Analysis
-
max time kernel
152s -
max time network
166s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
21-10-2022 04:31
General
-
Target
a2049a953d5ed411de9d9700e3e571167493050d3a5b2d47980f83e254e74270.exe
-
Size
140KB
-
MD5
4d0187825e40face7f78f84123d1f605
-
SHA1
22cc5eb22ec075c478c4b8577dd8bb649d2dafa7
-
SHA256
a2049a953d5ed411de9d9700e3e571167493050d3a5b2d47980f83e254e74270
-
SHA512
cf5ba0a4832e2f5559da61136693d78d04498f9114085fb116f67f52248a5b533008a1850a474f86c6570f0aae5436b65236813a7fbec749cd61ee10933ea5e8
-
SSDEEP
1536:nnMg2OVLjlevyaRLBnLuRgiaUxRIxecePKH5nKLV+X:M0LpeTLlamiaUxRIxecePKQW
Malware Config
Signatures
-
joker
Joker is an Android malware that targets billing and SMS fraud.
-
Executes dropped EXE 1 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 45 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 56 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a2049a953d5ed411de9d9700e3e571167493050d3a5b2d47980f83e254e74270.exe"C:\Users\Admin\AppData\Local\Temp\a2049a953d5ed411de9d9700e3e571167493050d3a5b2d47980f83e254e74270.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\start_min_bat.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\winzip\1.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://www.cnkankan.com/?821334⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3544 CREDAT:17410 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\winzip\1.inf4⤵
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\winzip\2.bat4⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?S"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?S"" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\winzip\3.bat""" /f5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\winzip\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\winzip\tmp5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\winzip\2.inf5⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r6⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o7⤵
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 D:\VolumeDH\inj.dat,MainLoad5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inlF57E.tmpC:\Users\Admin\AppData\Local\Temp\inlF57E.tmp2⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\A2049A~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD53facc60dceffd752f284e286f4ceeb8a
SHA1667ffb98ff425eeb8e3c4c85e0b9fee75cf76da4
SHA256a0583d0e827c3e2aabdfb4e99d6ce78e06eac265bd85f339559433571853f56d
SHA51226c16fd7d173aca60695d464035f639affbb0dcc74788b9246fa051a2bdcfa886e162014ff0eca751fcb90c84a17ab77bacfda1442249f4cbe6bb334c06ce317
-
Filesize
57.2MB
MD5d89a562495db82008802333cf32c44b6
SHA17188c90868205b6456015af0d60852c26114b4c5
SHA2566788b741b614775980ba8e17f03cf664c5150a1bd43d0005793ec76efea6d9ce
SHA512d1759b7704f1bd8241a2090dc7b739ae2245bf8aaaad4a6b58a41c6fcb7dc8fd7d88f322dee5fe192037359c23cfc0e9fcddd1ad07e3784e5f941ba9c15789c8
-
Filesize
57.2MB
MD5d89a562495db82008802333cf32c44b6
SHA17188c90868205b6456015af0d60852c26114b4c5
SHA2566788b741b614775980ba8e17f03cf664c5150a1bd43d0005793ec76efea6d9ce
SHA512d1759b7704f1bd8241a2090dc7b739ae2245bf8aaaad4a6b58a41c6fcb7dc8fd7d88f322dee5fe192037359c23cfc0e9fcddd1ad07e3784e5f941ba9c15789c8
-
Filesize
53B
MD59b41ad553fc0a87c014049dfede9e7fa
SHA1840b9c356ec59e65d33bae61c439b0abf11663bd
SHA256a4bd6b14aa9694ba74db5503576072036cd232d586b5e3dd3fe3dade84a67b5e
SHA5126de134478cd5052675cf936f3dc92fb823d72fc3d44c66f5d0755691481302f63cfe602dd7b492354487c9c5b692a09a404c1081265bb3676030cb43a64369b8
-
Filesize
2KB
MD568a30985a8b4a1dae5b24721ca5b8269
SHA178481107bbddcf18ffc4d25a184ec74274241a6b
SHA256fe94352a25ade782ea77db82f1ec849479ebfe4605156142fc3fdfabc507a0cf
SHA512d452182a296a9e202bce81ad0c752b34d4d779cac94bb54a07517936b79a4007127585673c524c75055f15e33c56eef0d26d1c448723a97fe70c15457bae5a24
-
Filesize
410B
MD566a1f0147fed7ddd19e9bb7ff93705c5
SHA19d803c81ea2195617379b880b227892ba30b0bf6
SHA2564f45ce85e221352f7fe26e04968c7f7267dc24b55cf2b72b929b4c90e48cb764
SHA512cfe51756ddec75d240249980a4d27870d15983add25058e4d0da4d8a3ea11384d4d228d6cbc95091f91e516e1ab4dfb1e315941dbd95bf717d4b31936311d597
-
Filesize
3KB
MD5c106ffc420b54a4f0fd331f10657dc66
SHA18930d5b56358f518bdf5ccca2b4d24f98ce7a03f
SHA256fb8218f8c607ec3a4c4cb6e59ee81a94cf8ff513d0b09565ad456c88a9e7250b
SHA512ee82fb57af0dddf8f1acab855cda151d3eacb8e11b0adc3a81852c1e2d77a566aa630ff5dabd8c7bc92ebe78b6187cc823c8a4a645ca78ee88e2c27483080fbd
-
Filesize
247B
MD5bf915cb73f6126d712c727039ad3d5e6
SHA173ff72a83711c90e45f8bd34505b3284fd2a870b
SHA2563fd8eeaededa0a76d36df51803c01fe328ba110702a625b28c25bc83f6ef5940
SHA512752387b92716e8e5296d24c532f16e17a955c8f02055c9fd66d4ff84c8f140d7f2a43cfbb4ff97bd5ba1eebc7fa0c215a9283a180a9598b1b413730d19db1957
-
Filesize
44KB
MD50e9bbf232fb2506d0223ebc7c6f42146
SHA12a79201fc56f1b2314e7f2123137481bc9223d0d
SHA256ff81c062c7253bb97d70819334b8580f4c3fa57014ad3bce8d635309e5c242b8
SHA512b0318030a0eb3f06112b2fecaf66a116c347c29d8d7616d45df67f90fde88a3e0f592f703d8f1ff2410dd772a79add034fdc6242ea1da0758a326666b8f74da2
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB
-
Filesize
440KB