joker | 790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28

General

Target

790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Size

2.1MB
MD5

f0a0fc62fc5faadfcef4ee6097a856f2
SHA1

9b590912a93b82c520337791118476c403f8ce38
SHA256

790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28
SHA512

bb750bc9fc526245e91d900bd67454ed5905cde51c5df9b70d89e88547ed3b4a022b705cafc0e7271f587fda057d885516b5e124345768491c84619c54e05947
SSDEEP

49152:EEsJnEevhTHZOyVg1qKC33S7Htj6xh0Xh+X8O:EEwnESZMs3wtj6xh0Xh28O

Score

10^/10

joker infostealer trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.2dama.com\ = "63"	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\2dama.com\NumberOfSubdomains = "1"	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\2dama.com	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.2dama.com	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\2dama.com\Total = "63"	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\2dama.com\Total = "126"	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\IESettingSync	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\DOMStorage\2dama.com	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.2dama.com\ = "126"	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.GHSProtocol	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.GHSProtocol\ = "Embedded Async Pluggable Protocol"	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.GHSProtocol\Clsid\ = "{FCAA32E7-B054-4E44-8EFE-C24329CB7D9F}"	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA32E7-B054-4E44-8EFE-C24329CB7D9F}\ProgID	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA32E7-B054-4E44-8EFE-C24329CB7D9F}	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA32E7-B054-4E44-8EFE-C24329CB7D9F}\ = "Embedded Async Pluggable Protocol"	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA32E7-B054-4E44-8EFE-C24329CB7D9F}\LocalServer32	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA32E7-B054-4E44-8EFE-C24329CB7D9F}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe"	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.GHSProtocol\Clsid	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCAA32E7-B054-4E44-8EFE-C24329CB7D9F}\ProgID\ = "790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.GHSProtocol"	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2388	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
2388	790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe

C:\Users\Admin\AppData\Local\Temp\790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe
"C:\Users\Admin\AppData\Local\Temp\790f43744bef940f38967d8156aae084d9d6abcee183aac1a47c69e645b22d28.exe"
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2388

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads