Overview

overview

10

Static

static

61f70c121d...95.exe

windows7-x64

10

61f70c121d...95.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    19-09-2022 04:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    61f70c121d427e2a7b2e70937b13099163675b51af23d0b0ec87ea312f021d95.exe

  • Size

    2.4MB

  • MD5

    7c456017d18bcd67d119b1852e10ea9c

  • SHA1

    96fbe0db6d5730d5fda4cc3ee41c5b682a0ebb17

  • SHA256

    61f70c121d427e2a7b2e70937b13099163675b51af23d0b0ec87ea312f021d95

  • SHA512

    75f6e33dfc3ed694865710cf946789c2f1923bb70b6d8fe72f4ed0e32f315cb126350d7c1bd95d16d3f179b21d5b52583fb18e3ac4618a3a0bc42d32db7b178b

  • SSDEEP

    49152:6000irolqOGH78ChAaqBi2tSiDLz/FX/8zptVu25IkyjGY:f00i8qONCOaqBiqDLz/VUltk25Iky3

Score
10/10
jokeraspackv2evasioninfostealerpersistencetrojan

Malware Config

Signatures

  • joker

    Joker is an Android malware that targets billing and SMS fraud.

    infostealertrojanjoker
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • ASPack v2.12-2.42 7 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Executes dropped EXE 5 IoCs
  • Modifies AppInit DLL entries 2 TTPs
    persistence
  • Modifies Installed Components in the registry 2 TTPs 3 IoCs
    persistence
  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 12 IoCs
  • Drops file in System32 directory 3 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\61f70c121d427e2a7b2e70937b13099163675b51af23d0b0ec87ea312f021d95.exe
    "C:\Users\Admin\AppData\Local\Temp\61f70c121d427e2a7b2e70937b13099163675b51af23d0b0ec87ea312f021d95.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Users\Admin\AppData\Local\Temp\p.exe
      "C:\Users\Admin\AppData\Local\Temp\p.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:480
      • C:\Users\Admin\AppData\Local\Temp\p.exe
        C:\Users\Admin\AppData\Local\Temp\p.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • Suspicious use of WriteProcessMemory
        PID:1492
        • C:\WINDOWS\zoues\svchost.exe
          C:\WINDOWS\zoues\svchost.exe
          4⤵
          • Executes dropped EXE
          • Modifies Installed Components in the registry
          • Suspicious behavior: EnumeratesProcesses
          PID:848
    • C:\Users\Admin\AppData\Local\Temp\2071.exe
      "C:\Users\Admin\AppData\Local\Temp\2071.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://ad.tjchajian.com:82/ip.html?id=2071
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:884
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:884 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1744
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1740 -s 1004
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:3524
    • C:\Users\Admin\AppData\Local\Temp\ìÅÎèаÉÙÖúÊÖ3.0.9-1.23A(ÐĶ¯ÔöÇ¿).exe
      "C:\Users\Admin\AppData\Local\Temp\ìÅÎèаÉÙÖúÊÖ3.0.9-1.23A(ÐĶ¯ÔöÇ¿).exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.1wly.com/
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:948
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:948 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:480

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    60KB

    MD5

    6c6a24456559f305308cb1fb6c5486b3

    SHA1

    3273ac27d78572f16c3316732b9756ebc22cb6ed

    SHA256

    efc3c579bd619ceab040c4b8c1b821b2d82c64fddd9e80a00ec0d7f6577ed973

    SHA512

    587d4a9175a6aa82cd8bb1c11ca6508f95cd218f76ac322ddbd1bc7146a0e25f8937ee426a6fb0fb0bb045cedb24d8c8a9edfe9f654112f293d8701220f726b4

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    bccf916d9a0074ce94ba806c6caa0d78

    SHA1

    1d14f73805d6172363dd29681ebba7d19c20862d

    SHA256

    2589f3901660ef621b45a5e983e9cb847d3e737f3e2bc0c178f3f881ac996637

    SHA512

    74c2f25911ddfc3c58a5625304ee5a147a4086b62a422142c1dd27826caf44e9277de6b12637b5053e0a2eb94c409f2dcab1eebd10497ae33aca7741fb031b82

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{BACA6091-37EF-11ED-9166-DA7E66F9F45D}.dat
    Filesize

    5KB

    MD5

    125c9bfaf0d2c5df5e23d459624464fc

    SHA1

    20c2507eb74b75c8fe79cf8fe486431a62df0f88

    SHA256

    5cf3d9ce6ca764d5d256e5255e7d7b9fb735314d0c382c0916548361518df5a4

    SHA512

    2819b3bb6f9598254e24ffee3d97fc2be80653be763b1328bd5c90ae8ace1144abfceabd979689aa9f03e8733146e903a602ea333f0c3b383b4874b4916529aa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\2071.exe
    Filesize

    114KB

    MD5

    6a3403a72b8efaecf87009a0cdf709c7

    SHA1

    4db26c3d0ef07c6107278b7583365fe47da6c03f

    SHA256

    3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

    SHA512

    4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\2071.exe
    Filesize

    114KB

    MD5

    6a3403a72b8efaecf87009a0cdf709c7

    SHA1

    4db26c3d0ef07c6107278b7583365fe47da6c03f

    SHA256

    3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

    SHA512

    4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\p.exe
    Filesize

    33KB

    MD5

    a97b8231899c20daa06ca80a3962c6f4

    SHA1

    8b739b51d895b5134ec308d394067b7b44696be1

    SHA256

    04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

    SHA512

    45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\p.exe
    Filesize

    33KB

    MD5

    a97b8231899c20daa06ca80a3962c6f4

    SHA1

    8b739b51d895b5134ec308d394067b7b44696be1

    SHA256

    04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

    SHA512

    45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\p.exe
    Filesize

    33KB

    MD5

    a97b8231899c20daa06ca80a3962c6f4

    SHA1

    8b739b51d895b5134ec308d394067b7b44696be1

    SHA256

    04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

    SHA512

    45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ìÅÎèаÉÙÖúÊÖ3.0.9-1.23A(ÐĶ¯ÔöÇ¿).exe
    Filesize

    2.1MB

    MD5

    1ecd83f218fdfefa40d45cb2712ad43f

    SHA1

    05ffb62a400397d9f2006a6e960cfb78f830400a

    SHA256

    556df8ffc43510080a4ebc2ab998e5a46f909e65e18ee80d8f21276aabd4702f

    SHA512

    5f7cf59f8359cd1ec599c148dd39978fd209720d0b4b85b3eae9d2cdbb064d09adabdde751327d6d71024ba9c03b76b8d79e6ae61a7ea321b44de4779b13636d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\VA1TRIA7.txt
    Filesize

    608B

    MD5

    b3c140916e410474e90883c932e1a614

    SHA1

    1e22308f142e1ac163bda91a333df44fe9e028b2

    SHA256

    a872fa0dc54721c7d6c7aa62918d81c0cc58352f947b832ff8be0f8ed7f82d24

    SHA512

    eba985ea5945d3f3e0a3a6e427dd2c0f518cf801101de7240ddcfe1b7c3a2ae1e2a411822f8a953e6119aded0049cf88918ea4bb6c9f3170234f3d22da9b11a8

    Download Submit

  • C:\Windows\zoues\svchost.exe
    Filesize

    33KB

    MD5

    b8299a947177ce0dc668af3ff05c46fa

    SHA1

    e82e614cffffbfc2ff2b0f3130abd495cbf76b44

    SHA256

    ad46cf29d9a8568a66c2abc2561af34e2546d6c3009c7139b1a7761a0ce98ada

    SHA512

    f2b8d98592979073ba2ebd2de084485f1d1d1e8ff0d6b86a806ee2f105b7770836a0b3f77e569e8fecdb6c65c6aba08ed63b88c426dd873481eb6c792fccd939

    Download Submit

  • \??\c:\WINDOWS\Help\windowsz32.txt
    Filesize

    39B

    MD5

    be563affdf84703821ba6e23d9ed6de7

    SHA1

    5d6d472ddcec06861872e9bf7d18589c4b37e982

    SHA256

    32d7619b9c9011c023d94e7c8d6fd234d85813d7ec7cf7cf3e74f45588c95ccc

    SHA512

    18e6016982f3b2a0a0b618a5e76b641303893a8d50f41a324c4e63254f7cb7e1c7fa6dd6a6f48753e34a633d268477638768bd3b8a897e8a8910d12457f4c685

    Download Submit

  • \Users\Admin\AppData\Local\Temp\2071.exe
    Filesize

    114KB

    MD5

    6a3403a72b8efaecf87009a0cdf709c7

    SHA1

    4db26c3d0ef07c6107278b7583365fe47da6c03f

    SHA256

    3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

    SHA512

    4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

    Download Submit

  • \Users\Admin\AppData\Local\Temp\2071.exe
    Filesize

    114KB

    MD5

    6a3403a72b8efaecf87009a0cdf709c7

    SHA1

    4db26c3d0ef07c6107278b7583365fe47da6c03f

    SHA256

    3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

    SHA512

    4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

    Download Submit

  • \Users\Admin\AppData\Local\Temp\2071.exe
    Filesize

    114KB

    MD5

    6a3403a72b8efaecf87009a0cdf709c7

    SHA1

    4db26c3d0ef07c6107278b7583365fe47da6c03f

    SHA256

    3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

    SHA512

    4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

    Download Submit

  • \Users\Admin\AppData\Local\Temp\2071.exe
    Filesize

    114KB

    MD5

    6a3403a72b8efaecf87009a0cdf709c7

    SHA1

    4db26c3d0ef07c6107278b7583365fe47da6c03f

    SHA256

    3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

    SHA512

    4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

    Download Submit

  • \Users\Admin\AppData\Local\Temp\2071.exe
    Filesize

    114KB

    MD5

    6a3403a72b8efaecf87009a0cdf709c7

    SHA1

    4db26c3d0ef07c6107278b7583365fe47da6c03f

    SHA256

    3f4b5cde4f217058f2914d18e52b5e744776079b161a6297518a87027076743d

    SHA512

    4c114d63fc10dbccff5811b545924dd07f1690ffa581e68faf5609955ad02791a1d83313cc52bb5e6ae7a0e2c784d257c7256c3b9c78c5927ed0709e32f02a51

    Download Submit

  • \Users\Admin\AppData\Local\Temp\p.exe
    Filesize

    33KB

    MD5

    a97b8231899c20daa06ca80a3962c6f4

    SHA1

    8b739b51d895b5134ec308d394067b7b44696be1

    SHA256

    04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

    SHA512

    45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

    Download Submit

  • \Users\Admin\AppData\Local\Temp\p.exe
    Filesize

    33KB

    MD5

    a97b8231899c20daa06ca80a3962c6f4

    SHA1

    8b739b51d895b5134ec308d394067b7b44696be1

    SHA256

    04534e4a204a516e10353a7413cd1558a48968d2c6c1fa44eeb1486876556054

    SHA512

    45ae5b2742aa61eaa7d0526b1d6b60b620f36d93f4d95a122a531a247124e15f8fcc0151a6eacd9c4222849a7ffa629f2b37df15b10e936367d7092b267e5127

    Download Submit

  • \Users\Admin\AppData\Local\Temp\ìÅÎèаÉÙÖúÊÖ3.0.9-1.23A(ÐĶ¯ÔöÇ¿).exe
    Filesize

    2.1MB

    MD5

    1ecd83f218fdfefa40d45cb2712ad43f

    SHA1

    05ffb62a400397d9f2006a6e960cfb78f830400a

    SHA256

    556df8ffc43510080a4ebc2ab998e5a46f909e65e18ee80d8f21276aabd4702f

    SHA512

    5f7cf59f8359cd1ec599c148dd39978fd209720d0b4b85b3eae9d2cdbb064d09adabdde751327d6d71024ba9c03b76b8d79e6ae61a7ea321b44de4779b13636d

    Download Submit

  • \Users\Admin\AppData\Local\Temp\ìÅÎèаÉÙÖúÊÖ3.0.9-1.23A(ÐĶ¯ÔöÇ¿).exe
    Filesize

    2.1MB

    MD5

    1ecd83f218fdfefa40d45cb2712ad43f

    SHA1

    05ffb62a400397d9f2006a6e960cfb78f830400a

    SHA256

    556df8ffc43510080a4ebc2ab998e5a46f909e65e18ee80d8f21276aabd4702f

    SHA512

    5f7cf59f8359cd1ec599c148dd39978fd209720d0b4b85b3eae9d2cdbb064d09adabdde751327d6d71024ba9c03b76b8d79e6ae61a7ea321b44de4779b13636d

    Download Submit

  • \Windows\SysWOW64\intel.dll
    Filesize

    142KB

    MD5

    5b6ae60afa76e99a591556ba5bdc0acb

    SHA1

    e3f12b7fe4337a55c9e859a5ceec95f749cf457b

    SHA256

    7a0cbe06ce186a11a3240015a9e7adc24db91a78f35170933efdc062aa1c4378

    SHA512

    4394f5f198eaf5315e4dba3a03204b9ef3fd4340ef7a98fa865c7dab15fe28d9586ac8cfe738ec60c9961437586d5deba25c6622e1f8af3c4e806022c236c98a

    Download Submit

  • \Windows\SysWOW64\intel.dll
    Filesize

    142KB

    MD5

    5b6ae60afa76e99a591556ba5bdc0acb

    SHA1

    e3f12b7fe4337a55c9e859a5ceec95f749cf457b

    SHA256

    7a0cbe06ce186a11a3240015a9e7adc24db91a78f35170933efdc062aa1c4378

    SHA512

    4394f5f198eaf5315e4dba3a03204b9ef3fd4340ef7a98fa865c7dab15fe28d9586ac8cfe738ec60c9961437586d5deba25c6622e1f8af3c4e806022c236c98a

    Download Submit

  • \Windows\zoues\svchost.exe
    Filesize

    33KB

    MD5

    b8299a947177ce0dc668af3ff05c46fa

    SHA1

    e82e614cffffbfc2ff2b0f3130abd495cbf76b44

    SHA256

    ad46cf29d9a8568a66c2abc2561af34e2546d6c3009c7139b1a7761a0ce98ada

    SHA512

    f2b8d98592979073ba2ebd2de084485f1d1d1e8ff0d6b86a806ee2f105b7770836a0b3f77e569e8fecdb6c65c6aba08ed63b88c426dd873481eb6c792fccd939

    Download Submit

  • memory/1732-87-0x0000000000400000-0x0000000000856000-memory.dmp

    Filesize

    4.3MB

    Download

  • memory/1732-79-0x0000000000400000-0x0000000000856000-memory.dmp

    Filesize

    4.3MB

    Download

  • memory/1732-82-0x0000000000400000-0x0000000000856000-memory.dmp

    Filesize

    4.3MB

    Download

  • memory/1732-88-0x00000000770A0000-0x0000000077220000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1732-81-0x00000000770A0000-0x0000000077220000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1740-78-0x00000000010C0000-0x0000000001106000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1740-86-0x0000000000560000-0x0000000000570000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1740-67-0x00000000010C0000-0x0000000001106000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1740-66-0x00000000010C0000-0x0000000001106000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1740-99-0x00000000010C0000-0x0000000001106000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1996-76-0x0000000002970000-0x00000000029B6000-memory.dmp

    Filesize

    280KB

    Download

  • memory/1996-77-0x0000000000400000-0x000000000066F123-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1996-54-0x0000000075281000-0x0000000075283000-memory.dmp

    Filesize

    8KB

    Download