joker | 18bec959794b8112be19a33257a28e3528a1b5013cc362a712e8246bf5371616

General

Target

18bec959794b8112be19a33257a28e3528a1b5013cc362a712e8246bf5371616.exe
Size

784KB
MD5

797eb2f55a506669d9a94313b2985ec0
SHA1

eaa93a244f2b6f5469499d8098600812f3b38f44
SHA256

18bec959794b8112be19a33257a28e3528a1b5013cc362a712e8246bf5371616
SHA512

d78b2c8afc7b2be02598482bf477e90d2b1ecdb9deee63711574182fd0453d75ea9bc87e0e6bf54a86dffe6536b15303be65d8b64063da5b6d75f925a4644b2a
SSDEEP

12288:+qJpM3leiND5pF6eDYevG0p47IrVT4r0/T4r05:+JDDDFRDYevG0pMIrVT4r0/T4r05

Score

10^/10

joker infostealer trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{26A2FA01-4A44-11ED-99B1-EA25B6F29539} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "372354184"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1032	iexplore.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1688	18bec959794b8112be19a33257a28e3528a1b5013cc362a712e8246bf5371616.exe
1688	18bec959794b8112be19a33257a28e3528a1b5013cc362a712e8246bf5371616.exe
1032	iexplore.exe
1032	iexplore.exe
2008	IEXPLORE.EXE
2008	IEXPLORE.EXE
2008	IEXPLORE.EXE
2008	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1688 wrote to memory of 1032	1688	18bec959794b8112be19a33257a28e3528a1b5013cc362a712e8246bf5371616.exe	27
PID 1688 wrote to memory of 1032	1688	18bec959794b8112be19a33257a28e3528a1b5013cc362a712e8246bf5371616.exe	27
PID 1688 wrote to memory of 1032	1688	18bec959794b8112be19a33257a28e3528a1b5013cc362a712e8246bf5371616.exe	27
PID 1688 wrote to memory of 1032	1688	18bec959794b8112be19a33257a28e3528a1b5013cc362a712e8246bf5371616.exe	27
PID 1032 wrote to memory of 2008	1032	iexplore.exe	29
PID 1032 wrote to memory of 2008	1032	iexplore.exe	29
PID 1032 wrote to memory of 2008	1032	iexplore.exe	29
PID 1032 wrote to memory of 2008	1032	iexplore.exe	29

C:\Users\Admin\AppData\Local\Temp\18bec959794b8112be19a33257a28e3528a1b5013cc362a712e8246bf5371616.exe
"C:\Users\Admin\AppData\Local\Temp\18bec959794b8112be19a33257a28e3528a1b5013cc362a712e8246bf5371616.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://www.xuex8.com/
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1032
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1032 CREDAT:275457 /prefetch:2
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
60KB

MD5
d15aaa7c9be910a9898260767e2490e1

SHA1
2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388

SHA256
f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e

SHA512
7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ff05878bbf792e4f94175ab2fd6555e

SHA1
e42859b99922e1f1bac0cc5ba1c62b1e17871688

SHA256
c51cd2302febf37faaeb15b00db6bc07ec8b0fbb6bdc8e3b67b0bbdea9b50906

SHA512
8aa64d4a30dbbd5ba78420c4869b0647a143584860e553689c659ecf1b573631a8b718ca21cb43293063777ebd5101059e0b02f8fe909b66014412744e8a3215

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\SV1LBO1E.txt

Filesize
603B

MD5
8ab648a80708e522a2186502159092cc

SHA1
d089820184d9015ce4a495e7839efefe91cefbdd

SHA256
9d8d6e491283b3bde40b77f550069aed887145ee53e783f2d18fc5a55d36933c

SHA512
bc4bbdefd79f36f953782d772fa1885486392106650519d350336446117222f362f5c04647ba1e578123c5727c14842d807e47ef306c4e81699a709f707b7c46

Download Submit
memory/1688-54-0x0000000075601000-0x0000000075603000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing