Analysis
-
max time kernel
144s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
19-09-2022 00:00
General
-
Target
28f54c99f30d95afb0e39e84f50e95eff2d28f0ef581a0ca85ef85f14426f62b.exe
-
Size
164KB
-
MD5
e4efd05727da503cd4bd06139f0841f5
-
SHA1
5a59d48b04018e30c1b152fc0b884eb4a853f4e2
-
SHA256
28f54c99f30d95afb0e39e84f50e95eff2d28f0ef581a0ca85ef85f14426f62b
-
SHA512
0a1c24ab8823c31158980b3fc39f3fd9a1727e4f36cb3c16afcaafc7ec00b979f26245fab53d7641640e95d04a97818d52cbc3c46b8a502c55479558f9b31e87
-
SSDEEP
3072:TL+7Du+WxLPt0fyHJBpn5Fu1k42FEmGf8Y:TL+7i+yVdJBpn5sJ2FQJ
Malware Config
Signatures
-
joker
Joker is an Android malware that targets billing and SMS fraud.
-
Executes dropped EXE 1 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 57 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\28f54c99f30d95afb0e39e84f50e95eff2d28f0ef581a0ca85ef85f14426f62b.exe"C:\Users\Admin\AppData\Local\Temp\28f54c99f30d95afb0e39e84f50e95eff2d28f0ef581a0ca85ef85f14426f62b.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\af2047_start.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?716284⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:17410 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat4⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?i"" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf5⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r6⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o7⤵
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 D:\VolumeDH\inj.dat,MainLoad5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inlCCC8.tmpC:\Users\Admin\AppData\Local\Temp\inlCCC8.tmp2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\28F54C~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD51520b1f0e8660cc8553264ce46871efd
SHA170c43f2c0b7599f782461590f8e1650a2df5dbfe
SHA2568bb8dd5446da57093db31c10b4093a2378a9324f137d3eaa21ab0027e191c09e
SHA5126ad8d5f620738988286981654070c9a4e2542f629f4e5245381143a2a88c98922145759ff8d90546e1a617639a7dd335ddca4aba5435fb216c01c705bc4f0be0
-
Filesize
404B
MD551c4319207f7d3dcb699203ce81887d9
SHA153a71eae5296eaea2d4650ed071554c34d6222bb
SHA2560ff7ec42c62c444ea112d84f35df411324e03b179e6513b63d538568137d9f05
SHA5121cd07885e3f84d6081f5840ae9b92b6738fcbc31ea12125542b76974656e13e72fc8712f9451e6a0d4c0bbef68af2347a5431be62e1dc1a6987306de70654ac5
-
Filesize
1KB
MD5d2b087335d62e9441238ff0de546166e
SHA1fe229e786b59e708116254295c1cf64ba785678a
SHA2566239e3a14c4e5370f08c0cbf2d99f3d2abb0ff6ace5e545492aa1c9b5645bd69
SHA512d923c54e18ea7ac9980ca69b4216a397025766e62cb77f1f5e992a8e133dec4684fa79473642a404fe0913b23707b6e2449ac4ef5b5afad3e53065447581ac55
-
Filesize
53B
MD523962a245f75fe25510051582203aff1
SHA120832a3a1179bb2730194d2f7738d41d5d669a43
SHA2561abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647
SHA512dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80
-
Filesize
57.2MB
MD5bd5e7c89fff9d0e9a2ab6b2c1c619e9c
SHA19df7c89cced53190a5850ba1a7d9ebae92c1f56e
SHA2564341a6bd5a340949e560224e4fbe43d19d28ed1375f2010fb1f3a598c83b669d
SHA512fc1593b19d3eec4cc68a4ddb38d9d61db6a2882c921a9a209f5c36b40bcc630731108605533f8baa78fb054a2f58fe5d44e67f1f8a52977e7c73464b9cf39fab
-
Filesize
57.2MB
MD5bd5e7c89fff9d0e9a2ab6b2c1c619e9c
SHA19df7c89cced53190a5850ba1a7d9ebae92c1f56e
SHA2564341a6bd5a340949e560224e4fbe43d19d28ed1375f2010fb1f3a598c83b669d
SHA512fc1593b19d3eec4cc68a4ddb38d9d61db6a2882c921a9a209f5c36b40bcc630731108605533f8baa78fb054a2f58fe5d44e67f1f8a52977e7c73464b9cf39fab
-
Filesize
630B
MD5def799e58a41b0cc7912581957c6b70b
SHA192b7b065250910aae63b782c8aa9548289b7d7d5
SHA256d5c4b84330a5c67f8c86ee470c66ff8f52124f6dbcb29f939561c9013b5c6c20
SHA51220be77f16b629d023a4456925ec3d093fd3f202f6b208dd42c878614248b78da52da0f5c004d06d7d4d1583291ce6901e9d8157eadf129b7032b2fb902eb1ce5
-
Filesize
3KB
MD5286fe459674aef6eee17f6ac79a15fdb
SHA1233dc43099c575a67b05fc1076e676324fd6e63d
SHA256872cc596dc1fe6d5a131129bd84c2a76d6874e9c57ab2cd792d4d12b6f014fd2
SHA512c9acc4a134001da76e7ae6aa5ae65ce58501942dfc1f80959ae4db27c06010db753c9d115eedbe0b2b0e30dd5c4dcd1d32816493b053c65cee81d3a343c87314
-
Filesize
492B
MD534c14b8530e1094e792527f7a474fe77
SHA1f71c4e9091140256b34c18220d1dd1efab1f301d
SHA256fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713
SHA51225bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2
-
Filesize
3KB
MD5d4917ae9072a10d8e12ef3b282b25b3b
SHA1bd9ec6c6395997525ec7c15ecca2f115573cc14c
SHA2566f7649988962c61ac7644262ee6082ef352bbb00cb155a3f4ef0467fbdf1c67b
SHA512c6ed3119e008191ad56050f6b72a2d64e908c57e80fd0c252b8b1947cf091644c83b6bc16c56d6e2153579eb3e8711c8cd608977426a0906d56a7713bfca309d
-
Filesize
247B
MD5ca436f6f187bc049f9271ecdcbf348fa
SHA1bf8a548071cfc150f7affb802538edf03d281106
SHA2566cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534
SHA512d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591
-
Filesize
5.8MB
MD5b4023946ae82f6e87d65a004676e5844
SHA14a07d173cd9460d7ea83bc957f203e324cae7efb
SHA2567a738e3f98a901a3a15f434f012bcc3280a85a54e72c080dfddca55d83df8264
SHA5124577a561edb1a991c600c5ed28939f2e21fd8ff194f7ac5c22cf07c80bbc6926c55b1b6686dd9081bb9318e390eb8efd78c50cd6e3f629ce7aa7717c7814bc0f
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB