Analysis
-
max time kernel
149s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
20-10-2022 06:32
General
-
Target
1b9e70dbc5ca79b94c2bc3d320d73c651bbebbfe844951478004a8a2da72105a.exe
-
Size
54KB
-
MD5
81592a3f75a99dfa045ad7c81845644e
-
SHA1
0f835a0d5c77df9280de6931e83e7b48b32d5504
-
SHA256
1b9e70dbc5ca79b94c2bc3d320d73c651bbebbfe844951478004a8a2da72105a
-
SHA512
9232bdcfd598ae54231bcd7b25f1084fd7ef3680b2594e79fc841d48c5448a3e7b05057c8ebefbdbf6b9ca904bbcb7fed2a6e4c2db040391693e3f02939ea32a
-
SSDEEP
1536:/SL+LGddTrHiU2YkRus1ttxshjL7kAq3nq:/p85ziUxkRus5u7kR3q
Malware Config
Signatures
-
joker
Joker is an Android malware that targets billing and SMS fraud.
-
Executes dropped EXE 1 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 46 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1b9e70dbc5ca79b94c2bc3d320d73c651bbebbfe844951478004a8a2da72105a.exe"C:\Users\Admin\AppData\Local\Temp\1b9e70dbc5ca79b94c2bc3d320d73c651bbebbfe844951478004a8a2da72105a.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\glk_300_211.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\datread\1.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?716284⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4300 CREDAT:17410 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\datread\1.inf4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\datread\2.bat4⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.71628.com/?i"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.71628.com/?i"" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\datread\3.bat""" /f5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\datread\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\datread\tmp5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\datread\2.inf5⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r6⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o7⤵
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 D:\VolumeDH\inj.dat,MainLoad5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inlE65.tmpC:\Users\Admin\AppData\Local\Temp\inlE65.tmp2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\1B9E70~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD56a15e3564b9eb382fe5534f59d6fccb4
SHA1911dbc1a988c2d6816beb0c21c4ea5402253b884
SHA2566b478c66c9a2024177d4a478ccea9a82f3162aa87a5125a0dc3750c920bdbc62
SHA5122801f46d495eed08dbb10e73ccda4828faf4ef6b1ff3ff45ce8d73331e692381c25417d15c958f8c3f9c6932300cd0e66b1aad6bb5a92e2bf27b338b6d245711
-
Filesize
434B
MD5272012947636441e59e8a3ec98f20c93
SHA1512f207970fad84735180fb8c3c27193a2e5acfa
SHA2569e5f9fbd0ccb5af9982bab16bd16fb69551d7c512a9fab6e44701b3257a8b030
SHA512cf6c07f4b28724e17ccafe0c5440a37975bf1b966b404ba90c0c390397740a27eb355c25884bb74273b3e60a7d3c772b23520f7ad8266e199dea0192b78ab81f
-
Filesize
862B
MD5b533a53b580cdb4e18117cbc64d3a109
SHA1c991646abcbc6b6bb4742f6120e22732a98d9d0d
SHA256bc4e0834805c823cdb6d763b6084c1dedfbab74eac2dda27de2457bc1ee9fccf
SHA512e4d213e081d7abffc54ef03bc821e627d3ba0c178fba3bc3fb2b58fb1f84c559cad2d2ff54e1f9bfbcaf7507c4346a864c6c8eb7babc7f1c06c264519a38886a
-
Filesize
54B
MD55dd457b845e53fce36e6b543764337e4
SHA1eb7f8ce82274afa5702b20eb5ba133bb71bcb8d6
SHA2560a2c605c32f2e9b3eda6f18df3d8c1fc2d87922b9bb23d6c3a9de3aa3f383992
SHA5120fea97ddf333c178ca4805fc85f8b66f81a7906d1cc7bf440206aff50cc711643e90115f046077a323b3cc78deeb704f7eb8a934d0a1cd011f6a3ad67057c9f6
-
Filesize
57.2MB
MD505e9567d732313acc340da6da6693cd0
SHA113c07020b34fe2253fdf1dfd94b432540c00af70
SHA2565f90dd5f1b64be41828fb380a74851c44740ac20d64fe53817c8753c1401c75f
SHA512c38f70aadbcc39a23376a822cdf386f8acb769c64b784a00e778d3f3279e0892a75e062b45c047b6e9a0873986c09c183ce885e60b39e12b93f7c1e6b24412bc
-
Filesize
57.2MB
MD505e9567d732313acc340da6da6693cd0
SHA113c07020b34fe2253fdf1dfd94b432540c00af70
SHA2565f90dd5f1b64be41828fb380a74851c44740ac20d64fe53817c8753c1401c75f
SHA512c38f70aadbcc39a23376a822cdf386f8acb769c64b784a00e778d3f3279e0892a75e062b45c047b6e9a0873986c09c183ce885e60b39e12b93f7c1e6b24412bc
-
Filesize
3KB
MD560b83f28f7a84b223dc19ffdfff482fc
SHA1f33a5aed6ba5fc5b07df49da757cc089ee0152ac
SHA2564f7d844924c5fb8be4b9f12f602597a54273c8abe9baa715fd0148b3404a3eb4
SHA51254cc35b7550f7082160344b7cb5b2772bbd9c89093c78bd5044a838ac9c91585d85d87c0f1229e4ff0d5d2f27377edac13c538b17197a8f266e678adb03ee4e8
-
Filesize
410B
MD566a1f0147fed7ddd19e9bb7ff93705c5
SHA19d803c81ea2195617379b880b227892ba30b0bf6
SHA2564f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764
SHA512cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597
-
Filesize
3KB
MD5d4917ae9072a10d8e12ef3b282b25b3b
SHA1bd9ec6c6395997525ec7c15ecca2f115573cc14c
SHA2566f7649988962c61ac7644262ee6082ef352bbb00cb155a3f4ef0467fbdf1c67b
SHA512c6ed3119e008191ad56050f6b72a2d64e908c57e80fd0c252b8b1947cf091644c83b6bc16c56d6e2153579eb3e8711c8cd608977426a0906d56a7713bfca309d
-
Filesize
248B
MD5c5eaacddf7fe93d130f1eb67f3fc2d9d
SHA1ce20a3a2d9925fa4672884ffda2ee200c06ad7ce
SHA256c740a578ef5867e18bc914ef724c8258a324b4f35591690e91329a10d17f6b45
SHA5121f9529123cf74f1c53f75d81b9b6dabb127fcef0067c104c5ca044e28450083fa379c256d63d07d4e4053f197c24e02f9e2ab4507f8bb1068032598b52bbbf77
-
Filesize
5.8MB
MD554736c702fe0c447a5a0c3b90d5c975b
SHA1d01b8880ee80e410c5f191d3be441644b1771074
SHA2560908ac53bf60b6a87a31e6561803d1f36ff7c32b7c63ee7f3107d269a298e5a3
SHA5121a9870c041eddd006a67205f000e72ffbc794bc5e0b6749b8a4d8833b7462bf321e83e966f9cc55912152832d84e998f5c8f62a1b307507d1d797c32db333137
-
Filesize
12KB
-
Filesize
148KB
-
Filesize
148KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB