Overview

overview

10

Static

static

10

58ba983b7c...c7.exe

windows7-x64

10

58ba983b7c...c7.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    183s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    11-10-2022 16:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    58ba983b7c6ec9c85969ded4f23041f5a33a809f89d0866350e4575a14ee79c7.exe

  • Size

    26KB

  • MD5

    06666bc830652befea0a673bc9cd2f90

  • SHA1

    de5d967737d27c35e889bf65e761ee367b2117bc

  • SHA256

    58ba983b7c6ec9c85969ded4f23041f5a33a809f89d0866350e4575a14ee79c7

  • SHA512

    db8de8d00907614b1867283307460933ee8a97e5ba06260871d113047a4fbd1af4fcb69c80890052b35e49fef032f1c81ecca05e155c0b85d4152e640022949e

  • SSDEEP

    384:roNhPbj62Tj9xec1JmLfBY5vX0kdaXj0eohDTkVOhvF27z/FUxiWtBlwmRz:rEm2Tbar+f0UaXC9yoYf

Score
10/10
jokerinfostealertrojanupx

Malware Config

Extracted

Family

joker

C2

http://mmtie.oss-cn-hangzhou.aliyuncs.com

Signatures

  • joker

    Joker is an Android malware that targets billing and SMS fraud.

    infostealertrojanjoker
  • Downloads MZ/PE file
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Deletes itself 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Kills process with taskkill 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\58ba983b7c6ec9c85969ded4f23041f5a33a809f89d0866350e4575a14ee79c7.exe
    "C:\Users\Admin\AppData\Local\Temp\58ba983b7c6ec9c85969ded4f23041f5a33a809f89d0866350e4575a14ee79c7.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe
      "C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of AdjustPrivilegeToken
      PID:1688
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c C:\Users\Admin\AppData\Local\Temp\58ba983b7c6ec9c85969ded4f23041f5a33a809f89d0866350e4575a14ee79c7.exe.bat
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:1200
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM 58ba983b7c6ec9c85969ded4f23041f5a33a809f89d0866350e4575a14ee79c7.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:788

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\58ba983b7c6ec9c85969ded4f23041f5a33a809f89d0866350e4575a14ee79c7.exe.bat
    Filesize

    330B

    MD5

    51261393dd27fd67ecd9e13b032bb04e

    SHA1

    6646a78df3deba252ab0c3163d4c8a962fd902a3

    SHA256

    561a4021642130a7f99df6358b17cfc01bc1524613b9c4d77105fcc8ca36bc7e

    SHA512

    78cbf76c870da93d79c190e425ee6387dcbe28e63e3414ea3187247bb6f6ad71990d2123471972095c7dd4df7950d3f56df74ea7498e8c7011babce39c15871b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe
    Filesize

    14.2MB

    MD5

    56f8e2021f1119f731c6175ecbcfbd0a

    SHA1

    bc3bfa6fc5accdb5ce4012cbea0ae1152230705d

    SHA256

    c683d979ca3c301c8cf637d425e70ad915418099d0744ae9da203f053ea1345d

    SHA512

    bd288e977da0ce65c9b72ef08c8ca35726e619da5ef2ab1152bb08571ee3695dc9c71de72ba669c4e1ac4f32aafce2cfcbaacc355435476f417e93c155098e5f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe
    Filesize

    10.6MB

    MD5

    a0b50da4dbd627b524c5c71820079530

    SHA1

    e764e7c7e60cb253093a88f456e92f9c8db5d693

    SHA256

    e725212156000cbdfff844bdd5013258a6bf4ffa9c2eef5f48b4c22c241657ed

    SHA512

    fc02df215afa88eb20306547f88ca66ecf97f3b2df9f1ff34ade1a6e7a50a5c1c85ce06f4d14de5ff128ae359b1fa9b9dfba3dc3a576ffe42305905519342515

    Download Submit

  • \Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe
    Filesize

    16.1MB

    MD5

    b52cff23a31206e9699cf8053e8d9127

    SHA1

    8dc2fd8afa281fb37bda8ab53dc92d7e360146aa

    SHA256

    6287ed227d97696f1dc19a2097e73f9f783645c7353bdc0b14a1522071bdb023

    SHA512

    c24fe6d892d9ae50506a05198d5cddeb8f3e31b7e707771c18cfea1244dd9ef518eac803707d4154f68a344123f741dd89688704436434268437bd92e4e84987

    Download Submit

  • \Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe
    Filesize

    12.6MB

    MD5

    319e2a5997090113e6e232d9aba3f133

    SHA1

    dcf19b6d137f3964af9f1a50064ec37d709a98fc

    SHA256

    ee597f957e9e3bb34ff7b942479cd114b9f46da8cdec761ec9033620417efaf9

    SHA512

    2d692aae9571af3e10b47ffa7981a0104d53c57bc89d7db57b898cd0875f270cf5cef5288d40f02affd7d7a12b6fa1cf2b7ee98800effe4a1bdafa9c7f1cb7c8

    Download Submit

  • \Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe
    Filesize

    10.9MB

    MD5

    ab6979a6f57fce84c01b7f5df241c666

    SHA1

    0b34260c00104deecc2bb04392d96796621576c8

    SHA256

    a4984f08b2a91516383e3b1c61a36ca83f1797b4416b907939ee026d19c290d7

    SHA512

    d5bf1a7679dceb3ff7a77bd3c074658a4a6800aae103ac71047345edcff76f934f603c5b19b36cf40c2fb2b30b079749f1e0c2d737d7ff096f62f9ff75d074cd

    Download Submit

  • memory/1688-67-0x0000000000400000-0x000000000051E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1688-73-0x0000000000520000-0x000000000063E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1688-74-0x0000000000520000-0x000000000063E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1732-62-0x0000000003120000-0x000000000323E000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1732-56-0x0000000000230000-0x0000000000244000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1732-68-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1732-54-0x0000000075771000-0x0000000075773000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1732-57-0x0000000000230000-0x0000000000244000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1732-55-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download