Analysis
-
max time kernel
149s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
21-10-2022 04:31
General
-
Target
dab3dde6b604078481c0e2e7f5932569276c79e943ff80b5ca86fcfc3e1475f9.exe
-
Size
46KB
-
MD5
58a67f1e9941af97d4d4fe3bc39a294f
-
SHA1
955d2e6eb77e1412ee4d0dd493a8b03f4f9e3446
-
SHA256
dab3dde6b604078481c0e2e7f5932569276c79e943ff80b5ca86fcfc3e1475f9
-
SHA512
ac917fa20e587f9dc10bd9c34b3180f3e85d7ece778619cf3272056de7b12d521f512b34f0b2c4b25471ea0467bdcb648b23056439e8eac6eaa2f34cd44d2828
-
SSDEEP
768:dCObWQJdEEUSuyJlsCEQ6yz6zxktAZikqbC/oJxK2ZOZPYV1QL:bsSuynIUtAZikqbC/IxfZOS1I
Malware Config
Signatures
-
joker
Joker is an Android malware that targets billing and SMS fraud.
-
Executes dropped EXE 1 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 50 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\dab3dde6b604078481c0e2e7f5932569276c79e943ff80b5ca86fcfc3e1475f9.exe"C:\Users\Admin\AppData\Local\Temp\dab3dde6b604078481c0e2e7f5932569276c79e943ff80b5ca86fcfc3e1475f9.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start_min_bat.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\winzip\1.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?821334⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3596 CREDAT:17410 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\winzip\1.inf4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\winzip\2.bat4⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?S"" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\winzip\3.bat""" /f5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\winzip\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\winzip\tmp5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\winzip\2.inf5⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r6⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o7⤵
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 D:\VolumeDH\inj.dat,MainLoad5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inl4F56.tmpC:\Users\Admin\AppData\Local\Temp\inl4F56.tmp2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\DAB3DD~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
471B
MD57550b85aee4221c59808672005ed8855
SHA1aeb269eff06f518132b9ecea824523fa125ba2d2
SHA2562b1c1e36c5419b7b3351aad8a08fee019473c832fe242ec2bf438b160d5eb8b2
SHA512216d401cb461099f7d2f3626957800cba77308b790ec181e2affb97339570bb9e168a56f3264cad79cd60589637679728fb2a87199a91667dc3ccfd4117f2bab
-
Filesize
434B
MD5125c619e5889c718ef7bcde9e3984725
SHA146e14d83a729f583beb185267f88833c6f580a04
SHA2560f5c937f5d41aa941580b6631efea5ab478798ce3678e5dfc12d6b81736e57ca
SHA512432313fbff86951ed4c5bc227e7e313784a076f2bd6a3c8164b15c0757f91cda9a90a849b0a3469fce39400c8af252cc33da1b4ce273fe0fcd8d92cc450195e1
-
Filesize
1KB
MD58fbe2328f04251245fd79bde4b926a76
SHA1def1a38d89fa52c8cc5058ff610f95fcb1b300e7
SHA256d9d5ab8da43c37e7f5e5eb1ddee1e75ef127eebbc2231d8bddae1d9ea4509e0b
SHA51238c025b7acb728c5e307cc725cabf0af39f5422d39e5a6c82e61f4c68c8b78957199f8a329ef80271cfe143710f05cfa0c65c79a200ecb591a4c1ee233b69c2d
-
Filesize
1KB
MD55aa2590df5a24c322b3e3dca5e3fdd0e
SHA1b9c2e7e8ab6d8440b1f29e298513641f3c448799
SHA2564fbf8c920a71e802499002eba6ec8ac64e16370e464b67d6ad9fc5a90c2eb572
SHA512deba63181d0c516d0c93955e7c93d84784576990624f6534be710bfd1dbbc0c08f0a0fe55c1c2d2f843181365fbcd3c85fe241e124c1d726c7771ee8e4da7e96
-
Filesize
57.2MB
MD5efc63b47bef993f58440b3dab7882d9b
SHA175dacc403adcd83bbbe27e2a1f8a25d4637df95c
SHA256ddd78ef7716b6168bd633d73ca9d2fa7ee4aa13db3fb05316cbf1ba589c5047b
SHA512c6598c67be0e058634a47e9b9bfcb9bf50ba5a4bba5acd9f08548c4caab1dc943c66256d62e521db0afe83294311a5f2db553a7db50c668234f1f895d53dd57f
-
Filesize
57.2MB
MD5efc63b47bef993f58440b3dab7882d9b
SHA175dacc403adcd83bbbe27e2a1f8a25d4637df95c
SHA256ddd78ef7716b6168bd633d73ca9d2fa7ee4aa13db3fb05316cbf1ba589c5047b
SHA512c6598c67be0e058634a47e9b9bfcb9bf50ba5a4bba5acd9f08548c4caab1dc943c66256d62e521db0afe83294311a5f2db553a7db50c668234f1f895d53dd57f
-
Filesize
53B
MD59b41ad553fc0a87c014049dfede9e7fa
SHA1840b9c356ec59e65d33bae61c439b0abf11663bd
SHA256a4bd6b14aa9694ba74db5503576072036cd232d586b5e3dd3fe3dade84a67b5e
SHA5126de134478cd5052675cf936f3dc92fb823d72fc3d44c66f5d0755691481302f63cfe602dd7b492354487c9c5b692a09a404c1081265bb3676030cb43a64369b8
-
Filesize
2KB
MD568a30985a8b4a1dae5b24721ca5b8269
SHA178481107bbddcf18ffc4d25a184ec74274241a6b
SHA256fe94352a25ade782ea77db82f1ec849479ebfe4605156142fc3fdfabc507a0cf
SHA512d452182a296a9e202bce81ad0c752b34d4d779cac94bb54a07517936b79a4007127585673c524c75055f15e33c56eef0d26d1c448723a97fe70c15457bae5a24
-
Filesize
410B
MD566a1f0147fed7ddd19e9bb7ff93705c5
SHA19d803c81ea2195617379b880b227892ba30b0bf6
SHA2564f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764
SHA512cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597
-
Filesize
3KB
MD5c106ffc420b54a4f0fd331f10657dc66
SHA18930d5b56358f518bdf5ccca2b4d24f98ce7a03f
SHA256fb8218f8c607ec3a4c4cb6e59ee81a94cf8ff513d0b09565ad456c88a9e7250b
SHA512ee82fb57af0dddf8f1acab855cda151d3eacb8e11b0adc3a81852c1e2d77a566aa630ff5dabd8c7bc92ebe78b6187cc823c8a4a645ca78ee88e2c27483080fbd
-
Filesize
247B
MD5bf915cb73f6126d712c727039ad3d5e6
SHA173ff72a83711c90e45f8bd34505b3284fd2a870b
SHA2563fd8eeaededa0a76d36df51803c01fe328ba110702a625b28c25bc83f6ef5940
SHA512752387b92716e8e5296d24c532f16e17a955c8f02055c9fd66d4ff84c8f140d7f2a43cfbb4ff97bd5ba1eebc7fa0c215a9283a180a9598b1b413730d19db1957
-
Filesize
44KB
MD5b25a2f925f955e3fea1ccf09d8d8927d
SHA19fe1bd1ded01bf866a0378022732a9d993719b3a
SHA256aafd32e2593a5254f0c02e5a9a93b7bc1554d38ba0753a4cbb71f8f879d3462a
SHA512378d65da3b5aceaa66c6bc42222a3adac8f316209daafc0bbd03cc766b86266048cd1c902422a0b61f78998ba4ab21cabb4aef8607be9eded3f683a48e117740
-
Filesize
128KB
-
Filesize
128KB
-
Filesize
12KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB