Overview

overview

10

Static

static

235f0c77c2...d9.exe

windows7-x64

1

235f0c77c2...d9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-10-2022 22:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    235f0c77c2dc786c41617995f4324f715a9fedb262cce18cbf5bb2dbcfe849d9.exe

  • Size

    160KB

  • MD5

    61ec2f1e4cb8f360bf05023710b4b1ff

  • SHA1

    0983e56d0e2f57fc6f5dcf94883a0f3ab7b6cb84

  • SHA256

    235f0c77c2dc786c41617995f4324f715a9fedb262cce18cbf5bb2dbcfe849d9

  • SHA512

    878be4abdd3f290e71e4b290f5cc1cc0c18083470107f758fc8e37c9564280de199b775ad4b6bdd9e9487419d2767fae3502d69cbecae09c4ea103eb22fa2776

  • SSDEEP

    1536:o0K3a3E5YW/io2C+I4LQ54z2B814KX6hN2DDwRCPERykcb+L:I3aE5/io2C+I4LQ54z2C14KK3W8RCm/

Score
10/10
jokerevasioninfostealerpersistencetrojan

Malware Config

Signatures

  • joker

    Joker is an Android malware that targets billing and SMS fraud.

    infostealertrojanjoker
  • Executes dropped EXE 1 IoCs
  • Sets file to hidden 1 TTPs 2 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 3 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 46 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Modifies registry class 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\235f0c77c2dc786c41617995f4324f715a9fedb262cce18cbf5bb2dbcfe849d9.exe
    "C:\Users\Admin\AppData\Local\Temp\235f0c77c2dc786c41617995f4324f715a9fedb262cce18cbf5bb2dbcfe849d9.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3724
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start_min_bat.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\duckload\1.bat
        3⤵
        • Enumerates connected drives
        • Drops file in Program Files directory
        • Suspicious use of WriteProcessMemory
        PID:5108
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
          4⤵
          • Modifies Internet Explorer settings
          • Modifies Internet Explorer start page
          PID:4632
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f
          4⤵
          • Modifies Internet Explorer settings
          • Modifies Internet Explorer start page
          PID:4956
        • C:\Windows\SysWOW64\reg.exe
          reg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?S"" /f
          4⤵
            PID:4552
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f
            4⤵
            • Modifies registry class
            PID:1412
          • C:\Windows\SysWOW64\reg.exe
            reg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\duckload\3.bat""" /f
            4⤵
            • Modifies registry class
            PID:1652
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h C:\Users\Admin\AppData\Roaming\duckload\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}
            4⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:4404
          • C:\Windows\SysWOW64\attrib.exe
            attrib +s +h C:\Users\Admin\AppData\Roaming\duckload\tmp
            4⤵
            • Sets file to hidden
            • Views/modifies file attributes
            PID:3176
          • C:\Windows\SysWOW64\rundll32.exe
            rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\duckload\2.inf
            4⤵
            • Adds Run key to start application
            • Suspicious use of WriteProcessMemory
            PID:1868
            • C:\Windows\SysWOW64\runonce.exe
              "C:\Windows\system32\runonce.exe" -r
              5⤵
              • Checks processor information in registry
              • Suspicious use of WriteProcessMemory
              PID:4900
              • C:\Windows\SysWOW64\grpconv.exe
                "C:\Windows\System32\grpconv.exe" -o
                6⤵
                  PID:860
            • C:\Windows\SysWOW64\rundll32.exe
              rundll32 D:\VolumeDH\inj.dat,MainLoad
              4⤵
                PID:2200
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\duckload\2.bat
                4⤵
                • Suspicious use of WriteProcessMemory
                PID:1784
                • C:\PROGRA~1\INTERN~1\iexplore.exe
                  C:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?82133
                  5⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:1256
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1256 CREDAT:17410 /prefetch:2
                    6⤵
                    • Modifies Internet Explorer settings
                    • Suspicious use of SetWindowsHookEx
                    PID:1380
                • C:\Windows\SysWOW64\rundll32.exe
                  rundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\duckload\1.inf
                  5⤵
                    PID:3772
            • C:\Users\Admin\AppData\Local\Temp\inl24DB.tmp
              C:\Users\Admin\AppData\Local\Temp\inl24DB.tmp
              2⤵
              • Executes dropped EXE
              PID:808
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\235F0C~1.EXE > nul
              2⤵
                PID:1192

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\PROGRA~1\INTERN~1\IEFRAME.dll
              Filesize

              5.8MB

              MD5

              cf320b30d34c5dc2dedf088ade964439

              SHA1

              d06cb72c01a83ad5b2149da3ed78a2e389aefa22

              SHA256

              0d02752c7abcd0f153ce1d133a4dc1a9aed16a4675dfa0108533226204a426f2

              SHA512

              c7d01969e99f6870a0aeebe276aafad33196f67d3723aecf29cf313aebefd9f7817a245b590b27b639be4e4046444d03a15d553d15ac3b3aceff89c2fbeb91b6

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
              Filesize

              471B

              MD5

              60c5dda6c87529c1fdbe874fd534913b

              SHA1

              141dd530c67ebdac9998a8f253aede034519ebbb

              SHA256

              c210d69c28a4a6abb399a425ffb66797df7c3fcf3bfc9eab0bf0dc7e19fc84ee

              SHA512

              bfd86d9e0ee15f5b183070573cfd693e83ce1083aa9c061ce9e68ed0f38518352ccd11b5f78a4b9179bccbed6dad89ee2003b414fbc1e20cf835af7c57b232c5

              Download Submit

            • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
              Filesize

              434B

              MD5

              419d7a9e7629f69e1859ae203c7f6c4c

              SHA1

              7b0c531394bb62008a37ecd1ad96406ebf3500fa

              SHA256

              795514f1350b7e3aab3b9025797fa137ffbe5570136459c52ae26ddfdce25fe8

              SHA512

              3033a7739e6f29ef8e16b1617b36f56cb4f748f681802b51ababbcad07e7aa0b1309b4818c866b6e9dd451ac0c8cc7ff53a4f355d09973346fc0f3dc30bcab8d

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\cdf1912.tmp
              Filesize

              960B

              MD5

              5c85ce81bfb5a28f33edd9cb48743233

              SHA1

              5521f943791d643afcd6773155c0e0a52520f3fb

              SHA256

              33e516b86c6d5691ef255e802550b74580327e8ecb9aed6c7ac69dd7afa906c6

              SHA512

              d2757c893acbb4ebcd935a18d419e8e61f15c30dc0fe4fe7ea26e6a35b48daabd9afd7aea7ed2dca2e07f9d9f56e8c8a9023f5efa9cfd8c39b8285c69c617bd7

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\inl24DB.tmp
              Filesize

              57.2MB

              MD5

              606fd23f0e3aef8deeaec20783243b23

              SHA1

              72d660f3490cf26ae935e6f8c4ade942d8b84ae3

              SHA256

              14c39b9c917a987ca498ccf0bfb0cd599d00841331c23d0fb0f26cd6cf786949

              SHA512

              b64101427f4a269cc71db9150d6f062c1db98720f1dae2acf0a1786c5ab9fdf27283ba1553e9b80cc6257f52998cacd4cb76853b9d8476e689526fc8283613f5

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\inl24DB.tmp
              Filesize

              57.2MB

              MD5

              606fd23f0e3aef8deeaec20783243b23

              SHA1

              72d660f3490cf26ae935e6f8c4ade942d8b84ae3

              SHA256

              14c39b9c917a987ca498ccf0bfb0cd599d00841331c23d0fb0f26cd6cf786949

              SHA512

              b64101427f4a269cc71db9150d6f062c1db98720f1dae2acf0a1786c5ab9fdf27283ba1553e9b80cc6257f52998cacd4cb76853b9d8476e689526fc8283613f5

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\start_min_bat.bat
              Filesize

              55B

              MD5

              e191fedc0782635d37e36a8461827974

              SHA1

              523793f1e74d3ae481f5f42783244162efff4bfb

              SHA256

              9ee7d9d0f401b4fd51744d311c071bec10a20bc941385c5502c4eec958ae216f

              SHA512

              70094446f0ff5dac95902f6caabbe82046569f3fd37bf696648ed8213e1330c18b4d1cdfbc59a639aa52fb7c90192b9d3cd0e455660b1b5702d6c3bcdeed7c62

              Download Submit

            • C:\Users\Admin\AppData\Roaming\duckload\1.bat
              Filesize

              3KB

              MD5

              493c22f6b15f9766ae7c23794fc77da0

              SHA1

              43723ba660dbc1486f717441b58298d33b9f2048

              SHA256

              478b8c2f0dc23db49d62f987ca5e01afde54d7abff647894ad2e38f9d7fde182

              SHA512

              662644aeef7666b23b90b6ce08ea8271a7cb7379bad6920434d045fdcbbcd48b4bbb65620ac4a5c347e376ecf2ff60e115b869c74a28ca7776cf6fc83b01df34

              Download Submit

            • C:\Users\Admin\AppData\Roaming\duckload\1.inf
              Filesize

              410B

              MD5

              66a1f0147fed7ddd19e9bb7ff93705c5

              SHA1

              9d803c81ea2195617379b880b227892ba30b0bf6

              SHA256

              4f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764

              SHA512

              cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597

              Download Submit

            • C:\Users\Admin\AppData\Roaming\duckload\2.bat
              Filesize

              3KB

              MD5

              bc99bb6d1d1dd9a94046790ef52b118e

              SHA1

              eed678414bb1f34c9048591c954506d66c7b6763

              SHA256

              a55879a6440658bf2f99f3400775bf71239eaad4eb2ba6d56b0fd19e8247104b

              SHA512

              bfbcb8cb4ed16924b4c9680ad1d6c3e34a4cac30fe1b65cadabf2907c6534e95ca9a58c17519ccd2da0a70245eef48c5d31d60e90f6f2db58406f1fac3d20042

              Download Submit

            • C:\Users\Admin\AppData\Roaming\duckload\2.inf
              Filesize

              249B

              MD5

              989d5ced1a763799655ef548607bb348

              SHA1

              9cce73c2d866f8933b3d68c60517fa3d2f46632d

              SHA256

              625c71f2fd19c0a583a04417992d652e8e6733b32ad599d974c9546a87dda872

              SHA512

              c858c22dbf9eeb07e6c52684b0678bdc40d65d8e58dda43b4aae7c1f88384d73788a792fdc4b5e524676d3e72e0f548b0210a3034dd738eb1085fa510c685f85

              Download Submit

            • C:\Users\Admin\AppData\Roaming\duckload\4.bat
              Filesize

              5.8MB

              MD5

              cf320b30d34c5dc2dedf088ade964439

              SHA1

              d06cb72c01a83ad5b2149da3ed78a2e389aefa22

              SHA256

              0d02752c7abcd0f153ce1d133a4dc1a9aed16a4675dfa0108533226204a426f2

              SHA512

              c7d01969e99f6870a0aeebe276aafad33196f67d3723aecf29cf313aebefd9f7817a245b590b27b639be4e4046444d03a15d553d15ac3b3aceff89c2fbeb91b6

              Download Submit

            • memory/1256-198-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-182-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-221-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-220-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-215-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-214-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-212-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-211-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-210-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-209-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-208-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-159-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-207-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-161-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-163-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-164-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-166-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-165-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-167-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-168-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-169-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-170-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-171-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-173-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-174-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-176-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-177-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-178-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-179-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-180-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-202-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-184-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-186-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-187-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-188-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-189-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-190-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-191-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-192-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-193-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-194-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-201-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-199-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/1256-200-0x00007FF82EBC0000-0x00007FF82EC2E000-memory.dmp

              Filesize

              440KB

              Download

            • memory/3724-132-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

              Download

            • memory/3724-227-0x0000000000400000-0x0000000000428000-memory.dmp

              Filesize

              160KB

              Download