Analysis

  • max time kernel
    150s
  • max time network
    162s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-10-2022 21:57

General

  • Target

    fd829505630a80cee334c85eaa40762589d651c033b87c998a1e3234a8514c01.exe

  • Size

    59KB

  • MD5

    695edd78423b0707179148f2ce0c7ca0

  • SHA1

    a34db5ad4bf9f14cebd091353bff9f84f3286770

  • SHA256

    fd829505630a80cee334c85eaa40762589d651c033b87c998a1e3234a8514c01

  • SHA512

    46b895657e44fc8d9af21903c30d054eb6728a252c28e347d1300dc49b7745d507196dfb91d60d307bc8cd2b7de7e4c329525c9f8d0f62e545afaec6e0937fd3

  • SSDEEP

    1536:gS9sf3ewWNlLC+U1xf4Trnm4GDvJO7kEd:gS9sfuwqBU1B4TrmBOA+

Malware Config

Signatures

  • joker

    Joker is an Android malware family that targets billing and SMS fraud. The family tag does not fit this sample: the target is a 32-bit Windows executable (its children run from SysWOW64 on windows7_x64) and nothing in the tree below is Android or billing related. What the run actually shows is an Internet Explorer start-page hijack (reg add of "Start Page" under HKLM and HKCU to http://www.82133.com/?o, IE launched on http://WWw.cnkankan.com/?82133) with INF-driven Run-key persistence and a hidden CLSID-named folder, so treat the tag as a signature misfire to verify rather than as an attribution.

  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes (here attrib +s +h on C:\PROGRA~1\FREERA~1\tmp and on the CLSID-named folder inside it) so the paths no longer show in Explorer or in a plain dir listing; dir /a or attrib still lists them.

  • Deletes itself 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Drops file in Program Files directory 15 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Triage's generic note for this signature calls it likely ransomware behaviour, but no encryption or mass file modification is recorded in this run; the only drive-related action in the tree is rundll32 loading D:\VolumeDH\jni.mp3,MainLoad, a module with an .mp3 extension on a secondary volume that rundll32 treats as a DLL.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments. Here the read is attributed to runonce.exe -r (PID 980), a Windows component spawned by the INF DefaultInstall of 2.inf, so it is installation noise from the operating system rather than an evasion check performed by the sample.

  • Modifies Internet Explorer settings 1 TTPs 49 IoCs
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
  • Modifies registry class 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 15 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fd829505630a80cee334c85eaa40762589d651c033b87c998a1e3234a8514c01.exe
    "C:\Users\Admin\AppData\Local\Temp\fd829505630a80cee334c85eaa40762589d651c033b87c998a1e3234a8514c01.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1532
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\xcodewget2.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1104
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\1.bat
        3⤵
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:1404
        • C:\PROGRA~1\INTERN~1\iexplore.exe
          C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?82133
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1816
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1816 CREDAT:275457 /prefetch:2
            5⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:1920
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\1.inf
          4⤵
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          PID:1884
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\2.bat
          4⤵
          • Drops file in Program Files directory
          • Suspicious use of WriteProcessMemory
          PID:468
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
            5⤵
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            PID:1832
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f
            5⤵
            • Modifies Internet Explorer settings
            • Modifies Internet Explorer start page
            PID:672
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f
            5⤵
            PID:512
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
            5⤵
            • Modifies registry class
            PID:1012
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\PROGRA~1\FREERA~1\3.bat""" /f
            5⤵
            • Modifies registry class
            PID:540
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
            5⤵
            • Sets file to hidden
            • Drops file in Program Files directory
            • Views/modifies file attributes
            PID:1692
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h C:\PROGRA~1\FREERA~1\tmp
            5⤵
            • Sets file to hidden
            • Drops file in Program Files directory
            • Views/modifies file attributes
            PID:1080
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\2.inf
            5⤵
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious use of AdjustPrivilegeToken
            PID:1492
            • C:\Windows\SysWOW64\runonce.exe
              "C:\Windows\system32\runonce.exe" -r
              6⤵
              • Checks processor information in registry
              PID:980
              • C:\Windows\SysWOW64\grpconv.exe
                "C:\Windows\System32\grpconv.exe" -o
                7⤵
                PID:2040
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32 D:\VolumeDH\jni.mp3,MainLoad
            5⤵
            PID:1176
    • C:\Users\Admin\AppData\Local\Temp\inlC3CF.tmp
      C:\Users\Admin\AppData\Local\Temp\inlC3CF.tmp
      2⤵
      • Executes dropped EXE
      PID:2208
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\FD8295~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2436
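The signatures above and the tree they are drawn from boil down to a handful of host behaviours: the IE start page set through reg add, a shell verb registered under HKCR\CLSID for a folder that is then hidden with attrib +s +h, an INF DefaultInstall run through rundll32 syssetup, rundll32 loading a module with an .mp3 extension, and the dropper deleting its own image through cmd /c del. The following is an added example, not part of the Triage report, that turns those behaviours into a rule pass over process-creation records. The records are constructed from the command lines shown in the tree, plus one benign rundll32 control line under an assumed PID 9999; the field names pid, ppid, image and cmdline are assumed, modelled on Sysmon Event ID 1.

```python
"""Rule pass over process-creation records (added example; not Triage's code).

EVENTS is constructed from the command lines in the report's process tree plus
one benign control record (pid 9999, assumed).  Field names pid, ppid, image
and cmdline are assumed, modelled on Sysmon Event ID 1.
"""
import ntpath
import re

I = re.IGNORECASE
GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# rundll32 resolves an extension-less module name to <name>.dll, so "" is as ordinary as ".dll".
DLL_LIKE_EXT = {"", ".dll", ".cpl", ".ocx", ".ax", ".drv"}
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\fd829505630a80cee334c85eaa40762589d651c033b87c998a1e3234a8514c01.exe"

EVENTS = [  # constructed from the report's tree; pid 9999 is a benign control line
    dict(pid=1532, ppid=0, image=SAMPLE, cmdline='"' + SAMPLE + '"'),
    dict(pid=468, ppid=1404, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r"C:\Windows\system32\cmd.exe /K C:\PROGRA~1\FREERA~1\2.bat"),
    dict(pid=1832, ppid=468, image=r"C:\Windows\SysWOW64\reg.exe",
         cmdline=r'reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f'),
    dict(pid=540, ppid=468, image=r"C:\Windows\SysWOW64\reg.exe",
         cmdline=r'reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\PROGRA~1\FREERA~1\3.bat""" /f'),
    dict(pid=1692, ppid=468, image=r"C:\Windows\SysWOW64\attrib.exe",
         cmdline=r"attrib +s +h C:\PROGRA~1\FREERA~1\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}"),
    dict(pid=1492, ppid=468, image=r"C:\Windows\SysWOW64\rundll32.exe",
         cmdline=r"rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\PROGRA~1\FREERA~1\2.inf"),
    dict(pid=1176, ppid=468, image=r"C:\Windows\SysWOW64\rundll32.exe",
         cmdline=r"rundll32 D:\VolumeDH\jni.mp3,MainLoad"),
    dict(pid=2436, ppid=1532, image=r"C:\Windows\SysWOW64\cmd.exe",
         cmdline=r'"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\FD8295~1.EXE > nul'),
    dict(pid=9999, ppid=468, image=r"C:\Windows\SysWOW64\rundll32.exe",
         cmdline=r"rundll32 shell32.dll,Control_RunDLL"),
]


def _rundll32_module(cmd):
    """Module rundll32 was asked to load, or None when the line is not a rundll32 call."""
    m = re.match(r'\s*"?(?:[^"\s]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,', cmd, I)
    return m.group(1) if m else None


def _same_file_83(long_path, other):
    """Match a long path against one that may use an 8.3 short name (FD8295~1.EXE).
    Without a file-system lookup only the directory, the 6-char stem prefix and the
    extension can be compared, so this is a triage heuristic, not an identity check."""
    ldir, lname = ntpath.split(long_path)
    odir, oname = ntpath.split(other)
    lstem, lext = ntpath.splitext(lname)
    ostem, oext = ntpath.splitext(oname)
    if ldir.lower() != odir.lower() or lext.lower() != oext.lower():
        return False
    if "~" in ostem:
        return lstem.lower().startswith(ostem.split("~", 1)[0].lower())
    return lstem.lower() == ostem.lower()


def _is_attrib_sys_hidden(cmd):
    """True for attrib invocations that set both the system and hidden bits."""
    toks = cmd.split()
    if not toks or ntpath.basename(toks[0].strip('"')).lower() not in ("attrib", "attrib.exe"):
        return False
    return {"+s", "+h"} <= {t.lower() for t in toks[1:]}


# Each rule sees the record and its parent record (None if the parent is unknown).
RULES = [
    ("ie_start_page_set", lambda ev, p: bool(re.search(
        r'reg(?:\.exe)?"?\s+add\s+"?HK(?:LM|CU)\\Software\\Microsoft\\Internet Explorer\\Main"?\s.*/v\s+"?Start Page"?',
        ev["cmdline"], I))),
    ("inf_defaultinstall_via_rundll32", lambda ev, p: bool(re.search(
        r'rundll32(?:\.exe)?"?\s+(?:syssetup|setupapi)(?:\.dll)?\s*,\s*(?:SetupInfObjectInstallAction|InstallHinfSection)\b',
        ev["cmdline"], I))),
    ("clsid_registry_hijack", lambda ev, p: bool(re.search(
        r'reg(?:\.exe)?"?\s+add\s+"?HK(?:CR|LM\\Software\\Classes|CU\\Software\\Classes)\\CLSID\\' + GUID,
        ev["cmdline"], I))),
    ("attrib_system_hidden", lambda ev, p: _is_attrib_sys_hidden(ev["cmdline"])),
    ("attrib_hidden_clsid_folder", lambda ev, p: _is_attrib_sys_hidden(ev["cmdline"])
        and re.search(r"\." + GUID + r"\s*$", ev["cmdline"]) is not None),
    ("rundll32_non_dll_module", lambda ev, p: _rundll32_module(ev["cmdline"]) is not None
        and ntpath.splitext(_rundll32_module(ev["cmdline"]))[1].lower() not in DLL_LIKE_EXT),
    ("self_delete_parent_image", lambda ev, p: p is not None and any(
        _same_file_83(p["image"], target)
        for target in re.findall(r'/c\s+del\s+"?([^"\s>]+)', ev["cmdline"], I))),
]


def scan(events):
    """Return {pid: sorted rule names} for every record that trips at least one rule."""
    by_pid = {ev["pid"]: ev for ev in events}
    hits = {}
    for ev in events:
        parent = by_pid.get(ev["ppid"])
        names = sorted(name for name, rule in RULES if rule(ev, parent))
        if names:
            hits[ev["pid"]] = names
    return hits


if __name__ == "__main__":
    for pid, names in sorted(scan(EVENTS).items()):
        print(pid, ", ".join(names))
```

The self-delete rule needs the parent record because the del target is the parent's image under its 8.3 short name (FD8295~1.EXE); the prefix comparison in _same_file_83 tolerates short names without a file-system lookup, so treat a hit as a triage signal rather than proof. The rundll32 rule deliberately accepts extension-less module names such as syssetup, which rundll32 resolves to a .dll itself, so only genuinely odd extensions like .mp3 are flagged.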

Network

MITRE ATT&CK Enterprise v6


Downloads

        • C:\PROGRA~1\FREERA~1\1.bat

          Filesize

          3KB

          MD5

          b7c5e3b416b1d1b5541ef44662e1a764

          SHA1

          8bff7ea2be2f3cf29f2381d8007198b5991ca3ae

          SHA256

          f1a2f9fdebb3cac24756e53fa5e1628b2bd1cc130480c1878e3b3bc880575cd1

          SHA512

          65dbd6a7a7cf6fec00e6b0f1d7d5655769e6087ad09cad74c91c5a3395e675ac8f9df5c7185327e6f8dd03ddb60504400f54237d9e4b53c8b08e7e3d41ee61fc

        • C:\PROGRA~1\FREERA~1\1.inf

          Filesize

          492B

          MD5

          34c14b8530e1094e792527f7a474fe77

          SHA1

          f71c4e9091140256b34c18220d1dd1efab1f301d

          SHA256

          fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713

          SHA512

          25bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2

        • C:\PROGRA~1\FREERA~1\2.bat

          Filesize

          3KB

          MD5

          6cbd1848e570354769fb56efd38f3594

          SHA1

          d17d48036cdbd6a928729a16a34babc2bd49708a

          SHA256

          cd0076ca521c3a3a8845fb6dac00fc93da9803bca9e03c904516b3493f7ba13d

          SHA512

          ff8502603849d56807be7a4990d4f17459a7a60c446283e8656dc69b5dae6b4ef833e521f4b6a24a69e7867a03d8688bac14498a21c7aa950d9d889b61d8e2e5

        • C:\PROGRA~1\FREERA~1\2.inf

          Filesize

          230B

          MD5

          f6dcb2862f6e7f9e69fb7d18668c59f1

          SHA1

          bb23dbba95d8af94ecc36a7d2dd4888af2856737

          SHA256

          c68fe97c64b68f00b3cc853ae6a6d324b470a558df57eac2593487978592eb2c

          SHA512

          eefe630b776d2144df39e9c385824374b3d546e30293d7efe10cc2d6bf6f2c932162bf80add1c8ca58afcc868ad02b3ffc104c0f111f3827f4385ee9f26f5e75

        • C:\PROGRA~1\FREERA~1\4.bat

          Filesize

          12.3MB

          MD5

          6c07f9daf29bbf8971aaca412f9b76e8

          SHA1

          c5b43bd7c2ef462dc2ac633c554e6f22fe0bf228

          SHA256

          a36d54e330aabd23e79498dabd886f9ec96306cc2d049df253d4f0d03ea5d345

          SHA512

          bccb0ce3b3b01604be5e9edc22b92c9743f61ce5d80b91bd4f91e12c165cb0a6f443cd2d4ca7f9bc833677b0690ffc1ca2daff587e2a40c78f2edfc03cef3256

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\tcz8fqz\imagestore.dat

          Filesize

          5KB

          MD5

          93580f2496afe1d613db96321603c921

          SHA1

          d5f185b06de536b299d831c2908fe284afda6f68

          SHA256

          44636629f7ecdc7cee1c5bb815b9798745d35d08f5b62109510abdbc4d43adf6

          SHA512

          a5999bf5e82a82bc63ae15180da2c159e98592126b3666cabb9cb0b2cde667618927551495797e68602e772292fdaa9fcc4b228b88c9ab21d42fe7bf137da636

        • C:\Users\Admin\AppData\Local\Temp\inlC3CF.tmp

          Filesize

          118.5MB

          MD5

          218c3e890f1dc4e92f74d20ef0decca6

          SHA1

          7b1cfe4b2e0e99cebf05daae8be2d453eddb597f

          SHA256

          7eed1580c59de5d5f892e48c992cd664451348fee6f276503a0b6408e22ed2f4

          SHA512

          ab918dcf109ea4b7f980a560ae7f0bbc283e35f04aa2e7085ed62bcabc753a5df05356bdcfead2b18a70d846c1576a32cda1f3c5140dc016718f430d4358dbc7

        • C:\Users\Admin\AppData\Local\Temp\winrar_config.tmp

          Filesize

          629B

          MD5

          7c51a3cd196c154af76f7d57a475487d

          SHA1

          f2067dc3665cf3c7269eaec7022642bdc4a6a375

          SHA256

          ea89a5077fca265853fb87b8dbfc7c1c9bbf6a8d360cb0a01e6a6ce133086937

          SHA512

          efc22e2a44b93210aa1a5e44e98e01b57fff75b24023e093d75886c6103102e4e12f9e7a16b40f29d3fe63393e02b196df0c05aca9ae2eb29b8279950ba08f1c

        • C:\Users\Admin\AppData\Local\Temp\xcodewget2.bat

          Filesize

          36B

          MD5

          0b53221b1332efb76ebd2ab7120ff78f

          SHA1

          e3dda4d21e35819eaf50e50c2aab2950ff1505b5

          SHA256

          05bbda79058985c35a48637dcbc66c73176e1f7e4c95e8aef8b762066b780388

          SHA512

          877637688f255d94b94feb3b2444678836db41644f6e1a7d1f902c8c12bab45785393a8f210215eebcdcb3526002632863bf54f026047aa1edee8481b26dddcd

        • \Users\Admin\AppData\Local\Temp\inlC3CF.tmp

          Filesize

          120.3MB

          MD5

          0e9922a183847227ed592875ab2325f3

          SHA1

          62333f5cd3fdbbd5945fe2dc95778a5b14cc9654

          SHA256

          91507a6a21c2ad4e9d7e56006b7c09d5b8c8c48eb08d9b8f71104b23528cec2f

          SHA512

          c79064241f325b4fa973ce68bdf19f204ec6dab5bad0ba20eeeb9e82c6428ed4981f13dd8a9a4a5c1b62be476d4409ff0a529a821fa4413cd20e26704d5c05e7

        • \Users\Admin\AppData\Local\Temp\inlC3CF.tmp

          Filesize

          114.7MB

          MD5

          2e7172b6ac75b39d59c4da3e62c4c1ea

          SHA1

          e6e845a9580a6648eefb41cf8cd435721fe8b7f5

          SHA256

          d79422b1d6c0539a1c98a57bc8ab76d1082ead997811a05f883c8a445dc77a40

          SHA512

          0ff890defa7956acd92407bef9ce999a6d7546204d500b72c7c59c6eb6b9cd17f5e6da6d01275576fb61b2dcfa128a9a2ad150d2451331e37e60f562c494e7ee

        • memory/1532-92-0x0000000000930000-0x0000000000956000-memory.dmp

          Filesize

          152KB

        • memory/1532-54-0x0000000075091000-0x0000000075093000-memory.dmp

          Filesize

          8KB

        • memory/1532-55-0x0000000000930000-0x0000000000956000-memory.dmp

          Filesize

          152KB

        • memory/1532-75-0x0000000002E80000-0x0000000002E8F000-memory.dmp

          Filesize

          60KB

        • memory/1532-56-0x0000000000020000-0x0000000000023000-memory.dmp

          Filesize

          12KB

        • memory/2208-93-0x0000000000330000-0x0000000000339000-memory.dmp

          Filesize

          36KB