joker | 02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209

Analysis

max time kernel
151s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2022 05:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
Size

17.0MB
MD5

bfbafae712a2519347c52081b9fb7405
SHA1

77078981289753ef2ff37028955d79dd2ac9e8e0
SHA256

02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209
SHA512

7834ecae08e49c0bd96c0f859ae6383944ce5bdff6d10b1388be40ff9a74f0a7c146aad9eeb46dd078f86ebddd00882513d4b48e1454eb9e880724e2755f1322
SSDEEP

393216:evHD8CoewDNlEbuLWg1+aG55xjceYYnl0khim4zrWHD9R8+uNYRFC3:evHDV3nl0aMQY+uNYRg3

Score

10^/10

joker evasion infostealer oss_ak persistence trojan

Malware Config

Extracted

Family

joker

https://edrawcloudcn.oss-cn-shenzhen.aliyuncs.com

http://edrawcloudpubliccn.oss-cn-shenzhen.aliyuncs.com

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

detect oss ak 2 IoCs

oss ak information detected.

oss_ak

resource	yara_rule
behavioral1/files/0x0001000000022df4-140.dat	detect_ak_stuff
behavioral1/files/0x0001000000022df4-141.dat	detect_ak_stuff

Executes dropped EXE 6 IoCs

pid	Process
1476	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
4220	icsys.icn.exe
220	explorer.exe
3148	spoolsv.exe
3748	svchost.exe
1456	spoolsv.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	svchost.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe
4220	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
220	explorer.exe
3748	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
4220	icsys.icn.exe
4220	icsys.icn.exe
220	explorer.exe
220	explorer.exe
3148	spoolsv.exe
3148	spoolsv.exe
3748	svchost.exe
3748	svchost.exe
1456	spoolsv.exe
1456	spoolsv.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3248 wrote to memory of 1476	3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe	86
PID 3248 wrote to memory of 1476	3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe	86
PID 3248 wrote to memory of 1476	3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe	86
PID 3248 wrote to memory of 4220	3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe	87
PID 3248 wrote to memory of 4220	3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe	87
PID 3248 wrote to memory of 4220	3248	02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe	87
PID 4220 wrote to memory of 220	4220	icsys.icn.exe	88
PID 4220 wrote to memory of 220	4220	icsys.icn.exe	88
PID 4220 wrote to memory of 220	4220	icsys.icn.exe	88
PID 220 wrote to memory of 3148	220	explorer.exe	89
PID 220 wrote to memory of 3148	220	explorer.exe	89
PID 220 wrote to memory of 3148	220	explorer.exe	89
PID 3148 wrote to memory of 3748	3148	spoolsv.exe	92
PID 3148 wrote to memory of 3748	3148	spoolsv.exe	92
PID 3148 wrote to memory of 3748	3148	spoolsv.exe	92
PID 3748 wrote to memory of 1456	3748	svchost.exe	94
PID 3748 wrote to memory of 1456	3748	svchost.exe	94
PID 3748 wrote to memory of 1456	3748	svchost.exe	94

C:\Users\Admin\AppData\Local\Temp\02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
"C:\Users\Admin\AppData\Local\Temp\02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3248
- \??\c:\users\admin\appdata\local\temp\02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe
  "c:\users\admin\appdata\local\temp\02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe "
  2⤵
  - Executes dropped EXE
  PID:1476
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4220
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:220
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3148
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3748
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1456

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe

Filesize
16.9MB

MD5
97a4f9a601e31cf94530d51490adee9d

SHA1
ebf4c3d9d9b5e8a6fd3e83f83f993e38b9c45398

SHA256
bbf022c77e71eed3d768fafc8c0419c261b406e943ca4d4f21737612235af02e

SHA512
4deb16612389d5eafaa79a354efeba9c2e03488db93c5fda272f6a19fbf3eb298d34e6e92b1500c331dccae00e48f61fbd18b566666aa28c363b3dfa75edbf83

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
e23d0c7bef8def8dd1e429e9cb27d99d

SHA1
e5c03341f8fe85cadedeca301e7d9d3896c85124

SHA256
1b5823ef3175deb1c3ff87f116d77f43d343e70da291a95d8956c2dcda11c043

SHA512
16ef107e1ff008f106979cf5f1e869ee668d9d0febf284b4e188940abbaed9ac62b85fa9be210e0995684b0fa0ba36be3dd2a007db60d1aa468d4dff451d2047

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
2f27ad93a31a7c4b2bfba5c205776d1a

SHA1
59b4fdfb6ce465fd563df538bcd9939b610cdc75

SHA256
47c002661e6979ea1104156bbe15f6c9bbda39f5b24119d8403e26140c7ab323

SHA512
c005f837ef8ebcff14f67d1e6f68f7d7ed60e46684b7466b53009c0ebd671ca4a65037d7f82c37bb65b4c562222a60915c365533da71ceb418bf860eefe902f6

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
2f27ad93a31a7c4b2bfba5c205776d1a

SHA1
59b4fdfb6ce465fd563df538bcd9939b610cdc75

SHA256
47c002661e6979ea1104156bbe15f6c9bbda39f5b24119d8403e26140c7ab323

SHA512
c005f837ef8ebcff14f67d1e6f68f7d7ed60e46684b7466b53009c0ebd671ca4a65037d7f82c37bb65b4c562222a60915c365533da71ceb418bf860eefe902f6

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
0bda4132dec4dc47ad7d150ef58c2875

SHA1
a067c84cae277792a24f337944470a2140b0ae6f

SHA256
d7e67c971e8be7b9463855bf3dff309f6fdada41ac4f159f87e7f09d0c60eef8

SHA512
be07d824b51da58c7d41c1a677af3c98d995985a5932fafa72f330d3ebeb72d65ae8946337ce1febd9102713ef110750c7b7de993d9a2f4997a4d29eec34ed0d

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
0bda4132dec4dc47ad7d150ef58c2875

SHA1
a067c84cae277792a24f337944470a2140b0ae6f

SHA256
d7e67c971e8be7b9463855bf3dff309f6fdada41ac4f159f87e7f09d0c60eef8

SHA512
be07d824b51da58c7d41c1a677af3c98d995985a5932fafa72f330d3ebeb72d65ae8946337ce1febd9102713ef110750c7b7de993d9a2f4997a4d29eec34ed0d

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
6742fd33445560991b101a08c96caa1a

SHA1
086d9e6ce11c8830a9d4cbde546917e123b67069

SHA256
c34f49ab55a5ef4d1fb0c43e6a8e1e156ec89cdc72f4524a5c8511ea21d7e796

SHA512
dd9ff3077fae4b8bf1f7fe7c885b8e2fead6afc2152b97079f608d58c7ae50c0424e963b55f02add85ab3e142e4b585585ff8f856fd28071d7d34186cd31c7ba

Download Submit
\??\c:\users\admin\appdata\local\temp\02352543d5b466190b347d164fc1af162182597f9f0f0527973530837875b209 (1).exe

Filesize
16.9MB

MD5
97a4f9a601e31cf94530d51490adee9d

SHA1
ebf4c3d9d9b5e8a6fd3e83f83f993e38b9c45398

SHA256
bbf022c77e71eed3d768fafc8c0419c261b406e943ca4d4f21737612235af02e

SHA512
4deb16612389d5eafaa79a354efeba9c2e03488db93c5fda272f6a19fbf3eb298d34e6e92b1500c331dccae00e48f61fbd18b566666aa28c363b3dfa75edbf83

Download Submit
\??\c:\windows\resources\spoolsv.exe

Filesize
135KB

MD5
0bda4132dec4dc47ad7d150ef58c2875

SHA1
a067c84cae277792a24f337944470a2140b0ae6f

SHA256
d7e67c971e8be7b9463855bf3dff309f6fdada41ac4f159f87e7f09d0c60eef8

SHA512
be07d824b51da58c7d41c1a677af3c98d995985a5932fafa72f330d3ebeb72d65ae8946337ce1febd9102713ef110750c7b7de993d9a2f4997a4d29eec34ed0d

Download Submit
\??\c:\windows\resources\svchost.exe

Filesize
135KB

MD5
6742fd33445560991b101a08c96caa1a

SHA1
086d9e6ce11c8830a9d4cbde546917e123b67069

SHA256
c34f49ab55a5ef4d1fb0c43e6a8e1e156ec89cdc72f4524a5c8511ea21d7e796

SHA512
dd9ff3077fae4b8bf1f7fe7c885b8e2fead6afc2152b97079f608d58c7ae50c0424e963b55f02add85ab3e142e4b585585ff8f856fd28071d7d34186cd31c7ba

Download Submit
\??\c:\windows\resources\themes\explorer.exe

Filesize
135KB

MD5
e23d0c7bef8def8dd1e429e9cb27d99d

SHA1
e5c03341f8fe85cadedeca301e7d9d3896c85124

SHA256
1b5823ef3175deb1c3ff87f116d77f43d343e70da291a95d8956c2dcda11c043

SHA512
16ef107e1ff008f106979cf5f1e869ee668d9d0febf284b4e188940abbaed9ac62b85fa9be210e0995684b0fa0ba36be3dd2a007db60d1aa468d4dff451d2047

Download Submit
memory/220-155-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/220-180-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1456-176-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1456-174-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3148-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3148-177-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3248-135-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3248-178-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3748-173-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3748-181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4220-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4220-179-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download