Analysis

  • max time kernel
    125s
  • max time network
    45s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    24/09/2022, 09:25 UTC

General

  • Target

    tmp.exe

  • Size

    284KB

  • MD5

    0eda8d3edb0defad4b33d7e9dae5809e

  • SHA1

    fe8fa55fbdccc5039ad8afe8e7538af247e6ae47

  • SHA256

    ae40d97e1a8a2b3c19ae35cd2d76b2664ceccf564c337eddbc868dec6e3fd681

  • SHA512

    f39e9fd2e147ccf82e021c2e7f922c5b5df54289d057382c39194e6d2deb1775379ea4c07befa1a222bb9d3833f16e4480fb7b10f20edd2de23f6b74457d4c21

  • SSDEEP

    6144:MJ9X9cMrR7jfEsoAs3QX5aklL9y/iJ2Kjvfg5N7vgLoS:SNt7jxX5aGaSBjvfQFvaoS

Malware Config

Signatures

  • joker

    Joker is an Android malware that targets billing and SMS fraud.

  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    PID:360

Network

  • Country: HK
    POST
    http://206.233.135.147:8001/index/down/index
    tmp.exe
    Remote address:
    206.233.135.147:8001
    Request
    POST /index/down/index HTTP/1.1
    Host: 206.233.135.147:8001
    User-Agent: curl/7.75.0
    Accept: */*
    Accept-Encoding: identity
    Content-Length: 8
    Content-Type: application/x-www-form-urlencoded
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 24 Sep 2022 09:25:19 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=49bcb42e5f4712769dc27b4c18bffd6c; path=/
  • Country: US
    DNS
    cpcicloudcn.oss-cn-hangzhou.aliyuncs.com
    tmp.exe
    Remote address:
    8.8.8.8:53
    Request
    cpcicloudcn.oss-cn-hangzhou.aliyuncs.com
    IN A
    Response
    cpcicloudcn.oss-cn-hangzhou.aliyuncs.com
    IN A
    47.110.23.115
  • Country: CN
    GET
    http://cpcicloudcn.oss-cn-hangzhou.aliyuncs.com/10.dll
    tmp.exe
    Remote address:
    47.110.23.115:80
    Request
    GET /10.dll HTTP/1.1
    Host: cpcicloudcn.oss-cn-hangzhou.aliyuncs.com
    User-Agent: curl/7.75.0
    Accept: */*
    Response
    HTTP/1.1 404 Not Found
    Server: AliyunOSS
    Date: Sat, 24 Sep 2022 09:25:24 GMT
    Content-Type: application/xml
    Content-Length: 291
    Connection: keep-alive
    x-oss-request-id: 632ECD041AFF6534397A0B3B
  • Country: US
    DNS
    wgggg.oss-cn-hangzhou.aliyuncs.com
    tmp.exe
    Remote address:
    8.8.8.8:53
    Request
    wgggg.oss-cn-hangzhou.aliyuncs.com
    IN A
    Response
    wgggg.oss-cn-hangzhou.aliyuncs.com
    IN A
    47.110.177.69
  • Country: CN
    GET
    http://wgggg.oss-cn-hangzhou.aliyuncs.com/91y.exe
    tmp.exe
    Remote address:
    47.110.177.69:80
    Request
    GET /91y.exe HTTP/1.1
    Host: wgggg.oss-cn-hangzhou.aliyuncs.com
    User-Agent: curl/7.75.0
    Accept: */*
    Response
    HTTP/1.1 404 Not Found
    Server: AliyunOSS
    Date: Sat, 24 Sep 2022 09:25:25 GMT
    Content-Type: application/xml
    Content-Length: 279
    Connection: keep-alive
    x-oss-request-id: 632ECD057CF84235342E18A5
  • Country: HK
    POST
    http://206.233.135.147:8001/index/index/index
    tmp.exe
    Remote address:
    206.233.135.147:8001
    Request
    POST /index/index/index HTTP/1.1
    Host: 206.233.135.147:8001
    User-Agent: curl/7.75.0
    Accept: */*
    Accept-Encoding: identity
    Content-Length: 30
    Content-Type: application/x-www-form-urlencoded
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Date: Sat, 24 Sep 2022 09:25:23 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    Set-Cookie: PHPSESSID=2df0d85578e509e04f93ef9b528e63bf; path=/
  • 206.233.135.147:8001
    http://206.233.135.147:8001/index/down/index
    http
    tmp.exe
    486 B
    1.1kB
    6
    5

    HTTP Request

    POST http://206.233.135.147:8001/index/down/index

    HTTP Response

    200
  • 47.110.23.115:80
    http://cpcicloudcn.oss-cn-hangzhou.aliyuncs.com/10.dll
    http
    tmp.exe
    340 B
    665 B
    5
    4

    HTTP Request

    GET http://cpcicloudcn.oss-cn-hangzhou.aliyuncs.com/10.dll

    HTTP Response

    404
  • 127.0.0.1:49161
    tmp.exe
  • 127.0.0.1:49164
    tmp.exe
  • 127.0.0.1:49166
    tmp.exe
  • 127.0.0.1:49169
    tmp.exe
  • 127.0.0.1:49171
    tmp.exe
  • 47.110.177.69:80
    http://wgggg.oss-cn-hangzhou.aliyuncs.com/91y.exe
    http
    tmp.exe
    335 B
    653 B
    5
    4

    HTTP Request

    GET http://wgggg.oss-cn-hangzhou.aliyuncs.com/91y.exe

    HTTP Response

    404
  • 206.233.135.147:8001
    http://206.233.135.147:8001/index/index/index
    http
    tmp.exe
    458 B
    442 B
    5
    4

    HTTP Request

    POST http://206.233.135.147:8001/index/index/index

    HTTP Response

    200
  • 127.0.0.1:49175
    tmp.exe
  • 8.8.8.8:53
    cpcicloudcn.oss-cn-hangzhou.aliyuncs.com
    dns
    tmp.exe
    86 B
    102 B
    1
    1

    DNS Request

    cpcicloudcn.oss-cn-hangzhou.aliyuncs.com

    DNS Response

    47.110.23.115

  • 8.8.8.8:53
    wgggg.oss-cn-hangzhou.aliyuncs.com
    dns
    tmp.exe
    80 B
    96 B
    1
    1

    DNS Request

    wgggg.oss-cn-hangzhou.aliyuncs.com

    DNS Response

    47.110.177.69

MITRE ATT&CK Matrix

Downloads

  • memory/360-54-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB

  • memory/360-55-0x0000000000400000-0x00000000004B8000-memory.dmp

    Filesize

    736KB
