Analysis
-
max time kernel
148s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
19-09-2022 04:21
General
-
Target
41b8d73634f16f56e3684388a9c1e39b090340774eb3c9cebe3302d317d219c4.exe
-
Size
57KB
-
MD5
619444aaaccb2409893d167eb6fdce91
-
SHA1
26431fa33a258eea1f5aca88f57a9c5874e18b4a
-
SHA256
41b8d73634f16f56e3684388a9c1e39b090340774eb3c9cebe3302d317d219c4
-
SHA512
9feef92dd0c85739e9b54de18190e6847d5219337ec967df139837100a72de97fb8e24b6e01dfab98f4c2725fe267dc0a9ab7c04c149140beb656f116e2a7c0d
-
SSDEEP
1536:6qF+qJB0ODqnmmmcLLWBPkUZ9vAbOu/Ys5MpmMe4O:RF5J2OGnmmJLtogOu+mMLO
Malware Config
Signatures
-
joker
Joker is an Android malware that targets billing and SMS fraud.
-
Executes dropped EXE 1 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Deletes itself 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 47 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\41b8d73634f16f56e3684388a9c1e39b090340774eb3c9cebe3302d317d219c4.exe"C:\Users\Admin\AppData\Local\Temp\41b8d73634f16f56e3684388a9c1e39b090340774eb3c9cebe3302d317d219c4.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\kage2011_check.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?716284⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1176 CREDAT:275457 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf4⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat4⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?i"" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf5⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r6⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o7⤵
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 D:\VolumeDH\inj.dat,MainLoad5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inlA0A6.tmpC:\Users\Admin\AppData\Local\Temp\inlA0A6.tmp2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\41B8D7~1.EXE > nul2⤵
- Deletes itself
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
64.7MB
MD55a0df4a25dec84c281e5e8c1a054171b
SHA1600de91564a8b5a407b983f6c9eb47e7fcc01f17
SHA256d37e780e53a48a1c2f3425b830cedd85b259234b3556b4bdc282893a86626c89
SHA5121a4e85fb0c414eab67517f0a001c8e0d3ae81c72e2a86492f0eb948b8287761184a6c96d3e4ccf787b6823a0f25567378ff1f86e8329e1c1152405136e7d2a06
-
Filesize
53B
MD523962a245f75fe25510051582203aff1
SHA120832a3a1179bb2730194d2f7738d41d5d669a43
SHA2561abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647
SHA512dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80
-
Filesize
557B
MD560c54480fe85d58d72662fa3b1255f8f
SHA17e975bcf566b39ecffbf784231187ee8a753af88
SHA256c87185e8b06aceab6578bdadd26d32251353c882f126643567bc7619e8b02c76
SHA512299d36847b969c184151c83b59b88ac2322c2ee9d89643ae53994c2ae32299f45c8ace083e0c0cfbc4eb3136d16d57f126d4340b833140325deb4c980b93cf9a
-
Filesize
3KB
MD5286fe459674aef6eee17f6ac79a15fdb
SHA1233dc43099c575a67b05fc1076e676324fd6e63d
SHA256872cc596dc1fe6d5a131129bd84c2a76d6874e9c57ab2cd792d4d12b6f014fd2
SHA512c9acc4a134001da76e7ae6aa5ae65ce58501942dfc1f80959ae4db27c06010db753c9d115eedbe0b2b0e30dd5c4dcd1d32816493b053c65cee81d3a343c87314
-
Filesize
492B
MD534c14b8530e1094e792527f7a474fe77
SHA1f71c4e9091140256b34c18220d1dd1efab1f301d
SHA256fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713
SHA51225bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2
-
Filesize
3KB
MD5d4917ae9072a10d8e12ef3b282b25b3b
SHA1bd9ec6c6395997525ec7c15ecca2f115573cc14c
SHA2566f7649988962c61ac7644262ee6082ef352bbb00cb155a3f4ef0467fbdf1c67b
SHA512c6ed3119e008191ad56050f6b72a2d64e908c57e80fd0c252b8b1947cf091644c83b6bc16c56d6e2153579eb3e8711c8cd608977426a0906d56a7713bfca309d
-
Filesize
247B
MD5ca436f6f187bc049f9271ecdcbf348fa
SHA1bf8a548071cfc150f7affb802538edf03d281106
SHA2566cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534
SHA512d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591
-
Filesize
12.3MB
MD553f92648225c8608a14a8cfb46cbb76d
SHA15ff3195292b298f6542525d8eb2ac949f2e17708
SHA256033463e38dae2ddaf36dbe067ffc1bc488ddf712200c1278d9bf28506a85abb8
SHA512637f8683ee7800f45a4ea1767d3cb8ed1c6fd89ca25d6e6ae4fc220fc5a3588d81721b749bdf4ee49c2e5d7790043eada3c8d053bb704c9f94042ca3cec332c0
-
Filesize
64.8MB
MD5f222e8de4c5a2d0f9a7b7226284a2173
SHA1a73fe1f82855f7f1bd78adfbb8b0fcd29c93fe3d
SHA2560ae67cef77463383679bcb26641b73d86648db5aff703c7674bae109fc08f531
SHA5124ad553fdfb737fa965508110e96821a877f096742eb22ce3c7fe89112ebf991307b39f23df6256c8df45d52d29ebdb4e3d5dc6d8135c5a49f2abccfb514c65fb
-
Filesize
68.4MB
MD5a457b7f9357949ed933f2c34ac95c6bc
SHA146f56479bad9ee39409e81e9ece83881630cd8c8
SHA25698da80466be9d492ad69b08b9e971e2b8fdfd4d3a0a3bd637ecf2c182cf794b4
SHA512857b46b2456c2bdf06f1d74ebc96c3799c3da7e7eee81f8b13018a853b9bfb6b8eeec5376dfc21a5e54b74ac422bcc6ed5fd15431ef0c416e9fcb970d77da553
-
Filesize
8KB
-
Filesize
64KB
-
Filesize
60KB
-
Filesize
8KB
-
Filesize
12KB
-
Filesize
152KB
-
Filesize
152KB