Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
19-09-2022 00:01
General
-
Target
a23a6c4af10ac9eb38c1422fb7368958a41662bd52a157c63217c117f31dfade.exe
-
Size
74KB
-
MD5
0437b59f19460ba53d1f033cbb8a9fa6
-
SHA1
2baa467d0d736d331fdd59404099efe2786035d6
-
SHA256
a23a6c4af10ac9eb38c1422fb7368958a41662bd52a157c63217c117f31dfade
-
SHA512
da6bf2d6e34dcbf5f478bc06ab95814ada5569fc5a10eeb75692ae7385f4173a48600714039ad054c982ca1d1032660e6e7eb09fbc95342df84a2713da48b7c1
-
SSDEEP
1536:8+py7ZZA7zCCt4aUXrLOyJMf6IGv7U7jjcDSEYUu3LIxL3sgH2KRKpzZ:882kj4aUXr+wDU78DhYYxLzeZ
Malware Config
Signatures
-
joker
Joker is an Android malware that targets billing and SMS fraud.
-
Executes dropped EXE 2 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops file in Program Files directory 19 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 9 IoCs
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a23a6c4af10ac9eb38c1422fb7368958a41662bd52a157c63217c117f31dfade.exe"C:\Users\Admin\AppData\Local\Temp\a23a6c4af10ac9eb38c1422fb7368958a41662bd52a157c63217c117f31dfade.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files\FreeRapid\loader.tmp"C:\Program Files\FreeRapid\loader.tmp"2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c afc9fe2f418b00a0.bat3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\socketmouse1.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\1.bat3⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?821334⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4312 CREDAT:17410 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\1.inf4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\2.bat4⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?r"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?r"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?r"" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}5⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\PROGRA~1\FREERA~1\3.bat""" /f5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\PROGRA~1\FREERA~1\tmp5⤵
- Sets file to hidden
- Drops file in Program Files directory
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\2.inf5⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r6⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o7⤵
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 C:\Progra~1\FreeRapid\1.bin,MainLoad5⤵
- Loads dropped DLL
- Drops file in Program Files directory
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inl2AEA.tmpC:\Users\Admin\AppData\Local\Temp\inl2AEA.tmp2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl2AEA.tmp > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A23A6C~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD52b99b7f66b8ebba3071330bcbaccc022
SHA11a79cdcdd4dd3c9e22b45acdbc20a51da5f23e52
SHA2563ed44f8ec4dd76cadb989353a1ed4a578d93fbba2eb0997443000384e2fb7f09
SHA51203671ec8fbe45df652bddf47141fd017cfd86b25c034608be23eb82035b3e7504765d4fdc9c42e1bbb3de4b132476a5e7156d83fe1982be283c9ea51e9cc8671
-
Filesize
492B
MD534c14b8530e1094e792527f7a474fe77
SHA1f71c4e9091140256b34c18220d1dd1efab1f301d
SHA256fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713
SHA51225bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2
-
Filesize
3KB
MD533a04456ee815ae4a4cdafc50e0c6910
SHA169c8d3408e9c88ce3300b377a5acd0e13aec2b0f
SHA25647bc8bd2bae6685b6d66bd8b5ed945214ac37a934a7e6ae3c0f1f85192e965f5
SHA5124f61b3d6e3923d491f60dc9602b39f14a485f8d4f7c2122b7ee4c831d1620689c70c99d52212306969d850c9607c61c69bb96ea7fe922d9d7feab7eae90d2afd
-
Filesize
230B
MD5f6dcb2862f6e7f9e69fb7d18668c59f1
SHA1bb23dbba95d8af94ecc36a7d2dd4888af2856737
SHA256c68fe97c64b68f00b3cc853ae6a6d324b470a558df57eac2593487978592eb2c
SHA512eefe630b776d2144df39e9c385824374b3d546e30293d7efe10cc2d6bf6f2c932162bf80add1c8ca58afcc868ad02b3ffc104c0f111f3827f4385ee9f26f5e75
-
Filesize
5.8MB
MD5816ed20570041eee5295f5d19f2e9d01
SHA172f883ecb275e124301fda12b92f15423f1b8576
SHA2564ab8dbb9b33642dd663ccaf7d95e281fdf5fc8c48ccea3a3793dcf7f81f7ce37
SHA512545d5ca03bdf5317deb48c5b375951333a7d77678259c19f3c8aabda6796b6dded11474127c4454ea3892f89df569731e400e64ebca5c43a69498e6a8155361a
-
Filesize
57.2MB
MD5987cb96ad4ce1361a1c3ea51af40e1bf
SHA13af65378c6025413acfdbd9032f4e5230151bfc5
SHA256a79edfd0acfccca779c7ff19b30eb13f51fbdbbd2d739d9e73d5c56296e6ef6d
SHA5120e995c79f725f89b020e775db612b249fff0c98d32a58e37193e940d48c78a90a0cbacd3083e05f07a0488bf04af0fac84eb754461fcb3ba154b2eb101b18889
-
Filesize
57.3MB
MD5c91abb8bbd2c13e5f08a1ab03ad91ac8
SHA146b1f0f58cdf90aa5f2bd546d33ee95c8d43e215
SHA2564c504af191c883a082b6fd0691f37e5661c74985bc1f6822011dfcbe58775f28
SHA512fa54658182b0331eaefa04cb952eb1583931a951406299bffbadbe85f651791ab6265774c7aa37bb6005b2de428109b9aa0cbbbb955db84843857fa7f041f609
-
Filesize
57.3MB
MD5c91abb8bbd2c13e5f08a1ab03ad91ac8
SHA146b1f0f58cdf90aa5f2bd546d33ee95c8d43e215
SHA2564c504af191c883a082b6fd0691f37e5661c74985bc1f6822011dfcbe58775f28
SHA512fa54658182b0331eaefa04cb952eb1583931a951406299bffbadbe85f651791ab6265774c7aa37bb6005b2de428109b9aa0cbbbb955db84843857fa7f041f609
-
Filesize
57.2MB
MD5987cb96ad4ce1361a1c3ea51af40e1bf
SHA13af65378c6025413acfdbd9032f4e5230151bfc5
SHA256a79edfd0acfccca779c7ff19b30eb13f51fbdbbd2d739d9e73d5c56296e6ef6d
SHA5120e995c79f725f89b020e775db612b249fff0c98d32a58e37193e940d48c78a90a0cbacd3083e05f07a0488bf04af0fac84eb754461fcb3ba154b2eb101b18889
-
Filesize
471B
MD51520b1f0e8660cc8553264ce46871efd
SHA170c43f2c0b7599f782461590f8e1650a2df5dbfe
SHA2568bb8dd5446da57093db31c10b4093a2378a9324f137d3eaa21ab0027e191c09e
SHA5126ad8d5f620738988286981654070c9a4e2542f629f4e5245381143a2a88c98922145759ff8d90546e1a617639a7dd335ddca4aba5435fb216c01c705bc4f0be0
-
Filesize
404B
MD5990a4f34541ed6f6c28fa8ed65871c27
SHA16acbac43de512a37ea8da42a6cc0aa91e58b9ed2
SHA256c5919a20effc093e2a5547f522f6d4e1fbe5ae7325080c4a0279657389a4867b
SHA512a5584a6dfd63816b87b1a49ac90902ec42bc9722578d71dce51b0b036ee2acfa41959835328064ccda23202c76f26fdc810c18e6ebdfc67886fffc397e8ad3db
-
Filesize
1KB
MD56d1243122894ef0bed1052c81c0cd3d4
SHA1bb991babac902517b641acdc984c53b5cafb8cf0
SHA2566179e36d8e291850bb181ff20f7eeede05d4847c8f77d2d75f98fe8ef5709d42
SHA512b2ecee33230a2613b1b61a85ebd784199b542388b99181065278184830a257950e98be8dae9807ccd27ddc48479c50112acd9c18c723575b89b1bdcb17d8d038
-
Filesize
2KB
MD5be9c2a6c4473d5ff3130700864019244
SHA1bd964f122e7715e3fce78dcbbc2118cc85f42053
SHA2568f07137e93b92f7942caa3cca96b3c66d390aa8aaf9bc112d3b132948c61c5bd
SHA512b4810796fad38757315c6d21b03f7cc13777fc928d32f0222208f460f7a515d626837d460dbcd2c0959f1ba383f60a395724325cd7a8d0b8c53538a0a4b16cbc
-
Filesize
57.2MB
MD5bda5044e31a7eb5907fc4da507d1eb5d
SHA12831e9d0de5771eb05989ca289f626feaceee0c9
SHA256fe359fdf3518ee00f2bdc8e6f4641a0b9fc99fbb6ad11debac34af850c021880
SHA5128dbaedec5d8fe4d4ee04fee142cfa64a864ddcb420c4c388af50c65017c7b4110576a46886433266d018bd5657d75e9121f12720e46e35d98065f023de1c2244
-
Filesize
57.2MB
MD5bda5044e31a7eb5907fc4da507d1eb5d
SHA12831e9d0de5771eb05989ca289f626feaceee0c9
SHA256fe359fdf3518ee00f2bdc8e6f4641a0b9fc99fbb6ad11debac34af850c021880
SHA5128dbaedec5d8fe4d4ee04fee142cfa64a864ddcb420c4c388af50c65017c7b4110576a46886433266d018bd5657d75e9121f12720e46e35d98065f023de1c2244
-
Filesize
36B
MD50b53221b1332efb76ebd2ab7120ff78f
SHA1e3dda4d21e35819eaf50e50c2aab2950ff1505b5
SHA25605bbda79058985c35a48637dcbc66c73176e1f7e4c95e8aef8b762066b780388
SHA512877637688f255d94b94feb3b2444678836db41644f6e1a7d1f902c8c12bab45785393a8f210215eebcdcb3526002632863bf54f026047aa1edee8481b26dddcd
-
Filesize
631B
MD50b92bb1f3b9141d221dfedfcc5a59527
SHA18d0a11d39776442b53436490284dc460137d3e7a
SHA2565ad1f9cc4cff9a7d07bf72edc9ce2ccb0e75a6bb8038ab92a27a54914d560a99
SHA512e3472c917c7ac2657f4ceb3bf8d1cdabca72bc0090ce2d33b3c334d86ad4cb8b68e109d936f6d99b38dd8d44bcd2e2e152d3292c10c77461e79bb13b2db04205
-
Filesize
36KB
-
Filesize
40KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
12KB