joker | fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f

General

Target

fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe
Size

27KB
MD5

48ef14c9e3f77ede2d868c1fe28154b0
SHA1

de131002f2034948de8cf1a714ff8c11417abf34
SHA256

fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f
SHA512

f9f40838845cb01a66c1504db479eb9114c798f678b5d0f5314bc1636eb2d5be04c6e3c0f4053ef099cfcd6287742ee0d11e4bbda92983a8a80b5adf36973762
SSDEEP

768:r51hwke4u9Ybj+i+RTf9PuONOsC9yoYf:rVFe4rbjsZpuRv+

Score

10^/10

joker infostealer trojan upx

Malware Config

Extracted

Family

joker

C2

http://tttie.oss-cn-shenzhen.aliyuncs.com

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1668	duba_1_244.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/852-55-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/852-58-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/files/0x0006000000015c70-60.dat	upx
behavioral1/files/0x0006000000015c70-62.dat	upx
behavioral1/files/0x0006000000015c70-65.dat	upx
behavioral1/files/0x0006000000015c70-64.dat	upx
behavioral1/files/0x0006000000015c70-66.dat	upx

Loads dropped DLL 3 IoCs

pid	Process
852	fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe
1668	duba_1_244.exe
1668	duba_1_244.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\open.ini	fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 1668	852	fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe	30
PID 852 wrote to memory of 1668	852	fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe	30
PID 852 wrote to memory of 1668	852	fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe	30
PID 852 wrote to memory of 1668	852	fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe	30
PID 852 wrote to memory of 1668	852	fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe	30
PID 852 wrote to memory of 1668	852	fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe	30
PID 852 wrote to memory of 1668	852	fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe	30

C:\Users\Admin\AppData\Local\Temp\fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe
"C:\Users\Admin\AppData\Local\Temp\fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:852
- C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe
  "C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe

Filesize
3.8MB

MD5
ab982b62764e99f66bc6c93d142ad2aa

SHA1
402cda94b7fdfd54773cdd1fb8fbd16f2777a391

SHA256
e3127d24277153588925a8ae07f715d09e0b5f8af4738aa35757205a047ce4f8

SHA512
41f2a77eb688d9d0660834e01d5130f9439ce7abc86d80d0b7982ec293af4bd5c89b92ce71f8d0a8d4e979a863bec033ee249fbcd3c76e667534b79d6515800e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe

Filesize
2.0MB

MD5
ca38f20bf0c961808fcdf0db03efaf34

SHA1
556381f6afd264d8011ac0ff46cf9db15e488ad4

SHA256
bd1abd55396f55c001b63115591be702d36f9d0aba7781806393149f4779934d

SHA512
9b7dec0a67454454d3112df2ef51fb62012056136011f67137ce5d05714efaf6a711003048d3761713166d648fdfa41b0474f563d1a9a2e32c31977b709bb05a

Download Submit
\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe

Filesize
4.3MB

MD5
0e9222677098433e781a801a8d535997

SHA1
842420b51161486823ff4b9fea742fd6869a2fac

SHA256
1cbd1f9c4a194dc514cc8cc069ffbaf0d28fde450f72d363dc2ab8e360be2d2a

SHA512
b78c4e2bda8a53542a0c35113567f0864a9119ca231d165859700a9fd4db1980a8f857915a71e533efa956a825cf60a6715784382eeea77d956c592b60cb95b8

Download Submit
\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe

Filesize
2.1MB

MD5
3d0428d105e0514a845d4e50b07a2116

SHA1
e935472c33cebb92ef58c98dd230d92366c4fefe

SHA256
eef20779e1d508d0663aa338536b9ba9c11ee30520a3e0632a6878d4c3855845

SHA512
676d40cc6ba763ca53f7277ca519e30eb8d9688b653f5ece50dcad19c1c322e4411b7de617654beea9fda61b63ede1d259f02f5c29387775eb0791a8a1bccfa6

Download Submit
\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe

Filesize
2.0MB

MD5
d738ca3f94350c5a105fb357ba7a2d16

SHA1
97499fb81818d2e06353e3cb105b4b9d75bd4d78

SHA256
672cd7a8e1e736f5b57b23e981a76d6ef4fc10f6e2e0e68c9563dcc371ec91b9

SHA512
a791c18faa766c5e75187b89fb33dccaf10bb811c9924c37ffc7d4803188051ed0c35be22810cb7fdc87c076fb567cc0859caeb1c323132a9188c69ce825ebba

Download Submit
memory/852-54-0x0000000075ED1000-0x0000000075ED3000-memory.dmp

Filesize
8KB

Download
memory/852-57-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/852-56-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/852-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/852-58-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/852-59-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing