joker | 08fd8f4e1db0aa12599e0d49c194934f576ea788e8e2f1ea430d0cbddb0d449c

Analysis

max time kernel
144s
max time network
152s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08fd8f4e1db0aa12599e0d49c194934f576ea788e8e2f1ea430d0cbddb0d449c.exe
Size

15KB
MD5

19d2e1bb3801e91b598a1718c2e36050
SHA1

ae7c2a12c83f444cb057de774b6c0f335bb0589f
SHA256

08fd8f4e1db0aa12599e0d49c194934f576ea788e8e2f1ea430d0cbddb0d449c
SHA512

112c6ad65551d7b08a06c021a0bada5c258c9abdb0ea4f821ce42d5f73b69da7d99578465abe635e93d337a44898a3ac88794ccbe39b00fbf1553cad483ba64c
SSDEEP

192:3VO8RFi9weZvt+Co7oo7TuJJ7cqiPAUbyMrj6crr0u+vscr9ZCspE+TMArm7c7VN:31cp8CzkuvNLMC0jeMNY7rn

Score

10^/10

joker infostealer trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Drops file in System32 directory 6 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\wbem\360ls.exe	08fd8f4e1db0aa12599e0d49c194934f576ea788e8e2f1ea430d0cbddb0d449c.exe
File created	\??\c:\windows\SysWOW64\wbem\wc.dat	08fd8f4e1db0aa12599e0d49c194934f576ea788e8e2f1ea430d0cbddb0d449c.exe
File created	\??\c:\windows\SysWOW64\wbem\126.exe	08fd8f4e1db0aa12599e0d49c194934f576ea788e8e2f1ea430d0cbddb0d449c.exe
File created	\??\c:\windows\SysWOW64\wbem\GameClient.dll	08fd8f4e1db0aa12599e0d49c194934f576ea788e8e2f1ea430d0cbddb0d449c.exe
File created	\??\c:\windows\SysWOW64\wbem\MFC71LOC.dll	08fd8f4e1db0aa12599e0d49c194934f576ea788e8e2f1ea430d0cbddb0d449c.exe
File created	\??\c:\windows\SysWOW64\wbem\gpkitclt.dll	08fd8f4e1db0aa12599e0d49c194934f576ea788e8e2f1ea430d0cbddb0d449c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 58 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ad2222.com\ = "63"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000000a0f987af960a64c13139466dbfccb3f4e8fef89bf6ee915a94a2a7dea5fd55e000000000e8000000002000020000000364f9f3926b47675fe81740aef925ce3b53224a1a236d22cbf4ca620f4db93be200000002226d64eacd5aac594df01f680d76f5a185d2e806aa224e9113101f61a6c1b2c400000006803b0531c2133b19d7938b6921c07abfca42bbb3474d2b5baad257b1a7cc29318f8740b8db47e2d6ef0674c7fa1ac174e07b2d0e0f97039d3235d61dcf51be8	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\ad2222.com	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.jxys49.site\ = "63"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\jxys49.site\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Factor = "20"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\jxys49.site\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "189"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000048ca5449a4d21846ba8a995ea0abd35a000000000200000000001066000000010000200000004b51e31b03fc69759ce7e8b2af6249abde1346d58864485e0703f53dd1455eec000000000e8000000002000020000000fcd6a595bfe7f07536b24b27ff61eee54267953996ce1679af052aeb817e440890000000f3e62a179a9ddd0d81c951cb92cb553acae40ae5ebbee4d684e4ca88e003ff05ee22347789fd13529e9f3316af8c7ce4d89ba2bda0848770c1c446fa96bddcb8f23bcc1a7aca97150fb6634099679e670583806259063d7432966abe2eeffaf77baa17f39dfde7196e70ea44d27c5476eb90d08c1458bed56d9d16af04c499e21e8b1d7663b63cb3dab8908fc6449608400000009542ab62cf7dfb33f5baf6e80b509bd7dddc3c411cba83937ed840ecfb9f57471a875c2183a0132cad0e2bc6fb83762c05e56504ca588ffb1ce36290e682e849	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\ad2222.com\NumberOfSubdomains = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ad2222.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372300073"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ad2222.com\ = "126"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e009cb05d3ddd801	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\ad2222.com\Total = "126"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\jxys49.site	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\ad2222.com\Total = "63"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.jxys49.site	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{2A106841-49C6-11ED-8DFC-667719A561AF} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Size = "10"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1692	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1692	iexplore.exe
1692	iexplore.exe
864	IEXPLORE.EXE
864	IEXPLORE.EXE
864	IEXPLORE.EXE
864	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 1692	1752	08fd8f4e1db0aa12599e0d49c194934f576ea788e8e2f1ea430d0cbddb0d449c.exe	27
PID 1752 wrote to memory of 1692	1752	08fd8f4e1db0aa12599e0d49c194934f576ea788e8e2f1ea430d0cbddb0d449c.exe	27
PID 1752 wrote to memory of 1692	1752	08fd8f4e1db0aa12599e0d49c194934f576ea788e8e2f1ea430d0cbddb0d449c.exe	27
PID 1752 wrote to memory of 1692	1752	08fd8f4e1db0aa12599e0d49c194934f576ea788e8e2f1ea430d0cbddb0d449c.exe	27
PID 1692 wrote to memory of 864	1692	iexplore.exe	29
PID 1692 wrote to memory of 864	1692	iexplore.exe	29
PID 1692 wrote to memory of 864	1692	iexplore.exe	29
PID 1692 wrote to memory of 864	1692	iexplore.exe	29

C:\Users\Admin\AppData\Local\Temp\08fd8f4e1db0aa12599e0d49c194934f576ea788e8e2f1ea430d0cbddb0d449c.exe
"C:\Users\Admin\AppData\Local\Temp\08fd8f4e1db0aa12599e0d49c194934f576ea788e8e2f1ea430d0cbddb0d449c.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.ad2222.com/download2.htm
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1692
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1692 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:864

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7de5afa9ac7ed179302ac170156afc21

SHA1
fd99418e51a282ee77f13c5af995b7509f6e0e94

SHA256
5fb5d19db61f50db61fbec336301551fb383bd36b0050c1305266d5ca597f6e7

SHA512
8c2d1944ef03981c60526aa271013cb638d6dce7772450f017570a926ad8771df7e237f4e1aa35b7d08c2c65e808160cdee697b9a705caa887e053594e35a52e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\309axvf\imagestore.dat

Filesize
5KB

MD5
9de8b5feaed7549d2f8ae864df4c33f6

SHA1
8f12b9565bcf196c23a514aa8159217f0976fdd3

SHA256
82291d30685ab229624bf397199b8447a60a3680e3e1221f8eda4538f188414a

SHA512
89d69aafec56362be4a9945ecd36240cd629b7aba73e5fd335476b62515367abdf8be2fe71ac14e4cfb107e7148544ac0b693b14a6dcf16e3aa8b7d755deb292

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\NLT3DWD1.txt

Filesize
603B

MD5
e382201cda400a7a116d911fdef44275

SHA1
514bbdda82b9bb0ca2c706f05587e68560815a2a

SHA256
51244f6255d3347543bad06e086efad26806d1ec52c812505f9b3e67ae8c1c5e

SHA512
e75b887844a4c50481a23a2dca044a78bcabad458e3338731d0f710723fbaa09ea72fbcae09e105883835358adcda1ac35c41143bd33239a8bdd60b2d61b3739

Download Submit
memory/1752-54-0x0000000075111000-0x0000000075113000-memory.dmp

Filesize
8KB

Download