Analysis

  • max time kernel
    152s
  • max time network
    169s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    19-09-2022 02:50

General

  • Target

    791f85acd61443d522c32d8c21e3f447dfcfb50a60ebce3cf026b409df8222a7.exe

  • Size

    18KB

  • MD5

    9eadf7f4b39bb189b8025eacb883fa78

  • SHA1

    5708d5c2e9fc4adc3bb5c0dfaf53785b0708face

  • SHA256

    791f85acd61443d522c32d8c21e3f447dfcfb50a60ebce3cf026b409df8222a7

  • SHA512

    bbd46731e00555163f13cf6997038aaab7b7fa8ed9ffe95a22f0511c26758b8852ab694a8ff8e84a6fdf1b2bbc59b96730068b621804cabb67d84aa3e1d1f6a6

  • SSDEEP

    384:yp8GQKhqticjYNhNoT84bCecusshb1vcWLr2amWvWUEzB1My/:nwhqticooZjcusshBLr2afEt1b

Malware Config

Signatures

  • joker

    Joker is an Android malware that targets billing and SMS fraud.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 60 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\791f85acd61443d522c32d8c21e3f447dfcfb50a60ebce3cf026b409df8222a7.exe
    "C:\Users\Admin\AppData\Local\Temp\791f85acd61443d522c32d8c21e3f447dfcfb50a60ebce3cf026b409df8222a7.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:996
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://www.18hi.net/
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1584 CREDAT:275457 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:320
    • C:\Windows\system\PHIME2OO2A.EXE
      "C:\Windows\system\PHIME2OO2A.EXE"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Internet Explorer start page
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1540

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    60KB

    MD5

    6c6a24456559f305308cb1fb6c5486b3

    SHA1

    3273ac27d78572f16c3316732b9756ebc22cb6ed

    SHA256

    efc3c579bd619ceab040c4b8c1b821b2d82c64fddd9e80a00ec0d7f6577ed973

    SHA512

    587d4a9175a6aa82cd8bb1c11ca6508f95cd218f76ac322ddbd1bc7146a0e25f8937ee426a6fb0fb0bb045cedb24d8c8a9edfe9f654112f293d8701220f726b4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    199c848e9056abc5346c7cc1d42fdffa

    SHA1

    2d476f0895ba3bee4a03a905559b779522aad6a7

    SHA256

    ee8295929fc376e429c050239d791ca86e195ccba72477c5374af4f2d0cb0b05

    SHA512

    c35abef11139abcdcb31654cada6579fba968561925a2392d7792027a0c4ae070aef404e98b84b5e674adbb5b620386e2b03f340d3480748f0477b98b10024da

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat

    Filesize

    5KB

    MD5

    455341c7d32a10a0baaaf5b788529357

    SHA1

    666af4bab5e2e3a91185a22a5ff461d24281d758

    SHA256

    da4dbbfa27eb8a780017e37e6835172e258106321fd058d790af965992a65ac0

    SHA512

    74435d3abbd2ea2a6ceae57144199c36b50f9217f9bb73d7c563bec2d5b80b07df8ab8bff0ea433fe8929f1d7cf5a7b5fab7a428eb5b20d0f64eef13bb5b5438

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\FXDC6S6J.txt

    Filesize

    608B

    MD5

    be88ae70e67015a4eeaeb40f493a63fc

    SHA1

    17de4335c4ec5b7d688b16d3650d8cbee5e3c9f4

    SHA256

    c94e24dc3ce7a9d95904e2e2084286017807a2750106c85c0b05611f3c6d202c

    SHA512

    a51507ba3088f09b72df3398b06405a00ff4ef17cbf59aeb7d9e56dc68ac16dfffcde68309dd42c5178cad9a5808844e2583b4884277b389547790c906576108

  • C:\Windows\system\PHIME2OO2A.EXE

    Filesize

    18KB

    MD5

    9eadf7f4b39bb189b8025eacb883fa78

    SHA1

    5708d5c2e9fc4adc3bb5c0dfaf53785b0708face

    SHA256

    791f85acd61443d522c32d8c21e3f447dfcfb50a60ebce3cf026b409df8222a7

    SHA512

    bbd46731e00555163f13cf6997038aaab7b7fa8ed9ffe95a22f0511c26758b8852ab694a8ff8e84a6fdf1b2bbc59b96730068b621804cabb67d84aa3e1d1f6a6

  • \Windows\system\PHIME2OO2A.EXE

    Filesize

    18KB

    MD5

    9eadf7f4b39bb189b8025eacb883fa78

    SHA1

    5708d5c2e9fc4adc3bb5c0dfaf53785b0708face

    SHA256

    791f85acd61443d522c32d8c21e3f447dfcfb50a60ebce3cf026b409df8222a7

    SHA512

    bbd46731e00555163f13cf6997038aaab7b7fa8ed9ffe95a22f0511c26758b8852ab694a8ff8e84a6fdf1b2bbc59b96730068b621804cabb67d84aa3e1d1f6a6

  • memory/996-64-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/996-56-0x0000000075E11000-0x0000000075E13000-memory.dmp

    Filesize

    8KB

  • memory/996-57-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/1540-66-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB