Analysis
-
max time kernel
100s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system -
submitted
03-10-2022 21:41
Static task
static1
Behavioral task
behavioral1
Sample
19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe
Resource
win7-20220812-en
windows7-x64
7 signatures
150 seconds
Behavioral task
behavioral2
Sample
19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe
Resource
win10v2004-20220901-en
windows10-2004-x64
7 signatures
150 seconds
General
-
Target
19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe
-
Size
234KB
-
MD5
de64daa4bbc8b6178e6389893d6de8f2
-
SHA1
422467f497fd81226d7cf2849cf78c4d6d16e528
-
SHA256
19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090
-
SHA512
c1e5aae2b49653d79c49e3fbf769145fc89ddb4d1f6fce136aa8f9c191d693ba65968222c85186a8b0a859da0924590dfe444f261808ff02def673c592fa0fd1
-
SSDEEP
6144:LVLxh5MCavp86MyOIqfV1fRbFnmnaEcI8tKoSLr:L535MCavpB+j9dBcnaEqAoSLr
Score
10/10
Malware Config
Extracted
Family
joker
C2
https://lssfot.oss-cn-hangzhou.aliyuncs.com
Signatures
-
joker
Joker is an Android malware that targets billing and SMS fraud.
-
Downloads MZ/PE file
-
resource yara_rule behavioral2/memory/4756-135-0x0000000006EA0000-0x0000000006EB8000-memory.dmp upx behavioral2/memory/4756-136-0x0000000006EA0000-0x0000000006EB8000-memory.dmp upx -
Loads dropped DLL 1 IoCs
pid Process 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe -
Unexpected DNS network traffic destination 9 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
description ioc Destination IP 114.114.114.114 Destination IP 114.114.114.114 Destination IP 114.114.114.114 Destination IP 114.114.114.114 Destination IP 114.114.114.114 Destination IP 114.114.114.114 Destination IP 114.114.114.114 Destination IP 114.114.114.114 Destination IP 114.114.114.114 -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\physicaldrive0 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe 4756 19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe"C:\Users\Admin\AppData\Local\Temp\19cd2c2e12987623dc1eb4e5d0e439994eb74c6871a07b08638ba7ba6208b090.exe"1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of SetWindowsHookEx
PID:4756
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.5MB
MD5e2bde607d757a367ae42ef472f065420
SHA175990c44bd385b6091b6b10457c279734415485f
SHA2564b5a111e13134d5e5be20575665c943d494aaf765beacb12c66913dd2175edac
SHA5123b2b0384a7268e9775fb6ce745bfb5b7093978e6d50a19a5474f6eb3cfdcff086ad37c6c369baf4ff100670557268adc9dab8f2fecdec9e91cd8c21ce2d9f477