Overview

overview

10

Static

static

8

9f27ec50c9...4c.exe

windows7-x64

10

9f27ec50c9...4c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    160s
  • max time network
    217s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2022 16:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe

  • Size

    3.1MB

  • MD5

    183bf634bdb36bceb661422de360d97f

  • SHA1

    8c05614d2e439326c510a53e914dc1a74f88d784

  • SHA256

    9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c

  • SHA512

    1c339f002db014c45892cf4fb8caea281d82d0239ebe8821c63595e34914c3b7fef1ba997c6908eb9aedb548ecf48d1837248c1515a7704c69fd61e541504c8e

  • SSDEEP

    98304:iSBQIZcKt0VRxE3zMSsEcRPRbDjjpF1MFowrK7j:3B3+3Ss/dvjpF2owij

Score
10/10
jokerinfostealertrojanupx

Malware Config

Signatures

  • joker

    Joker is an Android malware that targets billing and SMS fraud.

    infostealertrojanjoker
  • Executes dropped EXE 2 IoCs
  • UPX packed file 30 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
    stealer
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe
    "C:\Users\Admin\AppData\Local\Temp\9f27ec50c9c15dace103709724c8de825c57a665765e459bb445a7bdd3b03f4c.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Modifies Internet Explorer settings
    • Modifies Internet Explorer start page
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4112
    • C:\Program Files (x86)\Intern~1\iexplore.exe
      "C:\Program Files (x86)\Intern~1\iexplore.exe" http://www.baiasp.com
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1600
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.baiasp.com
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4348
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4348 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2540
    • C:\Program Files (x86)\Intern~1\iexplore.exe
      "C:\Program Files (x86)\Intern~1\iexplore.exe" http://www.34wg.com
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\Program Files\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://www.34wg.com
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:852
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:852 CREDAT:17410 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1200
    • C:\Program Files (x86)\洛克東哥辅助7.7_正式版.exe
      "C:\Program Files (x86)\洛克東哥辅助7.7_正式版.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4996
      • C:\Windows\empty.exe
        C:\Windows\empty.exe 4996
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:912

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\洛克東哥辅助7.7_正式版.exe
    Filesize

    2.7MB

    MD5

    42095e7e99e37459044a7917768e85c3

    SHA1

    4634983451f51215fe21e783545671fede8973c8

    SHA256

    2c1688cff603e444e62d46feb9e574fa69c030baf363d56a1e0158d950011fdb

    SHA512

    a4ed61cfdd9033011f672791ccd5322e2f7025e659c4572a664a2e196ea34f220890b6a10b3f6da37d597a3b8e432f374621b8478b72bbdce1373f9e7341d9a8

    Download Submit

  • C:\Program Files (x86)\洛克東哥辅助7.7_正式版.exe
    Filesize

    2.7MB

    MD5

    42095e7e99e37459044a7917768e85c3

    SHA1

    4634983451f51215fe21e783545671fede8973c8

    SHA256

    2c1688cff603e444e62d46feb9e574fa69c030baf363d56a1e0158d950011fdb

    SHA512

    a4ed61cfdd9033011f672791ccd5322e2f7025e659c4572a664a2e196ea34f220890b6a10b3f6da37d597a3b8e432f374621b8478b72bbdce1373f9e7341d9a8

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    471B

    MD5

    7de3527d962389a61a0825bebf9031b7

    SHA1

    ffc04b363ec1d3976e454446827d36813002a9b7

    SHA256

    63db191be3bdce3f969a6f457edaa2bf5c9ec863a311540d719ad80ca9ce4a19

    SHA512

    57220b86487cefb01b4c2b9b904a147ea35133f490d5da092dbf10e1568c14a2f1359ed36529edc779335a9f4530c25a67d2065620379eec0e682b03389ae91d

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize

    404B

    MD5

    4884c278cfbd6ff332e1f159ea92f33c

    SHA1

    4b94671b2a37091ad85977489ebd9a23f06e63df

    SHA256

    d2c342c0db90d9d9bdd94d1f06fefc3b9246f65b7c85c9244a6dbb9e761d9040

    SHA512

    163dda8ca21cffa9c3d5413d112845c593006c23c8b78f93bd7d2367f616fcba059f61786c1419b1062f1dfd2bbbb918313df7b1ea8737a900e4e3726ea29a31

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E7A3EDD2-49C7-11ED-89AC-5A10AEE59B4B}.dat
    Filesize

    5KB

    MD5

    eef80f7e2c39b02ae4f975959d69a4a0

    SHA1

    9af558d0c65ea6f0441090966c4f8855189942fd

    SHA256

    e92c7a556ae2e89b6bcde5899a2d6c217e519ede238e5a6eddfc75f469c55b24

    SHA512

    b1886c4bd07079884ad25f112b113ab60bc7a4d9ce9e5d174fc0f11590a6c5ccb2fbad731d40c141fec409e1f23688c95844ec2f1e2dbc38460f3b1638cd34f4

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{E7A414E2-49C7-11ED-89AC-5A10AEE59B4B}.dat
    Filesize

    3KB

    MD5

    6314457f6303b50858408c3a248b42e2

    SHA1

    b0a4c645dd8c16fc1fda88f5e64d97b0f4ad5def

    SHA256

    6bfefb3524a3a6f51747a7d65f204467e87dada7934942361e1da809be142344

    SHA512

    feb4b0cc1119f16530c2808cfd81f8ecbb710a761d41d652c32d13775313f1ad8fd9865d02b84ec60bee9f6a0447c19dfac9a8aa6a9ee9e9bef32be835fe85cd

    Download Submit

  • C:\Windows\empty.exe
    Filesize

    9KB

    MD5

    523d5c39f9d8d2375c3df68251fa2249

    SHA1

    d4ed365c44bec9246fc1a65a32a7791792647a10

    SHA256

    20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

    SHA512

    526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

    Download Submit

  • C:\Windows\empty.exe
    Filesize

    9KB

    MD5

    523d5c39f9d8d2375c3df68251fa2249

    SHA1

    d4ed365c44bec9246fc1a65a32a7791792647a10

    SHA256

    20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78

    SHA512

    526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

    Download Submit

  • memory/4112-132-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/4112-188-0x0000000000400000-0x00000000004B5000-memory.dmp

    Filesize

    724KB

    Download

  • memory/4996-163-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4996-175-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4996-153-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4996-157-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4996-155-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4996-159-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4996-161-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4996-151-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4996-165-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4996-167-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4996-169-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4996-171-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4996-173-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4996-149-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4996-177-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4996-179-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4996-181-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4996-182-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4996-147-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4996-145-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4996-143-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4996-141-0x0000000000400000-0x0000000000C6C000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/4996-140-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4996-138-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/4996-189-0x0000000000400000-0x0000000000C6C000-memory.dmp

    Filesize

    8.4MB

    Download

  • memory/4996-139-0x0000000010000000-0x000000001003E000-memory.dmp

    Filesize

    248KB

    Download