Overview

overview

10

Static

static

0da04b28ba...b6.exe

windows7-x64

10

0da04b28ba...b6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    123s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2022 04:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0da04b28bae6ce3c0b62e1c3bda81fa001bf016cdc375eb234ad851cfb6af4b6.exe

  • Size

    57KB

  • MD5

    0d78c4a6febf4fec9088291e1e93836a

  • SHA1

    32457a451a63a1d3d95332c82e11b711877bfafd

  • SHA256

    0da04b28bae6ce3c0b62e1c3bda81fa001bf016cdc375eb234ad851cfb6af4b6

  • SHA512

    06912945293172bcee4d80c578e35c20eec0a918894d68e78811ade5a9f8db2d5830ff606328707fe5efc16fbaa5914c74593cdb783cb204a41be608faa71e35

  • SSDEEP

    768:iewE87j9Htl4XseDJRgVacu35yglPZ+BLWS2v6d634vAevTb0gzsg5utVue:DWkXt1EtMQshv6d44IePDIVz

Score
10/10
jokerevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • joker

    Joker is an Android malware that targets billing and SMS fraud.

    infostealertrojanjoker
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 41 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Modifies registry class 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\0da04b28bae6ce3c0b62e1c3bda81fa001bf016cdc375eb234ad851cfb6af4b6.exe
    "C:\Users\Admin\AppData\Local\Temp\0da04b28bae6ce3c0b62e1c3bda81fa001bf016cdc375eb234ad851cfb6af4b6.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\cowon2011_check.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1256
        • C:\PROGRA~1\INTERN~1\iexplore.exe
          C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?71628
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1664
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1664 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1420
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf
          4⤵
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          PID:1104
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat
          4⤵
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:1400
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f
            5⤵
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            PID:1472
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f
            5⤵
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            PID:1724
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?i"" /f
            5⤵
              PID:1520
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
              5⤵
              • Modifies registry class
              PID:436
            • C:\Windows\SysWOW64\reg.exe
              reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f
              5⤵
              • Modifies registry class
              PID:1948
            • C:\Windows\SysWOW64\attrib.exe
              attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
              5⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:1056
            • C:\Windows\SysWOW64\attrib.exe
              attrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp
              5⤵
              • Sets file to hidden
              • Views/modifies file attributes
              PID:1628
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf
              5⤵
              • Adds Run key to start application
              • Drops file in Windows directory
              • Suspicious use of AdjustPrivilegeToken
              PID:1304
              • C:\Windows\SysWOW64\runonce.exe
                "C:\Windows\system32\runonce.exe" -r
                6⤵
                • Checks processor information in registry
                PID:1032
                • C:\Windows\SysWOW64\grpconv.exe
                  "C:\Windows\System32\grpconv.exe" -o
                  7⤵
                    PID:1828
              • C:\Windows\SysWOW64\rundll32.exe
                rundll32 D:\VolumeDH\inj.dat,MainLoad
                5⤵
                  PID:1712
          • C:\Users\Admin\AppData\Local\Temp\inl9E93.tmp
            C:\Users\Admin\AppData\Local\Temp\inl9E93.tmp
            2⤵
              PID:2560
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\0DA04B~1.EXE > nul
              2⤵
                PID:2700

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat
              Filesize

              5KB

              MD5

              e2b0526de3d66d69abf5e04f354451bf

              SHA1

              2c49b904d5bd2a47112e1ded8a2ea558bd6727f0

              SHA256

              a60ed5cea25134e8771c4fbcb9384bb768dbf9c6d04c7fa1b49cb4335484b70a

              SHA512

              217bafbd9e7fc0fb5462085f31000855f787e54a27af36db65e55b5a7e0789fcab7eb66f1e748a195b116a46e0ceac44213bc130d6b772ca560341fd670f62fa

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\cowon2011_check.bat
              Filesize

              53B

              MD5

              23962a245f75fe25510051582203aff1

              SHA1

              20832a3a1179bb2730194d2f7738d41d5d669a43

              SHA256

              1abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647

              SHA512

              dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\inl9E93.tmp
              Filesize

              97.8MB

              MD5

              e088ba8e0a2a2b79527fa223084b4a18

              SHA1

              9529145178c8e022331dec06c3516ef4b093366a

              SHA256

              7809ae821ea87632c1a8875cd4b140d1f6d2ffc008f5802e31dc5a4b086a152e

              SHA512

              803861795e56953e6cb972ffa2b9977f4ef066458c5f8943461fb3fdce9f340c7ee375299437da2108ce52cc6316fb86f7c0e768de3d73407c4523ba61070419

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp
              Filesize

              630B

              MD5

              def799e58a41b0cc7912581957c6b70b

              SHA1

              92b7b065250910aae63b782c8aa9548289b7d7d5

              SHA256

              d5c4b84330a5c67f8c86ee470c66ff8f52124f6dbcb29f939561c9013b5c6c20

              SHA512

              20be77f16b629d023a4456925ec3d093fd3f202f6b208dd42c878614248b78da52da0f5c004d06d7d4d1583291ce6901e9d8157eadf129b7032b2fb902eb1ce5

              Download Submit

            • C:\Users\Admin\AppData\Roaming\PPLive\1.bat
              Filesize

              3KB

              MD5

              286fe459674aef6eee17f6ac79a15fdb

              SHA1

              233dc43099c575a67b05fc1076e676324fd6e63d

              SHA256

              872cc596dc1fe6d5a131129bd84c2a76d6874e9c57ab2cd792d4d12b6f014fd2

              SHA512

              c9acc4a134001da76e7ae6aa5ae65ce58501942dfc1f80959ae4db27c06010db753c9d115eedbe0b2b0e30dd5c4dcd1d32816493b053c65cee81d3a343c87314

              Download Submit

            • C:\Users\Admin\AppData\Roaming\PPLive\1.inf
              Filesize

              492B

              MD5

              34c14b8530e1094e792527f7a474fe77

              SHA1

              f71c4e9091140256b34c18220d1dd1efab1f301d

              SHA256

              fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713

              SHA512

              25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2

              Download Submit

            • C:\Users\Admin\AppData\Roaming\PPLive\2.bat
              Filesize

              3KB

              MD5

              d4917ae9072a10d8e12ef3b282b25b3b

              SHA1

              bd9ec6c6395997525ec7c15ecca2f115573cc14c

              SHA256

              6f7649988962c61ac7644262ee6082ef352bbb00cb155a3f4ef0467fbdf1c67b

              SHA512

              c6ed3119e008191ad56050f6b72a2d64e908c57e80fd0c252b8b1947cf091644c83b6bc16c56d6e2153579eb3e8711c8cd608977426a0906d56a7713bfca309d

              Download Submit

            • C:\Users\Admin\AppData\Roaming\PPLive\2.inf
              Filesize

              247B

              MD5

              ca436f6f187bc049f9271ecdcbf348fa

              SHA1

              bf8a548071cfc150f7affb802538edf03d281106

              SHA256

              6cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534

              SHA512

              d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591

              Download Submit

            • C:\Users\Admin\AppData\Roaming\PPLive\4.bat
              Filesize

              12.3MB

              MD5

              b0e1b622368163eadc897373608e7b07

              SHA1

              fa6076db4b9970564a37c137ad79025703a09391

              SHA256

              f69badd2a6fa0b290608e0f8d265d79ff6cd435d92a02cd9c94539243f33fc0e

              SHA512

              0261814009ae3d5bb3008a851eb3db099b6c21493e17664c0d6f3429ace79b0516d655e869a21b97f7f0b0fa7ceba492b43cb67606911b0675c11ab4595da5f9

              Download Submit

            • \Users\Admin\AppData\Local\Temp\inl9E93.tmp
              Filesize

              100.9MB

              MD5

              60fed1448a749574c9fdd6f9603235eb

              SHA1

              b54b8a54071311c99b455e57cf70f6651f4cce51

              SHA256

              cd06c30bc157525a95cb7d350e08c158d4e679642faa8140cba4da7de84b1839

              SHA512

              3a24aeed0e67784603f4f0cd07f076bba0fd42172a3f18b2daa55763b73713a1d0625d39b90d5fc190bb221d9f9fdab3883e3b6075c6b852da6bd0d2d6d2aa5f

              Download Submit

            • \Users\Admin\AppData\Local\Temp\inl9E93.tmp
              Filesize

              100.4MB

              MD5

              eb2430fb201eff98afd17b3afd9b3536

              SHA1

              d365939088306a9626f5276966c313fb93b14f45

              SHA256

              2f99e9a1d18b84296099dffa74639c109909bf6cd6c5620af3954f7d6c2ee60e

              SHA512

              c9e1fa7cd42d7bcb8cfeca91662e0f3781060955cb0fb11bde7e7477421f777f554123df37ec2c38b345deb432feb5b9d1b179375d1d0134f2eb50e3530ed1c5

              Download Submit

            • memory/1668-75-0x0000000002BF0000-0x0000000002BFF000-memory.dmp

              Filesize

              60KB

              Download

            • memory/1668-54-0x0000000075071000-0x0000000075073000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1668-55-0x00000000003E0000-0x0000000000406000-memory.dmp

              Filesize

              152KB

              Download

            • memory/1668-92-0x00000000003E0000-0x0000000000406000-memory.dmp

              Filesize

              152KB

              Download

            • memory/1668-56-0x0000000000020000-0x0000000000023000-memory.dmp

              Filesize

              12KB

              Download