Analysis
max time kernel: 186s
max time network: 190s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 20/10/2022, 13:50
Behavioral task: behavioral1
Sample: fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe
Resource: win7-20220812-en
Behavioral task: behavioral2
Sample: fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe
Resource: win10v2004-20220812-en
General
Target: fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe
Size: 27KB
MD5: 48ef14c9e3f77ede2d868c1fe28154b0
SHA1: de131002f2034948de8cf1a714ff8c11417abf34
SHA256: fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f
SHA512: f9f40838845cb01a66c1504db479eb9114c798f678b5d0f5314bc1636eb2d5be04c6e3c0f4053ef099cfcd6287742ee0d11e4bbda92983a8a80b5adf36973762
SSDEEP: 768:r51hwke4u9Ybj+i+RTf9PuONOsC9yoYf:rVFe4rbjsZpuRv+
Malware Config
Extracted
joker
http://tttie.oss-cn-shenzhen.aliyuncs.com
Signatures
- joker
  Joker is an Android malware that targets billing and SMS fraud.
- Downloads MZ/PE file
- Executes dropped EXE (1 IoCs)
  pid   Process
  1668  duba_1_244.exe
- (signature name not recovered from the page; yara rule matches)
  resource                                                                     yara_rule
  behavioral1/memory/852-55-0x0000000000400000-0x0000000000414000-memory.dmp   upx
  behavioral1/memory/852-58-0x0000000000400000-0x0000000000414000-memory.dmp   upx
  behavioral1/files/0x0006000000015c70-60.dat                                  upx
  behavioral1/files/0x0006000000015c70-62.dat                                  upx
  behavioral1/files/0x0006000000015c70-65.dat                                  upx
  behavioral1/files/0x0006000000015c70-64.dat                                  upx
  behavioral1/files/0x0006000000015c70-66.dat                                  upx
- Loads dropped DLL (3 IoCs)
  pid   Process
  852   fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe
  1668  duba_1_244.exe
  1668  duba_1_244.exe
- Drops file in Program Files directory (1 IoCs)
  description   ioc                                             Process
  File created  C:\Program Files (x86)\Common Files\open.ini    fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of WriteProcessMemory (7 IoCs)
  description               pid   Process                                                                   procid_target
  PID 852 wrote to memory of 1668   852   fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe   30
  PID 852 wrote to memory of 1668   852   fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe   30
  PID 852 wrote to memory of 1668   852   fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe   30
  PID 852 wrote to memory of 1668   852   fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe   30
  PID 852 wrote to memory of 1668   852   fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe   30
  PID 852 wrote to memory of 1668   852   fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe   30
  PID 852 wrote to memory of 1668   852   fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe   30
Processes
- C:\Users\Admin\AppData\Local\Temp\fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe (PID:852, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe (PID:1668, depth 2)
    command line: "C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe"
    - Executes dropped EXE
    - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 3.8MB
  MD5: ab982b62764e99f66bc6c93d142ad2aa
  SHA1: 402cda94b7fdfd54773cdd1fb8fbd16f2777a391
  SHA256: e3127d24277153588925a8ae07f715d09e0b5f8af4738aa35757205a047ce4f8
  SHA512: 41f2a77eb688d9d0660834e01d5130f9439ce7abc86d80d0b7982ec293af4bd5c89b92ce71f8d0a8d4e979a863bec033ee249fbcd3c76e667534b79d6515800e
- Filesize: 2.0MB
  MD5: ca38f20bf0c961808fcdf0db03efaf34
  SHA1: 556381f6afd264d8011ac0ff46cf9db15e488ad4
  SHA256: bd1abd55396f55c001b63115591be702d36f9d0aba7781806393149f4779934d
  SHA512: 9b7dec0a67454454d3112df2ef51fb62012056136011f67137ce5d05714efaf6a711003048d3761713166d648fdfa41b0474f563d1a9a2e32c31977b709bb05a
- Filesize: 4.3MB
  MD5: 0e9222677098433e781a801a8d535997
  SHA1: 842420b51161486823ff4b9fea742fd6869a2fac
  SHA256: 1cbd1f9c4a194dc514cc8cc069ffbaf0d28fde450f72d363dc2ab8e360be2d2a
  SHA512: b78c4e2bda8a53542a0c35113567f0864a9119ca231d165859700a9fd4db1980a8f857915a71e533efa956a825cf60a6715784382eeea77d956c592b60cb95b8
- Filesize: 2.1MB
  MD5: 3d0428d105e0514a845d4e50b07a2116
  SHA1: e935472c33cebb92ef58c98dd230d92366c4fefe
  SHA256: eef20779e1d508d0663aa338536b9ba9c11ee30520a3e0632a6878d4c3855845
  SHA512: 676d40cc6ba763ca53f7277ca519e30eb8d9688b653f5ece50dcad19c1c322e4411b7de617654beea9fda61b63ede1d259f02f5c29387775eb0791a8a1bccfa6
- Filesize: 2.0MB
  MD5: d738ca3f94350c5a105fb357ba7a2d16
  SHA1: 97499fb81818d2e06353e3cb105b4b9d75bd4d78
  SHA256: 672cd7a8e1e736f5b57b23e981a76d6ef4fc10f6e2e0e68c9563dcc371ec91b9
  SHA512: a791c18faa766c5e75187b89fb33dccaf10bb811c9924c37ffc7d4803188051ed0c35be22810cb7fdc87c076fb567cc0859caeb1c323132a9188c69ce825ebba