Overview

overview

10

Static

static

4cf13e6374...ca.exe

windows7-x64

10

4cf13e6374...ca.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    154s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    20-09-2022 16:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4cf13e6374b590864851a7d078c6c0ca.exe

  • Size

    132KB

  • MD5

    4cf13e6374b590864851a7d078c6c0ca

  • SHA1

    7af06765aa146779df01a40dfa95eb666237205c

  • SHA256

    1634cd31bc5c8b50aa4efe86d8c5611cc15d2f6d7e9a4441d059189e1efd1cf5

  • SHA512

    06b6f67f054976d19b6dee7e6d6fb5181dd79450f10becf33e58251a482c1be969f6207138d8a8800ec80b827030b98da233628b42873d9993ca56f113f35c93

  • SSDEEP

    3072:z1i/NU8bOMYcYYcmy5K/40g3nan3vx9kGSYng76s5YmMOMYcYY51i/NU8m:Bi/NjO5u//g+UGSYnum3Oai/Nu

Score
10/10
jokerinfostealerpersistencetrojan

Malware Config

Signatures

  • joker

    Joker is an Android malware that targets billing and SMS fraud.

    infostealertrojanjoker
  • Executes dropped EXE 1 IoCs
  • Modifies Installed Components in the registry 2 TTPs 2 IoCs
    persistence
  • Deletes itself 1 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 2 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 52 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 7 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\4cf13e6374b590864851a7d078c6c0ca.exe
    "C:\Users\Admin\AppData\Local\Temp\4cf13e6374b590864851a7d078c6c0ca.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /im KSafeTray.exe /f
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1004
    • C:\WINDOWS\sys.exe
      "C:\WINDOWS\sys.exe"
      2⤵
      • Executes dropped EXE
      • Modifies Installed Components in the registry
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2024
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill.exe /im KSafeTray.exe /f
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:952
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ymtuku.com/xg/?tan
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:868
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:868 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:568
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1540
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\All Users\桌面\Internet Explorer.lnk"
          4⤵
          • Views/modifies file attributes
          PID:972
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:632
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\Admin\桌面\Internet Explorer.lnk"
          4⤵
          • Views/modifies file attributes
          PID:1484
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1640
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\启动 Internet Explorer 浏览器.lnk"
          4⤵
          • Views/modifies file attributes
          PID:752
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1676
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\Admin\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Explorer.lnk"
          4⤵
          • Views/modifies file attributes
          PID:1744
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1740
        • C:\Windows\SysWOW64\attrib.exe
          attrib +h "C:\Documents and Settings\Admin\「开始」菜单\程序\Internet Explorer.lnk"
          4⤵
          • Views/modifies file attributes
          PID:1772
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c attrib +h "C:\WINDOWS\sys.exe"
        3⤵
          PID:1988
          • C:\Windows\SysWOW64\attrib.exe
            attrib +h "C:\WINDOWS\sys.exe"
            4⤵
            • Drops file in Windows directory
            • Views/modifies file attributes
            PID:340
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /c attrib +h "c:\sys.exe"
          3⤵
            PID:956
            • C:\Windows\SysWOW64\attrib.exe
              attrib +h "c:\sys.exe"
              4⤵
              • Views/modifies file attributes
              PID:1000
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c del 4cf13e6374b590864851a7d078c6c0ca.exe
          2⤵
          • Deletes itself
          PID:2008

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
        Filesize

        60KB

        MD5

        6c6a24456559f305308cb1fb6c5486b3

        SHA1

        3273ac27d78572f16c3316732b9756ebc22cb6ed

        SHA256

        efc3c579bd619ceab040c4b8c1b821b2d82c64fddd9e80a00ec0d7f6577ed973

        SHA512

        587d4a9175a6aa82cd8bb1c11ca6508f95cd218f76ac322ddbd1bc7146a0e25f8937ee426a6fb0fb0bb045cedb24d8c8a9edfe9f654112f293d8701220f726b4

        Download Submit

      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
        Filesize

        344B

        MD5

        b86f035ae27db1b61679f5f46bc2a0ee

        SHA1

        52eae6f2ede4153b8e61b8070c3865ee1d3b4a28

        SHA256

        02ff28c083ac86e5a96fd16720e6acfca6624cd188a2cffc2d41d7d34cc18bbc

        SHA512

        c41bc9d0b2bf947e5b2c22d7dc1541ed79258fa314b1837af6c4be10fe7571fd1a2d53597a222f7342bc9b26350466a086cd917ddd3d4693ee1a6a391657e94c

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\lwrmjt1\imagestore.dat
        Filesize

        5KB

        MD5

        b7575818725635960229f5d576a67617

        SHA1

        5946cc06041b15ff8b6ea510cb3d98cd4f8d05a9

        SHA256

        7f365e1e4d0e64c2988dfd57192005b182e07c42db699f43abb412ff329168ef

        SHA512

        b13343555a9ae7be5f9fab924d49ba867d49ee6d09920295f13aa42f835c74d6e75fdca907bf6ab4e2c2dc82d51dc12b5b138e86166d36fe853ffcaad606ba2d

        Download Submit

      • C:\WINDOWS\sys.exe
        Filesize

        132KB

        MD5

        194894f26fc7b6799f5c142d7ef7cdae

        SHA1

        212ab422b954f1223bd4d107b2a77c3415434c51

        SHA256

        7d45453a87e0da2a3f3a09d78087dc4379a74c4809d425278849ccef483d70fd

        SHA512

        9b997d5e98e8cf3542b97da0f3d616aba9aa298e9a0962aa49b67bf9b456fad0b310aa556dd6b88a6e8231abe2695ab65820e9096d2afc6aea1d9f8735d8d17f

        Download Submit

      • C:\Windows\sys.exe
        Filesize

        132KB

        MD5

        194894f26fc7b6799f5c142d7ef7cdae

        SHA1

        212ab422b954f1223bd4d107b2a77c3415434c51

        SHA256

        7d45453a87e0da2a3f3a09d78087dc4379a74c4809d425278849ccef483d70fd

        SHA512

        9b997d5e98e8cf3542b97da0f3d616aba9aa298e9a0962aa49b67bf9b456fad0b310aa556dd6b88a6e8231abe2695ab65820e9096d2afc6aea1d9f8735d8d17f

        Download Submit

      • C:\sys.exe
        Filesize

        132KB

        MD5

        b1b306f45c3a6deac2c9ff36f8b3b952

        SHA1

        60f8f2064effbe115afc929915f35a06804f4344

        SHA256

        246f0f85c89b9bad8e3a55fb158cfa503f3b4ecf592384b5cfb1663c75367e0f

        SHA512

        471ed24ca31364fb3e414627b40b277c73b1a3af718c5aeb58759c95b14201871b2936d76649ef6f742633ca76beac29805c45572043ba2152d47f92ee16ed3b

        Download Submit

      • \??\c:\sys.exe
        Filesize

        132KB

        MD5

        b1b306f45c3a6deac2c9ff36f8b3b952

        SHA1

        60f8f2064effbe115afc929915f35a06804f4344

        SHA256

        246f0f85c89b9bad8e3a55fb158cfa503f3b4ecf592384b5cfb1663c75367e0f

        SHA512

        471ed24ca31364fb3e414627b40b277c73b1a3af718c5aeb58759c95b14201871b2936d76649ef6f742633ca76beac29805c45572043ba2152d47f92ee16ed3b

        Download Submit

      • memory/340-78-0x0000000000000000-mapping.dmp

        Download

      • memory/632-69-0x0000000000000000-mapping.dmp

        Download

      • memory/752-72-0x0000000000000000-mapping.dmp

        Download

      • memory/952-63-0x0000000000000000-mapping.dmp

        Download

      • memory/956-79-0x0000000000000000-mapping.dmp

        Download

      • memory/972-68-0x0000000000000000-mapping.dmp

        Download

      • memory/1000-80-0x0000000000000000-mapping.dmp

        Download

      • memory/1004-56-0x0000000000000000-mapping.dmp

        Download

      • memory/1484-70-0x0000000000000000-mapping.dmp

        Download

      • memory/1540-67-0x0000000000000000-mapping.dmp

        Download

      • memory/1640-71-0x0000000000000000-mapping.dmp

        Download

      • memory/1676-73-0x0000000000000000-mapping.dmp

        Download

      • memory/1740-75-0x0000000000000000-mapping.dmp

        Download

      • memory/1744-74-0x0000000000000000-mapping.dmp

        Download

      • memory/1772-76-0x0000000000000000-mapping.dmp

        Download

      • memory/1884-57-0x0000000076321000-0x0000000076323000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1988-77-0x0000000000000000-mapping.dmp

        Download

      • memory/2008-60-0x0000000000000000-mapping.dmp

        Download

      • memory/2024-58-0x0000000000000000-mapping.dmp

        Download