joker | bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63

General

Target

bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe
Size

31KB
MD5

6f855b0dcaf12e609058030cedf4c030
SHA1

58a5630e99669bc1b35e55dcb7ed5d104f60b905
SHA256

bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63
SHA512

be69cee35355589582665a96a941d77ea00f35bacd2e982c35cf4d7a48b418fb1319c81a3bad341834fdb5b54280d0ee5938cba2bd4c251eee80b27fb1c70dfc
SSDEEP

768:rg8q0xXJrLL/tvdUkTRQ75c0RJG7JxsLoIvCYR/9m:r7Z5HL1CkdQFc0RJpJL

Score

10^/10

joker bootkit infostealer persistence trojan

Malware Config

Extracted

Family

joker

C2

http://tttie.oss-cn-shenzhen.aliyuncs.com

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1564	kinst_1_335.exe

Deletes itself 1 IoCs

pid	Process
1928	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
1972	bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe
1564	kinst_1_335.exe
1564	kinst_1_335.exe
1564	kinst_1_335.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	kinst_1_335.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\open.ini	bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1328	taskkill.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}	kinst_1_335.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	kinst_1_335.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	kinst_1_335.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}	kinst_1_335.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories	kinst_1_335.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\guid = "E6F886451532462698A842076AF9DCA9"	kinst_1_335.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\did = "D435E199F3DC26EFD2C33067DD2A678E"	kinst_1_335.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1328	taskkill.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 1564	1972	bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe	30
PID 1972 wrote to memory of 1564	1972	bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe	30
PID 1972 wrote to memory of 1564	1972	bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe	30
PID 1972 wrote to memory of 1564	1972	bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe	30
PID 1972 wrote to memory of 1564	1972	bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe	30
PID 1972 wrote to memory of 1564	1972	bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe	30
PID 1972 wrote to memory of 1564	1972	bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe	30
PID 1972 wrote to memory of 1928	1972	bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe	31
PID 1972 wrote to memory of 1928	1972	bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe	31
PID 1972 wrote to memory of 1928	1972	bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe	31
PID 1972 wrote to memory of 1928	1972	bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe	31
PID 1972 wrote to memory of 1928	1972	bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe	31
PID 1972 wrote to memory of 1928	1972	bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe	31
PID 1972 wrote to memory of 1928	1972	bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe	31
PID 1928 wrote to memory of 1328	1928	cmd.exe	33
PID 1928 wrote to memory of 1328	1928	cmd.exe	33
PID 1928 wrote to memory of 1328	1928	cmd.exe	33
PID 1928 wrote to memory of 1328	1928	cmd.exe	33
PID 1928 wrote to memory of 1328	1928	cmd.exe	33
PID 1928 wrote to memory of 1328	1928	cmd.exe	33
PID 1928 wrote to memory of 1328	1928	cmd.exe	33

C:\Users\Admin\AppData\Local\Temp\bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe
"C:\Users\Admin\AppData\Local\Temp\bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\kinst_1_335.exe
  "C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\kinst_1_335.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  PID:1564
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bdada64813dbe03408c4826a9b90a5f07beca58e1036df5a1aaf179bbecb1a63.exe.bat

Filesize
330B

MD5
a1ad8aaf5b3424949370911b1a684a5b

SHA1
d3465e4ba29682a37e9a910fc1a71acc1bc31615

SHA256
6bc8795bdd45eaf1de03545ebb9caea21fd3635d7f64d219fc1a965000f1d10a

SHA512
64bd4bedcb684f610d4af0a634fff0b54f3e2d9f982015d3a8be13f4816456af2aefbf6a59c066c739e112e3685e2a59ce1e2bd313a52796fcfd16d4a4bdb539

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\kinst_1_335.exe

Filesize
1.1MB

MD5
3035693137f153ef3e1213a945d33e00

SHA1
175f680ed04a381663a594189750b450a1f86229

SHA256
646be34566c6b635f9d32fdd54ae7824255a363de2a12d084a1797c3c43ad3a1

SHA512
802553d8bd67880efb346ca188b5e7b17d95feafe65018b1d87d372d146c5bbf417040493c527bad1fcbe32c62b6639b00220340226c1cae1ed6640cf94f155c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\kinst_1_335.exe

Filesize
1.1MB

MD5
3035693137f153ef3e1213a945d33e00

SHA1
175f680ed04a381663a594189750b450a1f86229

SHA256
646be34566c6b635f9d32fdd54ae7824255a363de2a12d084a1797c3c43ad3a1

SHA512
802553d8bd67880efb346ca188b5e7b17d95feafe65018b1d87d372d146c5bbf417040493c527bad1fcbe32c62b6639b00220340226c1cae1ed6640cf94f155c

Download Submit
\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\kinst_1_335.exe

Filesize
1.1MB

MD5
3035693137f153ef3e1213a945d33e00

SHA1
175f680ed04a381663a594189750b450a1f86229

SHA256
646be34566c6b635f9d32fdd54ae7824255a363de2a12d084a1797c3c43ad3a1

SHA512
802553d8bd67880efb346ca188b5e7b17d95feafe65018b1d87d372d146c5bbf417040493c527bad1fcbe32c62b6639b00220340226c1cae1ed6640cf94f155c

Download Submit
\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\kinst_1_335.exe

Filesize
1.1MB

MD5
3035693137f153ef3e1213a945d33e00

SHA1
175f680ed04a381663a594189750b450a1f86229

SHA256
646be34566c6b635f9d32fdd54ae7824255a363de2a12d084a1797c3c43ad3a1

SHA512
802553d8bd67880efb346ca188b5e7b17d95feafe65018b1d87d372d146c5bbf417040493c527bad1fcbe32c62b6639b00220340226c1cae1ed6640cf94f155c

Download Submit
\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\kinst_1_335.exe

Filesize
1.1MB

MD5
3035693137f153ef3e1213a945d33e00

SHA1
175f680ed04a381663a594189750b450a1f86229

SHA256
646be34566c6b635f9d32fdd54ae7824255a363de2a12d084a1797c3c43ad3a1

SHA512
802553d8bd67880efb346ca188b5e7b17d95feafe65018b1d87d372d146c5bbf417040493c527bad1fcbe32c62b6639b00220340226c1cae1ed6640cf94f155c

Download Submit
\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\kinst_1_335.exe

Filesize
1.1MB

MD5
3035693137f153ef3e1213a945d33e00

SHA1
175f680ed04a381663a594189750b450a1f86229

SHA256
646be34566c6b635f9d32fdd54ae7824255a363de2a12d084a1797c3c43ad3a1

SHA512
802553d8bd67880efb346ca188b5e7b17d95feafe65018b1d87d372d146c5bbf417040493c527bad1fcbe32c62b6639b00220340226c1cae1ed6640cf94f155c

Download Submit
memory/1972-54-0x00000000751A1000-0x00000000751A3000-memory.dmp

Filesize
8KB

Download
memory/1972-55-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1972-67-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1972-56-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/1972-57-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing