Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
155s -
max time network
179s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
20/10/2022, 13:50
Behavioral task
behavioral1
Sample
fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe
Resource
win10v2004-20220812-en
General
-
Target
fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe
-
Size
27KB
-
MD5
48ef14c9e3f77ede2d868c1fe28154b0
-
SHA1
de131002f2034948de8cf1a714ff8c11417abf34
-
SHA256
fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f
-
SHA512
f9f40838845cb01a66c1504db479eb9114c798f678b5d0f5314bc1636eb2d5be04c6e3c0f4053ef099cfcd6287742ee0d11e4bbda92983a8a80b5adf36973762
-
SSDEEP
768:r51hwke4u9Ybj+i+RTf9PuONOsC9yoYf:rVFe4rbjsZpuRv+
Malware Config
Extracted
joker
http://tttie.oss-cn-shenzhen.aliyuncs.com
Signatures
-
joker
Joker is an Android malware that targets billing and SMS fraud.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
pid Process 116 install1968982.exe -
resource yara_rule behavioral2/memory/4092-132-0x0000000000400000-0x0000000000414000-memory.dmp upx behavioral2/memory/4092-133-0x0000000000400000-0x0000000000414000-memory.dmp upx behavioral2/files/0x0003000000000727-135.dat upx behavioral2/files/0x0003000000000727-136.dat upx -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe -
Drops file in Program Files directory 1 IoCs
description ioc Process File created C:\Program Files (x86)\Common Files\open.ini fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4092 wrote to memory of 116 4092 fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe 84 PID 4092 wrote to memory of 116 4092 fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe 84 PID 4092 wrote to memory of 116 4092 fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe 84
Processes
-
C:\Users\Admin\AppData\Local\Temp\fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe"C:\Users\Admin\AppData\Local\Temp\fe83311ce241e5b34fd0cfe567eb20039bdc8d2e6c71d02fdd2050b2a536fd2f.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\install1968982.exe"C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\install1968982.exe"2⤵
- Executes dropped EXE
PID:116
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.6MB
MD5512fe2eb54dde3c922ce73c075a592a1
SHA14332a256f0a77381ecd11e823475c335691325d7
SHA256110f6a132f05a0d7b31d449beb75c7b22cd1fd409d50b32ded10e8ac305d852e
SHA512a3f6fda13e054d5f3f52f0b62895c94b467b32e5811bf52e91c7c747554204af150c0bddce229bcd4b912c575079376ffdd02dbe281d2a59f1f6824b464b993e
-
Filesize
4.6MB
MD5512fe2eb54dde3c922ce73c075a592a1
SHA14332a256f0a77381ecd11e823475c335691325d7
SHA256110f6a132f05a0d7b31d449beb75c7b22cd1fd409d50b32ded10e8ac305d852e
SHA512a3f6fda13e054d5f3f52f0b62895c94b467b32e5811bf52e91c7c747554204af150c0bddce229bcd4b912c575079376ffdd02dbe281d2a59f1f6824b464b993e