Analysis

max time kernel: 125s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 24/09/2022, 09:25 UTC
Behavioral task: behavioral1
Sample: tmp.exe
Resource: win7-20220812-en
3 signatures
150 seconds

Behavioral task: behavioral2
Sample: tmp.exe
Resource: win10v2004-20220901-en
3 signatures
150 seconds
General

Target: tmp.exe
Size: 284KB
MD5: 0eda8d3edb0defad4b33d7e9dae5809e
SHA1: fe8fa55fbdccc5039ad8afe8e7538af247e6ae47
SHA256: ae40d97e1a8a2b3c19ae35cd2d76b2664ceccf564c337eddbc868dec6e3fd681
SHA512: f39e9fd2e147ccf82e021c2e7f922c5b5df54289d057382c39194e6d2deb1775379ea4c07befa1a222bb9d3833f16e4480fb7b10f20edd2de23f6b74457d4c21
SSDEEP: 6144:MJ9X9cMrR7jfEsoAs3QX5aklL9y/iJ2Kjvfg5N7vgLoS:SNt7jxX5aGaSBjvfQFvaoS
Score: 10/10
Malware Config
Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.

yara_rule matches
resource | yara_rule
behavioral1/memory/360-54-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/360-55-0x0000000000400000-0x00000000004B8000-memory.dmp | upx

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
360 | tmp.exe
360 | tmp.exe
Processes
Network

Remote address: 206.233.135.147:8001
Request
POST /index/down/index HTTP/1.1
Host: 206.233.135.147:8001
User-Agent: curl/7.75.0
Accept: */*
Accept-Encoding: identity
Content-Length: 8
Content-Type: application/x-www-form-urlencoded
Response
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2022 09:25:19 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=49bcb42e5f4712769dc27b4c18bffd6c; path=/

Remote address: 8.8.8.8:53
Request: cpcicloudcn.oss-cn-hangzhou.aliyuncs.com IN A
Response: cpcicloudcn.oss-cn-hangzhou.aliyuncs.com IN A 47.110.23.115

Remote address: 47.110.23.115:80
Request
GET /10.dll HTTP/1.1
Host: cpcicloudcn.oss-cn-hangzhou.aliyuncs.com
User-Agent: curl/7.75.0
Accept: */*
Response
HTTP/1.1 404 Not Found
Date: Sat, 24 Sep 2022 09:25:24 GMT
Content-Type: application/xml
Content-Length: 291
Connection: keep-alive
x-oss-request-id: 632ECD041AFF6534397A0B3B

Remote address: 8.8.8.8:53
Request: wgggg.oss-cn-hangzhou.aliyuncs.com IN A
Response: wgggg.oss-cn-hangzhou.aliyuncs.com IN A 47.110.177.69

Remote address: 47.110.177.69:80
Request
GET /91y.exe HTTP/1.1
Host: wgggg.oss-cn-hangzhou.aliyuncs.com
User-Agent: curl/7.75.0
Accept: */*
Response
HTTP/1.1 404 Not Found
Date: Sat, 24 Sep 2022 09:25:25 GMT
Content-Type: application/xml
Content-Length: 279
Connection: keep-alive
x-oss-request-id: 632ECD057CF84235342E18A5

Remote address: 206.233.135.147:8001
Request
POST /index/index/index HTTP/1.1
Host: 206.233.135.147:8001
User-Agent: curl/7.75.0
Accept: */*
Accept-Encoding: identity
Content-Length: 30
Content-Type: application/x-www-form-urlencoded
Response
HTTP/1.1 200 OK
Date: Sat, 24 Sep 2022 09:25:23 GMT
Content-Type: application/json; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: PHPSESSID=2df0d85578e509e04f93ef9b528e63bf; path=/
Flow summary (bytes and packets: sent / received)

Bytes | Packets | Request | Response
486 B / 1.1kB | 6 / 5 | HTTP Request: POST http://206.233.135.147:8001/index/down/index | HTTP Response: 200
340 B / 665 B | 5 / 4 | HTTP Request: GET http://cpcicloudcn.oss-cn-hangzhou.aliyuncs.com/10.dll | HTTP Response: 404
335 B / 653 B | 5 / 4 | HTTP Request: GET http://wgggg.oss-cn-hangzhou.aliyuncs.com/91y.exe | HTTP Response: 404
458 B / 442 B | 5 / 4 | HTTP Request: POST http://206.233.135.147:8001/index/index/index | HTTP Response: 200
86 B / 102 B | 1 / 1 | DNS Request: cpcicloudcn.oss-cn-hangzhou.aliyuncs.com | DNS Response: 47.110.23.115
80 B / 96 B | 1 / 1 | DNS Request: wgggg.oss-cn-hangzhou.aliyuncs.com | DNS Response: 47.110.177.69
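Worked example, added here and not part of the sandbox report or the sandbox's own tooling: the script below parses an abridged copy of the HTTP exchanges captured above, pulls out the IOCs (peer IPs, OSS bucket hostnames, URLs, the curl User-Agent), separates the C2 check-ins the server answered from the payload fetches that failed, and turns each exchange into a Suricata rule. The REMOTE/=== transcript layout, the function names and the sid range are my own assumptions; the addresses, paths and headers are the report's.

```python
"""IOC extraction and detection logic over the HTTP exchanges in the report.
Added example, not part of the sandbox report. The transcript is an abridged
copy of the report's Network section; the sid range is an assumption."""
import re
from dataclasses import dataclass

# Constructed from the report's Network section (some headers dropped).
CAPTURE = """\
REMOTE 206.233.135.147:8001
POST /index/down/index HTTP/1.1
Host: 206.233.135.147:8001
User-Agent: curl/7.75.0
Content-Length: 8
Content-Type: application/x-www-form-urlencoded

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Set-Cookie: PHPSESSID=49bcb42e5f4712769dc27b4c18bffd6c; path=/
===
REMOTE 47.110.23.115:80
GET /10.dll HTTP/1.1
Host: cpcicloudcn.oss-cn-hangzhou.aliyuncs.com
User-Agent: curl/7.75.0

HTTP/1.1 404 Not Found
Content-Type: application/xml
===
REMOTE 47.110.177.69:80
GET /91y.exe HTTP/1.1
Host: wgggg.oss-cn-hangzhou.aliyuncs.com
User-Agent: curl/7.75.0

HTTP/1.1 404 Not Found
Content-Type: application/xml
===
REMOTE 206.233.135.147:8001
POST /index/index/index HTTP/1.1
Host: 206.233.135.147:8001
User-Agent: curl/7.75.0
Content-Length: 30
Content-Type: application/x-www-form-urlencoded

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Set-Cookie: PHPSESSID=2df0d85578e509e04f93ef9b528e63bf; path=/
"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


@dataclass
class Exchange:
    remote: str   # ip:port the sample connected to
    method: str
    path: str
    req: dict     # request headers, names lower-cased
    status: int

    @property
    def host(self):
        # Host header without the port (Suricata's http.host buffer has no port either),
        # falling back to the peer address when the header is absent.
        return self.req.get("host", self.remote).rsplit(":", 1)[0]

    @property
    def url(self):
        return f"http://{self.req.get('host', self.remote)}{self.path}"


def _headers(lines):
    return {k.strip().lower(): v.strip()
            for k, v in (l.split(":", 1) for l in lines if ":" in l)}


def parse_capture(text):
    """One Exchange per block: REMOTE line, request, blank line, response."""
    out = []
    for block in text.strip().split("\n===\n"):
        req_part, _, resp_part = block.partition("\n\n")
        lines = req_part.splitlines()
        method, path, _ = lines[1].split()
        status = int(resp_part.splitlines()[0].split()[1])
        out.append(Exchange(lines[0].split()[1], method, path, _headers(lines[2:]), status))
    return out


def extract_iocs(exchanges):
    iocs = {"ips": set(), "domains": set(), "urls": set(), "user_agents": set()}
    for ex in exchanges:
        iocs["ips"].add(ex.remote.rsplit(":", 1)[0])
        (iocs["ips"] if IPV4.fullmatch(ex.host) else iocs["domains"]).add(ex.host)
        iocs["urls"].add(ex.url)
        if "user-agent" in ex.req:
            iocs["user_agents"].add(ex.req["user-agent"])
    return iocs


def staging_summary(exchanges):
    """Check-ins the C2 answered with 200 vs. payload fetches that came back 404:
    in this run both OSS objects were gone, so no second stage was obtained."""
    return {
        "c2_checkins": [ex.url for ex in exchanges if ex.method == "POST" and ex.status == 200],
        "failed_downloads": [ex.url for ex in exchanges if ex.method == "GET" and ex.status == 404],
    }


def suricata_rules(exchanges, sid_base=9000001):
    """One rule per exchange keyed on method, host, URI and User-Agent.
    sid_base is an assumption; use a free range from your own ruleset."""
    return [
        f'alert http any any -> any any (msg:"tmp.exe {ex.method} {ex.url}"; '
        f'flow:established,to_server; http.method; content:"{ex.method}"; '
        f'http.host; content:"{ex.host}"; http.uri; content:"{ex.path}"; '
        f'http.user_agent; content:"{ex.req.get("user-agent", "")}"; '
        f'sid:{sid_base + i}; rev:1;)'
        for i, ex in enumerate(exchanges)]
```

Two caveats the parsed output makes visible: the two 404s mean the second stage (10.dll, 91y.exe) was not retrievable at detonation time, so this report shows only the loader's behaviour and a later run against the same C2 may differ; and the curl/7.75.0 User-Agent with Accept: */* is what libcurl sends when the caller sets no headers, so the sample most likely links libcurl rather than spawning curl.exe (no child process appears in the Processes section), which is why the rules above match on the UA together with host and URI rather than on the UA alone.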