFw3qlne22jdMuYeqWuC7kqL:sP0fZ+Juln5AMuk
Malware Config
Signatures
- joker: Joker is an Android malware that targets billing and SMS fraud.
-
Blocklisted process makes network request (1 IoC)
Processes:
flow  pid   process
19    3292  rundll32.exe
Downloads MZ/PE file
-
Executes dropped EXE (1 IoC)
Processes:
pid   process
3892  server.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description                        pid   process       target process
PID 4308 wrote to memory of 3292   4308  rundll32.exe  rundll32.exe
PID 4308 wrote to memory of 3292   4308  rundll32.exe  rundll32.exe
PID 4308 wrote to memory of 3292   4308  rundll32.exe  rundll32.exe
PID 3292 wrote to memory of 3892   3292  rundll32.exe  server.exe
PID 3292 wrote to memory of 3892   3292  rundll32.exe  server.exe
PID 3292 wrote to memory of 3892   3292  rundll32.exe  server.exe
Processes (process tree; each indented entry is spawned by the one above it)
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f01423868e8cfd624a899be442880d06bc0d30dff43b8a104276ea5400fe75fd.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f01423868e8cfd624a899be442880d06bc0d30dff43b8a104276ea5400fe75fd.dll,#1
      - Blocklisted process makes network request
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Public\server.exe
         Command line: C:\Users\Public\server.exe
         - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Public\server.exe
  Filesize: 2.7MB
  MD5: 10e8774916d82a34156e1d0ed8bd7c5d
  SHA1: 835929854ac44529ef68788e55a68ec7c00a81f9
  SHA256: a95b756fe3ec40a51a9e1b15e1fdfcc34d3c1c50d0b0d35bce19abab2239cfa8
  SHA512: f01ab5f7483915305f8c182643d39b087c0c1a6c5ef97015fb67176e980c0754a490492d3295a598ff56f82354963ed8ec80f933ac6404dcf4b0b88cfd36905e
- memory/3292-132-0x0000000000000000-mapping.dmp
- memory/3892-133-0x0000000000000000-mapping.dmp