Overview

overview

10

Static

static

wg.exe

windows7-x64

10

wg.exe

windows10-2004-x64

9

炫舞助�...��.exe

windows7-x64

10

炫舞助�...��.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    151s
  • max time network
    168s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2022 04:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    wg.exe

  • Size

    1.8MB

  • MD5

    5017e4642ffb6fed42235d37fab16273

  • SHA1

    91a00dfa17737092c79cce3002f6d428c4b47ed2

  • SHA256

    4b8bc86b3ba5dd3fb7ad3ca3f3f3e62af0e13679c3eb8cd630d36b03eabf7f6b

  • SHA512

    71dcb7efee14707a70e32c11d40b798b8a70f17b81548b52f67213bf2767d1d6deba570ef9b2668bc26c362964c9f5364af8ad88593e6d001627a0f83e28e058

  • SSDEEP

    49152:GZp4kJNahggTdaVS8wzZrhyL7Y6Xl55PA8DXl5IkyjGY:GZ+gMhfdaVS8otyw6r5PpDV5Iky3

Score
10/10
jokeraspackv2evasioninfostealerpersistencetrojan

Malware Config

Signatures

  • joker

    Joker is an Android malware that targets billing and SMS fraud.

    infostealertrojanjoker
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • ASPack v2.12-2.42 7 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 5 IoCs
  • Modifies AppInit DLL entries 2 TTPs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 3 IoCs
    persistence
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 12 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 44 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\wg.exe
    "C:\Users\Admin\AppData\Local\Temp\wg.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1980
    • C:\Users\Admin\AppData\Local\Temp\p.exe
      "C:\Users\Admin\AppData\Local\Temp\p.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1312
      • C:\Users\Admin\AppData\Local\Temp\p.exe
        C:\Users\Admin\AppData\Local\Temp\p.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:968
        • C:\WINDOWS\zoues\svchost.exe
          C:\WINDOWS\zoues\svchost.exe
          4⤵
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Suspicious behavior: EnumeratesProcesses
          PID:1380
    • C:\Users\Admin\AppData\Local\Temp\2071.exe
      "C:\Users\Admin\AppData\Local\Temp\2071.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1540
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://ad.tjchajian.com:82/ip.html?id=2071
        3⤵
          PID:2496
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1540 -s 1012
          3⤵
          • Loads dropped DLL
          • Program crash
          PID:3268
      • C:\Users\Admin\AppData\Local\Temp\ìÅÎèÖúÊֳ齱¹Ò3.0.9-BÃë³é°æ.exe
        "C:\Users\Admin\AppData\Local\Temp\ìÅÎèÖúÊֳ齱¹Ò3.0.9-BÃë³é°æ.exe"
        2⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1148
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://www.1wly.com/
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:656
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:656 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1708
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:656 CREDAT:668679 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2592

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
      Filesize

      60KB

      MD5

      6c6a24456559f305308cb1fb6c5486b3

      SHA1

      3273ac27d78572f16c3316732b9756ebc22cb6ed

      SHA256

      efc3c579bd619ceab040c4b8c1b821b2d82c64fddd9e80a00ec0d7f6577ed973

      SHA512

      587d4a9175a6aa82cd8bb1c11ca6508f95cd218f76ac322ddbd1bc7146a0e25f8937ee426a6fb0fb0bb045cedb24d8c8a9edfe9f654112f293d8701220f726b4

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      344B

      MD5

      500b35241a890e81aa5b32ee3a1d1fbd

      SHA1

      25c022529fb6a615328df18870db4a55db375c8b

      SHA256

      8607737a15ebe58b2829190210647cb63cecb9dece26917291e7020814256c22

      SHA512

      262a567c62e0238363043bc23271f40e0a2e943193e24277921ef67d957571ce0f0a98880002802cfebd7a52788c23b2b0cdba1e4be03f55320cde12aa0ce0bf

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      242B

      MD5

      e413c1fd27c35177fb6533ba8d9af3b3

      SHA1

      77bab39078bb43857550869b3bfc137aa8e696c7

      SHA256

      859400e77c9ffcd2d4fa4177eeb9503202b6a8d668c1d9ea22e5d6381da4b9ae

      SHA512

      d47788392e1b1029274be99b247f79bec6228a2ca1906a231e6a6e60866e9b4baef1d4cab0acf088ab233b5d8ccb0cbefea8fb067ddd6d6607cda2f21a13ef2f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\2071.exe
      Filesize

      114KB

      MD5

      6a3403a72b8efaecf87009a0cdf709c7

      SHA1

      4db26c3d0ef07c6107278b7583365fe47da6c03f

      SHA256

      3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

      SHA512

      4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\2071.exe
      Filesize

      114KB

      MD5

      6a3403a72b8efaecf87009a0cdf709c7

      SHA1

      4db26c3d0ef07c6107278b7583365fe47da6c03f

      SHA256

      3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

      SHA512

      4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\p.exe
      Filesize

      33KB

      MD5

      a97b8231899c20daa06ca80a3962c6f4

      SHA1

      8b739b51d895b5134ec308d394067b7b44696be1

      SHA256

      04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

      SHA512

      45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\p.exe
      Filesize

      33KB

      MD5

      a97b8231899c20daa06ca80a3962c6f4

      SHA1

      8b739b51d895b5134ec308d394067b7b44696be1

      SHA256

      04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

      SHA512

      45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\p.exe
      Filesize

      33KB

      MD5

      a97b8231899c20daa06ca80a3962c6f4

      SHA1

      8b739b51d895b5134ec308d394067b7b44696be1

      SHA256

      04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

      SHA512

      45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\ìÅÎèÖúÊֳ齱¹Ò3.0.9-BÃë³é°æ.exe
      Filesize

      1.6MB

      MD5

      1fbf2178409a4f816be8f766288e7439

      SHA1

      05800a7052e6196a704b71e252d3a639bd306724

      SHA256

      a02c27e0682c04806cc5055ea8dd942b5cb72f0f0954bfc87492abb8b019f2d8

      SHA512

      f113fe70c7aa67752f5567f67098642ab6753211f3cc6a65cadf1054e7c95d38510d6fc5b7600af7dcd4a256b53df70c5842212ba7fa01af2ec855ea49f294d3

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\94IS9PEH.txt
      Filesize

      111B

      MD5

      32c8e5ae81f81f2a95df29b6f935e2f8

      SHA1

      a90309cad4b233db43014120a40c36baa9685ab2

      SHA256

      818e37300aa62d420de5907fa322f44bb5dd5f7ede9ee779b36c67e579a9bec2

      SHA512

      d099bc7b24397867e3b80c5887f01d1d4b8d42557867da7b1a7be4e2dc2e65dbbab7cebdfdb9098e775136c353d0e1f685560c79bed25ecbd47356b17547a0c0

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\YERYJ0EB.txt
      Filesize

      608B

      MD5

      67cb5b0525d4688b28fe7227b7a5608c

      SHA1

      3f8d3cc9127bc4ba31ca5068ab3adf6a8b27f8ca

      SHA256

      0f18fd6e36646d13ec363e1290361472e4cdf37cafa2880b9681c12f038d60ac

      SHA512

      dc4f76de12c1600d3105eee7fb1890b139b4314e09d7968652e3e1d5757477f3441150c0736cb9ace73b7e818d7075bf3a459038b8e4b53cdae24add14ac84a6

      Download Submit

    • C:\Windows\zoues\svchost.exe
      Filesize

      33KB

      MD5

      b8299a947177ce0dc668af3ff05c46fa

      SHA1

      e82e614cffffbfc2ff2b0f3130abd495cbf76b44

      SHA256

      ad46cf29d9a8568a66c2abc2561af34e2546d6c3009c7139b1a7761a0ce98ada

      SHA512

      f2b8d98592979073ba2ebd2de084485f1d1d1e8ff0d6b86a806ee2f105b7770836a0b3f77e569e8fecdb6c65c6aba08ed63b88c426dd873481eb6c792fccd939

      Download Submit

    • \??\c:\WINDOWS\Help\windowsz32.txt
      Filesize

      39B

      MD5

      be563affdf84703821ba6e23d9ed6de7

      SHA1

      5d6d472ddcec06861872e9bf7d18589c4b37e982

      SHA256

      32d7619b9c9011c023d94e7c8d6fd234d85813d7ec7cf7cf3e74f45588c95ccc

      SHA512

      18e6016982f3b2a0a0b618a5e76b641303893a8d50f41a324c4e63254f7cb7e1c7fa6dd6a6f48753e34a633d268477638768bd3b8a897e8a8910d12457f4c685

      Download Submit

    • \Users\Admin\AppData\Local\Temp\2071.exe
      Filesize

      114KB

      MD5

      6a3403a72b8efaecf87009a0cdf709c7

      SHA1

      4db26c3d0ef07c6107278b7583365fe47da6c03f

      SHA256

      3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

      SHA512

      4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

      Download Submit

    • \Users\Admin\AppData\Local\Temp\2071.exe
      Filesize

      114KB

      MD5

      6a3403a72b8efaecf87009a0cdf709c7

      SHA1

      4db26c3d0ef07c6107278b7583365fe47da6c03f

      SHA256

      3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

      SHA512

      4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

      Download Submit

    • \Users\Admin\AppData\Local\Temp\2071.exe
      Filesize

      114KB

      MD5

      6a3403a72b8efaecf87009a0cdf709c7

      SHA1

      4db26c3d0ef07c6107278b7583365fe47da6c03f

      SHA256

      3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

      SHA512

      4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

      Download Submit

    • \Users\Admin\AppData\Local\Temp\2071.exe
      Filesize

      114KB

      MD5

      6a3403a72b8efaecf87009a0cdf709c7

      SHA1

      4db26c3d0ef07c6107278b7583365fe47da6c03f

      SHA256

      3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

      SHA512

      4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

      Download Submit

    • \Users\Admin\AppData\Local\Temp\2071.exe
      Filesize

      114KB

      MD5

      6a3403a72b8efaecf87009a0cdf709c7

      SHA1

      4db26c3d0ef07c6107278b7583365fe47da6c03f

      SHA256

      3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

      SHA512

      4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

      Download Submit

    • \Users\Admin\AppData\Local\Temp\p.exe
      Filesize

      33KB

      MD5

      a97b8231899c20daa06ca80a3962c6f4

      SHA1

      8b739b51d895b5134ec308d394067b7b44696be1

      SHA256

      04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

      SHA512

      45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

      Download Submit

    • \Users\Admin\AppData\Local\Temp\p.exe
      Filesize

      33KB

      MD5

      a97b8231899c20daa06ca80a3962c6f4

      SHA1

      8b739b51d895b5134ec308d394067b7b44696be1

      SHA256

      04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

      SHA512

      45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

      Download Submit

    • \Users\Admin\AppData\Local\Temp\ìÅÎèÖúÊֳ齱¹Ò3.0.9-BÃë³é°æ.exe
      Filesize

      1.6MB

      MD5

      1fbf2178409a4f816be8f766288e7439

      SHA1

      05800a7052e6196a704b71e252d3a639bd306724

      SHA256

      a02c27e0682c04806cc5055ea8dd942b5cb72f0f0954bfc87492abb8b019f2d8

      SHA512

      f113fe70c7aa67752f5567f67098642ab6753211f3cc6a65cadf1054e7c95d38510d6fc5b7600af7dcd4a256b53df70c5842212ba7fa01af2ec855ea49f294d3

      Download Submit

    • \Users\Admin\AppData\Local\Temp\ìÅÎèÖúÊֳ齱¹Ò3.0.9-BÃë³é°æ.exe
      Filesize

      1.6MB

      MD5

      1fbf2178409a4f816be8f766288e7439

      SHA1

      05800a7052e6196a704b71e252d3a639bd306724

      SHA256

      a02c27e0682c04806cc5055ea8dd942b5cb72f0f0954bfc87492abb8b019f2d8

      SHA512

      f113fe70c7aa67752f5567f67098642ab6753211f3cc6a65cadf1054e7c95d38510d6fc5b7600af7dcd4a256b53df70c5842212ba7fa01af2ec855ea49f294d3

      Download Submit

    • \Windows\SysWOW64\intel.dll
      Filesize

      142KB

      MD5

      5b6ae60afa76e99a591556ba5bdc0acb

      SHA1

      e3f12b7fe4337a55c9e859a5ceec95f749cf457b

      SHA256

      7a0cbe06ce186a11a3240015a9e7adc24db91a78f35170933efdc062aa1c4378

      SHA512

      4394f5f198eaf5315e4dba3a03204b9ef3fd4340ef7a98fa865c7dab15fe28d9586ac8cfe738ec60c9961437586d5deba25c6622e1f8af3c4e806022c236c98a

      Download Submit

    • \Windows\SysWOW64\intel.dll
      Filesize

      142KB

      MD5

      5b6ae60afa76e99a591556ba5bdc0acb

      SHA1

      e3f12b7fe4337a55c9e859a5ceec95f749cf457b

      SHA256

      7a0cbe06ce186a11a3240015a9e7adc24db91a78f35170933efdc062aa1c4378

      SHA512

      4394f5f198eaf5315e4dba3a03204b9ef3fd4340ef7a98fa865c7dab15fe28d9586ac8cfe738ec60c9961437586d5deba25c6622e1f8af3c4e806022c236c98a

      Download Submit

    • \Windows\zoues\svchost.exe
      Filesize

      33KB

      MD5

      b8299a947177ce0dc668af3ff05c46fa

      SHA1

      e82e614cffffbfc2ff2b0f3130abd495cbf76b44

      SHA256

      ad46cf29d9a8568a66c2abc2561af34e2546d6c3009c7139b1a7761a0ce98ada

      SHA512

      f2b8d98592979073ba2ebd2de084485f1d1d1e8ff0d6b86a806ee2f105b7770836a0b3f77e569e8fecdb6c65c6aba08ed63b88c426dd873481eb6c792fccd939

      Download Submit

    • memory/1148-80-0x0000000077B10000-0x0000000077C90000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1148-82-0x0000000000400000-0x00000000007A2000-memory.dmp

      Filesize

      3.6MB

      Download

    • memory/1148-86-0x0000000000400000-0x00000000007A2000-memory.dmp

      Filesize

      3.6MB

      Download

    • memory/1148-87-0x0000000077B10000-0x0000000077C90000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1148-88-0x0000000077B10000-0x0000000077C90000-memory.dmp

      Filesize

      1.5MB

      Download

    • memory/1148-79-0x0000000000400000-0x00000000007A2000-memory.dmp

      Filesize

      3.6MB

      Download

    • memory/1540-85-0x00000000003E0000-0x00000000003F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1540-76-0x0000000000330000-0x0000000000376000-memory.dmp

      Filesize

      280KB

      Download

    • memory/1540-71-0x0000000000330000-0x0000000000376000-memory.dmp

      Filesize

      280KB

      Download

    • memory/1540-69-0x0000000000330000-0x0000000000376000-memory.dmp

      Filesize

      280KB

      Download

    • memory/1540-101-0x0000000000330000-0x0000000000376000-memory.dmp

      Filesize

      280KB

      Download

    • memory/1980-54-0x0000000075831000-0x0000000075833000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1980-75-0x0000000000400000-0x00000000005C8B3B-memory.dmp

      Filesize

      1.8MB

      Download