joker | 8177aba4759b8e10fb6bbf7c0948c973028bf7e6be9a2d78019d6d721e153906

General

Target

8177aba4759b8e10fb6bbf7c0948c973028bf7e6be9a2d78019d6d721e153906.exe
Size

13KB
MD5

621a06b7a728836e6754109400490cf3
SHA1

f1d8dd147ba5d78023e5fbc222c39339e1a4e1c9
SHA256

8177aba4759b8e10fb6bbf7c0948c973028bf7e6be9a2d78019d6d721e153906
SHA512

45fac9bc29b82f8121031045af76e921d426d165f6d02931dcddbef0011246db75120dc054a42bac0bba2f69ad1761d98ed818445a59d3c97efc65cb86533a94
SSDEEP

192:fkJPOmwlDu3KTWbiUq6q82TgNJsMrCA6D5wMD+:fkxCDMkWwf820NJsMrtiD

Score

10^/10

joker infostealer trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\92A862854CBECB94F51CD71F036C165CBF654343\Blob = 140000000100000014000000384a5d2bed2b886a7d2286dacc403efb1efce90103000000010000001400000092a862854cbecb94f51cd71f036c165cbf6543430f00000001000000200000000a043e59706f30e9f239884aaf50ab06211f0613bb9e0bac5886fd92654fae012000000001000000f9020000308202f5308201dda003020102021003640d8154647d4bbd57bafeb03febd0300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303832333135303030305a170d3237303832323135303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100cd712faf2021aa79a38e90a222d140b84a8b84755762d5c04902f18e27cb243fb60fb0eb11188bf7848b950c4d1e9bfe0264d67d7a3f2bbb6d11fc6c2b981feb4d523f965953261ad93e573205b33a6e032e3e73fa85f5104d44c787cf98575d8bde2fc83801727e17f7b0f94d81befa73fb36ceebdc5fc087eeabcf6f95a88a021bbaef83fa759f4b7e789d0f6ac0268025d6079b3e1b50993de3ad42eb85ce2d94f31328c27dfd1b29e9fb141c3cb6c5c8614d79f1c884eea47a6b26e221052142990f8b44ec224bb1f2f56b9815a967dfb798987f54f8a87931ff207520041f05b219fae3dfff9c12ed5eba0d77d082cdf0ceb1a22ea91a5bb9d0923fabd10203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414384a5d2bed2b886a7d2286dacc403efb1efce901300d06092a864886f70d01010b050003820101002942a3355d3813094d4e4f1bb85f1f95cec9dad805ce011b618ae170c0cde717754f05e24cf931bcb008caccb857ad05db7d23f23931fe8e3ea223a18a6ca72ff33285112751fc432b7a07458feb9f1a6dc6422d84c443ab7bef51f8411d49023cdbf96b699b33bed8397c12bb2c5f424818f31b5ae84fbda9435a52f71b6fe73294af50452c005d5db788e8ad7ee144a4675a3a0d8468699fad17ebffffb4be8fa6f6e15ab18da2d644cedffcb7d210645ff6fcfb9c1bd348ae5d3f452c2e73e11e47f13779f5ea68ef8376b35c8d814f965a3f53c9592b36ca9ea4bccf6acbf5ca6f2e6b97403a441db1aa2e26b5b46c033997dc84116faab4c9d8faac9e07	8177aba4759b8e10fb6bbf7c0948c973028bf7e6be9a2d78019d6d721e153906.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\92A862854CBECB94F51CD71F036C165CBF654343\Blob = 0400000001000000100000005f7da9b3873a205c74c7aeab20190eec0f00000001000000200000000a043e59706f30e9f239884aaf50ab06211f0613bb9e0bac5886fd92654fae0103000000010000001400000092a862854cbecb94f51cd71f036c165cbf654343140000000100000014000000384a5d2bed2b886a7d2286dacc403efb1efce9012000000001000000f9020000308202f5308201dda003020102021003640d8154647d4bbd57bafeb03febd0300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303832333135303030305a170d3237303832323135303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100cd712faf2021aa79a38e90a222d140b84a8b84755762d5c04902f18e27cb243fb60fb0eb11188bf7848b950c4d1e9bfe0264d67d7a3f2bbb6d11fc6c2b981feb4d523f965953261ad93e573205b33a6e032e3e73fa85f5104d44c787cf98575d8bde2fc83801727e17f7b0f94d81befa73fb36ceebdc5fc087eeabcf6f95a88a021bbaef83fa759f4b7e789d0f6ac0268025d6079b3e1b50993de3ad42eb85ce2d94f31328c27dfd1b29e9fb141c3cb6c5c8614d79f1c884eea47a6b26e221052142990f8b44ec224bb1f2f56b9815a967dfb798987f54f8a87931ff207520041f05b219fae3dfff9c12ed5eba0d77d082cdf0ceb1a22ea91a5bb9d0923fabd10203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414384a5d2bed2b886a7d2286dacc403efb1efce901300d06092a864886f70d01010b050003820101002942a3355d3813094d4e4f1bb85f1f95cec9dad805ce011b618ae170c0cde717754f05e24cf931bcb008caccb857ad05db7d23f23931fe8e3ea223a18a6ca72ff33285112751fc432b7a07458feb9f1a6dc6422d84c443ab7bef51f8411d49023cdbf96b699b33bed8397c12bb2c5f424818f31b5ae84fbda9435a52f71b6fe73294af50452c005d5db788e8ad7ee144a4675a3a0d8468699fad17ebffffb4be8fa6f6e15ab18da2d644cedffcb7d210645ff6fcfb9c1bd348ae5d3f452c2e73e11e47f13779f5ea68ef8376b35c8d814f965a3f53c9592b36ca9ea4bccf6acbf5ca6f2e6b97403a441db1aa2e26b5b46c033997dc84116faab4c9d8faac9e07	8177aba4759b8e10fb6bbf7c0948c973028bf7e6be9a2d78019d6d721e153906.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\92A862854CBECB94F51CD71F036C165CBF654343\Blob = 19000000010000001000000062ad758a7a5d9f2dff6b04551cc4efa2140000000100000014000000384a5d2bed2b886a7d2286dacc403efb1efce90103000000010000001400000092a862854cbecb94f51cd71f036c165cbf6543430f00000001000000200000000a043e59706f30e9f239884aaf50ab06211f0613bb9e0bac5886fd92654fae010400000001000000100000005f7da9b3873a205c74c7aeab20190eec2000000001000000f9020000308202f5308201dda003020102021003640d8154647d4bbd57bafeb03febd0300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303832333135303030305a170d3237303832323135303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100cd712faf2021aa79a38e90a222d140b84a8b84755762d5c04902f18e27cb243fb60fb0eb11188bf7848b950c4d1e9bfe0264d67d7a3f2bbb6d11fc6c2b981feb4d523f965953261ad93e573205b33a6e032e3e73fa85f5104d44c787cf98575d8bde2fc83801727e17f7b0f94d81befa73fb36ceebdc5fc087eeabcf6f95a88a021bbaef83fa759f4b7e789d0f6ac0268025d6079b3e1b50993de3ad42eb85ce2d94f31328c27dfd1b29e9fb141c3cb6c5c8614d79f1c884eea47a6b26e221052142990f8b44ec224bb1f2f56b9815a967dfb798987f54f8a87931ff207520041f05b219fae3dfff9c12ed5eba0d77d082cdf0ceb1a22ea91a5bb9d0923fabd10203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414384a5d2bed2b886a7d2286dacc403efb1efce901300d06092a864886f70d01010b050003820101002942a3355d3813094d4e4f1bb85f1f95cec9dad805ce011b618ae170c0cde717754f05e24cf931bcb008caccb857ad05db7d23f23931fe8e3ea223a18a6ca72ff33285112751fc432b7a07458feb9f1a6dc6422d84c443ab7bef51f8411d49023cdbf96b699b33bed8397c12bb2c5f424818f31b5ae84fbda9435a52f71b6fe73294af50452c005d5db788e8ad7ee144a4675a3a0d8468699fad17ebffffb4be8fa6f6e15ab18da2d644cedffcb7d210645ff6fcfb9c1bd348ae5d3f452c2e73e11e47f13779f5ea68ef8376b35c8d814f965a3f53c9592b36ca9ea4bccf6acbf5ca6f2e6b97403a441db1aa2e26b5b46c033997dc84116faab4c9d8faac9e07	8177aba4759b8e10fb6bbf7c0948c973028bf7e6be9a2d78019d6d721e153906.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\92A862854CBECB94F51CD71F036C165CBF654343	8177aba4759b8e10fb6bbf7c0948c973028bf7e6be9a2d78019d6d721e153906.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\92A862854CBECB94F51CD71F036C165CBF654343\Blob = 0f00000001000000200000000a043e59706f30e9f239884aaf50ab06211f0613bb9e0bac5886fd92654fae0103000000010000001400000092a862854cbecb94f51cd71f036c165cbf6543432000000001000000f9020000308202f5308201dda003020102021003640d8154647d4bbd57bafeb03febd0300d06092a864886f70d01010b050030133111300f06035504031308436c6f75644e6574301e170d3232303832333135303030305a170d3237303832323135303030305a30133111300f06035504031308436c6f75644e657430820122300d06092a864886f70d01010105000382010f003082010a0282010100cd712faf2021aa79a38e90a222d140b84a8b84755762d5c04902f18e27cb243fb60fb0eb11188bf7848b950c4d1e9bfe0264d67d7a3f2bbb6d11fc6c2b981feb4d523f965953261ad93e573205b33a6e032e3e73fa85f5104d44c787cf98575d8bde2fc83801727e17f7b0f94d81befa73fb36ceebdc5fc087eeabcf6f95a88a021bbaef83fa759f4b7e789d0f6ac0268025d6079b3e1b50993de3ad42eb85ce2d94f31328c27dfd1b29e9fb141c3cb6c5c8614d79f1c884eea47a6b26e221052142990f8b44ec224bb1f2f56b9815a967dfb798987f54f8a87931ff207520041f05b219fae3dfff9c12ed5eba0d77d082cdf0ceb1a22ea91a5bb9d0923fabd10203010001a3453043300e0603551d0f0101ff04040302010630120603551d130101ff040830060101ff020101301d0603551d0e04160414384a5d2bed2b886a7d2286dacc403efb1efce901300d06092a864886f70d01010b050003820101002942a3355d3813094d4e4f1bb85f1f95cec9dad805ce011b618ae170c0cde717754f05e24cf931bcb008caccb857ad05db7d23f23931fe8e3ea223a18a6ca72ff33285112751fc432b7a07458feb9f1a6dc6422d84c443ab7bef51f8411d49023cdbf96b699b33bed8397c12bb2c5f424818f31b5ae84fbda9435a52f71b6fe73294af50452c005d5db788e8ad7ee144a4675a3a0d8468699fad17ebffffb4be8fa6f6e15ab18da2d644cedffcb7d210645ff6fcfb9c1bd348ae5d3f452c2e73e11e47f13779f5ea68ef8376b35c8d814f965a3f53c9592b36ca9ea4bccf6acbf5ca6f2e6b97403a441db1aa2e26b5b46c033997dc84116faab4c9d8faac9e07	8177aba4759b8e10fb6bbf7c0948c973028bf7e6be9a2d78019d6d721e153906.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1900	8177aba4759b8e10fb6bbf7c0948c973028bf7e6be9a2d78019d6d721e153906.exe

C:\Users\Admin\AppData\Local\Temp\8177aba4759b8e10fb6bbf7c0948c973028bf7e6be9a2d78019d6d721e153906.exe
"C:\Users\Admin\AppData\Local\Temp\8177aba4759b8e10fb6bbf7c0948c973028bf7e6be9a2d78019d6d721e153906.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1900-54-0x0000000000C40000-0x0000000000C4A000-memory.dmp

Filesize
40KB

Download
memory/1900-55-0x0000000075561000-0x0000000075563000-memory.dmp

Filesize
8KB

Download
memory/1900-56-0x0000000004B95000-0x0000000004BA6000-memory.dmp

Filesize
68KB

Download

Analysis

Sharing