Analysis
-
max time kernel
167s -
max time network
178s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
03-10-2022 11:07
General
-
Target
97ee6ce417a5aa0c0264056e7073407e97738b55645bfb03cf2e2ae34173a2c2.exe
-
Size
54KB
-
MD5
0a3815fa462d80e8520ba9c617bbd285
-
SHA1
4b6832eaa7e7c55877188b04efafc88bc1922279
-
SHA256
97ee6ce417a5aa0c0264056e7073407e97738b55645bfb03cf2e2ae34173a2c2
-
SHA512
f4dd2e7024504b8475557fdd313b4c2815f9c0f1dfd21308ed1314b8267d7f261eca589692cdb69405d110ff4838dc565b584cc9883ea58f5aee78ca5853f8e0
-
SSDEEP
768:sVKm4GV4ujtuYgFC5IjezJckOyLb172+oEFZ0TORX3iSHWIwjkdLv/kcH5hUDrpg:sQKV1MyVckOG12TGX1HxwjkVnDhI+HL
Malware Config
Signatures
-
joker
Joker is an Android malware that targets billing and SMS fraud.
-
Executes dropped EXE 1 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 22 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 59 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\97ee6ce417a5aa0c0264056e7073407e97738b55645bfb03cf2e2ae34173a2c2.exe"C:\Users\Admin\AppData\Local\Temp\97ee6ce417a5aa0c0264056e7073407e97738b55645bfb03cf2e2ae34173a2c2.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start_max_bat.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\1.bat3⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f4⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f4⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?S"" /f4⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f4⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\redload\3.bat""" /f4⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\redload\tmp4⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\2.inf4⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r5⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o6⤵
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 D:\VolumeDH\inj.dat,MainLoad4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\redload\2.bat4⤵
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?821335⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4032 CREDAT:17410 /prefetch:26⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\redload\1.inf5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inl4A35.tmpC:\Users\Admin\AppData\Local\Temp\inl4A35.tmp2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl4A35.tmp > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\97EE6C~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.8MB
MD51784315aac121731745b2843ea994ba3
SHA1c9d3d0d5458562ed4e305205979c0ffe09862cc7
SHA256936c6727dc6876d78338b1809e111de5ea0119ff8988c4ec0ece3b9b02f6b5fa
SHA512c88c73ac3297b923f755296e8802528182b4c26b41481fd1f008c49c33bc7fa645c6395700dbc5d5f405938ddc3922b2c4eda193725bca7cd843bdf18391b588
-
Filesize
791B
MD51706b41fd446b5718a8419c0fcb35d55
SHA1d9bb8df22acdc60c754ac14982cf795df3b1b815
SHA2565c6d11ac3f220f8286455764ab2581dcb6554692d3b9974b097364d77edb3943
SHA51268c9f6170ecdfcc79fc63cb646901d2ac52a915620b159047b2c93761c261897eb5ecc15065635105637a61a840d393104c15ea8268897fb8bb2fbc1a56c626e
-
Filesize
57.2MB
MD5886ffcb541b7481232038fe0a3b7a14a
SHA127c2db270d151199a2efc1f98cced28cff982413
SHA256f1fb1ab19b73f54f1324e6ca29ed14b1f6b7128805045fab305d7e6e785f8d91
SHA512c60ec45e3525c46c36d19ce6faba478bd329e15844ae2933104f6963a03d65e6dea6fa51e7d793623078fec95034b62628b44c2c7b28c347cd97eab74da93326
-
Filesize
57.2MB
MD5886ffcb541b7481232038fe0a3b7a14a
SHA127c2db270d151199a2efc1f98cced28cff982413
SHA256f1fb1ab19b73f54f1324e6ca29ed14b1f6b7128805045fab305d7e6e785f8d91
SHA512c60ec45e3525c46c36d19ce6faba478bd329e15844ae2933104f6963a03d65e6dea6fa51e7d793623078fec95034b62628b44c2c7b28c347cd97eab74da93326
-
Filesize
54B
MD5504490369970f1c0eb580afbcdf91618
SHA1b52f65cd538e6c998b2c7e3167f9c8e8fa6c7971
SHA256a13a0579286521f0d7cb55fc7d28c6d33f14c0573e9e69f7584fa4008a8e7d43
SHA5125495ce79abf0fc4ffbfaf9aefa484145f4e0d3e8457be0e2e4dfb1284fb5413016f2d9867e2386db5c4f7b51863bfffeae8ea6bd879053fdf6a928ab2a0857ad
-
Filesize
3KB
MD5493c22f6b15f9766ae7c23794fc77da0
SHA143723ba660dbc1486f717441b58298d33b9f2048
SHA256478b8c2f0dc23db49d62f987ca5e01afde54d7abff647894ad2e38f9d7fde182
SHA512662644aeef7666b23b90b6ce08ea8271a7cb7379bad6920434d045fdcbbcd48b4bbb65620ac4a5c347e376ecf2ff60e115b869c74a28ca7776cf6fc83b01df34
-
Filesize
410B
MD566a1f0147fed7ddd19e9bb7ff93705c5
SHA19d803c81ea2195617379b880b227892ba30b0bf6
SHA2564f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764
SHA512cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597
-
Filesize
3KB
MD55b958bc8141741054eba3a5327a8030b
SHA1df1ef3d7a8db900893ba7acadedc08fdc3952fe3
SHA25639dfb6fc2c4001ad32ae6c6852088e48da34f870c08e1bb664f6761bc0cbe410
SHA512ac5651425bbc0b8256aca3000a59d50961bb36eff8b7ed2657e6d311b7ac7ef9ead8c86b04cd957770a23de471f9eb4c178824c8d96620bcb5f69eb96fb92aa6
-
Filesize
248B
MD52197ffb407fb3b2250045c084f73b70a
SHA13d0efbacba73ac5e8d77f0d25d63fc424511bcf6
SHA256a1a42f5a41ce65135b1ad525eabc04cce89ee07d2f51d06e5e1dea6047081591
SHA512b35a99e144da3f02de71158f58a6b937435d1bce941126a554783c667654b880527b11ba8a5c0fcf093ce28863ea4f5e60f73f8f973a727f177d584d2e9c80fe
-
Filesize
5.8MB
MD51784315aac121731745b2843ea994ba3
SHA1c9d3d0d5458562ed4e305205979c0ffe09862cc7
SHA256936c6727dc6876d78338b1809e111de5ea0119ff8988c4ec0ece3b9b02f6b5fa
SHA512c88c73ac3297b923f755296e8802528182b4c26b41481fd1f008c49c33bc7fa645c6395700dbc5d5f405938ddc3922b2c4eda193725bca7cd843bdf18391b588
-
Filesize
12KB
-
Filesize
148KB
-
Filesize
12KB
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB