Overview

overview

10

Static

static

10

8ffd741c68...06.exe

windows7-x64

10

8ffd741c68...06.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    170s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-10-2022 23:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8ffd741c68f8c90e56893e5e7971b410f03eadb85e556bd3b64cab5bc648f506.exe

  • Size

    26KB

  • MD5

    40b8cca2ae2c6066bfbef8ce0803c8c0

  • SHA1

    7375081504060e4c044ad664b3581370f335a2d3

  • SHA256

    8ffd741c68f8c90e56893e5e7971b410f03eadb85e556bd3b64cab5bc648f506

  • SHA512

    7c02081c747e9ebdbc12dad69e74fee87ec3cac685ed5f2b5ce642eca6fa51a926dbfb587d7c316d1cf8da2883f3382a3b41f331c33fd8839a33d005b18d252f

  • SSDEEP

    384:rfNhPbj62Tj9xec1JmLfBY5vX0kdaqj0eohDTkVOhvF27z/FUxiWtBlwmRz:rbm2Tbar+f0UaqC9yoYf

Score
10/10
jokerinfostealertrojanupx

Malware Config

Extracted

Family

joker

C2

http://mmtie.oss-cn-hangzhou.aliyuncs.com

Signatures

  • joker

    Joker is an Android malware that targets billing and SMS fraud.

    infostealertrojanjoker
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8ffd741c68f8c90e56893e5e7971b410f03eadb85e556bd3b64cab5bc648f506.exe
    "C:\Users\Admin\AppData\Local\Temp\8ffd741c68f8c90e56893e5e7971b410f03eadb85e556bd3b64cab5bc648f506.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:520
    • C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe
      "C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      PID:4484

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe
    Filesize

    16.8MB

    MD5

    1f1c87b2b8528523907cc58c00923df8

    SHA1

    ea0f7ad5e2d0bc48e52ea9e00c56dc14ea026514

    SHA256

    37e29c28eb4a4753f6926c2f7dfd169a09e184264f537c64893637716237733a

    SHA512

    2a8d2107eb8d479d8378c780389278e2d20653954d93dea72700b9bb9c21bc7ecf826243c1aadf8a6bc2705cc9d0055a01cf24c32a8ba38cca87ca51abd66fbc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe
    Filesize

    16.8MB

    MD5

    1f1c87b2b8528523907cc58c00923df8

    SHA1

    ea0f7ad5e2d0bc48e52ea9e00c56dc14ea026514

    SHA256

    37e29c28eb4a4753f6926c2f7dfd169a09e184264f537c64893637716237733a

    SHA512

    2a8d2107eb8d479d8378c780389278e2d20653954d93dea72700b9bb9c21bc7ecf826243c1aadf8a6bc2705cc9d0055a01cf24c32a8ba38cca87ca51abd66fbc

    Download Submit

  • memory/520-132-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4484-136-0x0000000000400000-0x000000000051E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4484-137-0x0000000000400000-0x000000000051E000-memory.dmp

    Filesize

    1.1MB

    Download