joker | 20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae

Analysis

max time kernel
48s
max time network
158s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
29-10-2022 13:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe
Size

765KB
MD5

8de76e6a5598a529a98333a0d75ba88c
SHA1

c54d54f6b63c2013de278660bffc892b6d4c34b2
SHA256

20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae
SHA512

1e900552d5a859885c19fd3f5282a6e543512cc8ac83931d6bcbb377a5b9f2cc6f5095626c7bfc2a17d78d35e33631868841d8147cb74f4a99916cbdd51ff711
SSDEEP

12288:6kS8kaK+mrZCTbwGDzur7RtTdpuvYcSMSgKnPlBYC/4RYe491ue814MGEReL/9VG:I8A1CrzuHRtTdpuvgwKnPK749rHMGEkO

Score

10^/10

joker infostealer trojan upx

Malware Config

Extracted

Family

joker

http://guup.oss-cn-qingdao.aliyuncs.com

https://gutou.oss-cn-beijing.aliyuncs.com

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1856	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe
1844	Temp.down

UPX packed file 48 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1348-55-0x0000000000400000-0x0000000000668000-memory.dmp	upx
behavioral1/memory/1348-56-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-58-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-60-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-57-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-62-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-64-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-66-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-68-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-70-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-74-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-72-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-76-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-78-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-80-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-84-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-82-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-86-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-90-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-88-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-92-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-96-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-94-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-98-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/files/0x00080000000139e4-99.dat	upx
behavioral1/files/0x00080000000139e4-100.dat	upx
behavioral1/files/0x00080000000139e4-102.dat	upx
behavioral1/memory/1856-107-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/files/0x00080000000139e4-106.dat	upx
behavioral1/memory/1856-110-0x0000000000400000-0x0000000000668000-memory.dmp	upx
behavioral1/memory/1856-109-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1856-112-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1856-114-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1856-116-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1856-118-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1856-120-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1856-122-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1856-124-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1856-126-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-153-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1348-151-0x0000000000400000-0x0000000000668000-memory.dmp	upx
behavioral1/files/0x000a000000013445-154.dat	upx
behavioral1/files/0x000a000000013445-155.dat	upx
behavioral1/files/0x000a000000013445-157.dat	upx
behavioral1/memory/1844-161-0x0000000000400000-0x0000000000A0A200-memory.dmp	upx
behavioral1/memory/1856-162-0x0000000000400000-0x0000000000668000-memory.dmp	upx
behavioral1/memory/1856-163-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral1/memory/1844-166-0x0000000000400000-0x0000000000A0A200-memory.dmp	upx

Loads dropped DLL 4 IoCs

pid	Process
1348	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe
1348	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe
1856	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe
1856	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down
1844	Temp.down

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1348	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe
1348	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe
1348	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe
1856	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe
1856	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe
1856	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe
1844	Temp.down
1844	Temp.down

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1348 wrote to memory of 1856	1348	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe	26
PID 1348 wrote to memory of 1856	1348	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe	26
PID 1348 wrote to memory of 1856	1348	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe	26
PID 1348 wrote to memory of 1856	1348	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe	26
PID 1856 wrote to memory of 1844	1856	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe	27
PID 1856 wrote to memory of 1844	1856	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe	27
PID 1856 wrote to memory of 1844	1856	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe	27
PID 1856 wrote to memory of 1844	1856	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe	27

C:\Users\Admin\AppData\Local\Temp\20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe
"C:\Users\Admin\AppData\Local\Temp\20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1348
- C:\Users\Admin\AppData\Local\Temp\data\20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe
  C:\Users\Admin\AppData\Local\Temp\data\20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe Ìæ»»³ÌÐò 1348
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Users\Admin\AppData\Local\Temp\data\Temp.down
    C:\Users\Admin\AppData\Local\Temp\data\Temp.down Æô¶¯³ÌÐò 1856
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1844

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\data\20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe

Filesize
765KB

MD5
8de76e6a5598a529a98333a0d75ba88c

SHA1
c54d54f6b63c2013de278660bffc892b6d4c34b2

SHA256
20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae

SHA512
1e900552d5a859885c19fd3f5282a6e543512cc8ac83931d6bcbb377a5b9f2cc6f5095626c7bfc2a17d78d35e33631868841d8147cb74f4a99916cbdd51ff711

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe

Filesize
765KB

MD5
8de76e6a5598a529a98333a0d75ba88c

SHA1
c54d54f6b63c2013de278660bffc892b6d4c34b2

SHA256
20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae

SHA512
1e900552d5a859885c19fd3f5282a6e543512cc8ac83931d6bcbb377a5b9f2cc6f5095626c7bfc2a17d78d35e33631868841d8147cb74f4a99916cbdd51ff711

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Temp.down

Filesize
932KB

MD5
7ec22099981f740c5c241c2aa4f3c201

SHA1
5100fe29d98dda7cab795f85e837f61c445c89d9

SHA256
d013fdf5892c9d9b5722d902a48fd71c8d17f409dd54952200977110045558f8

SHA512
8b704b84ce85785998ba181540e7882ea6ad20973257e940fdcccc90f368d80e5148c9b35e1300f5dbf687f8bca2d180f9690a9148fc9ca514d4d99ab0bca67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\setsoft.ini

Filesize
120B

MD5
1286d7c1a9dc5d654b2790057534486d

SHA1
8ecc25c015f325d8f6988e9f3258498eb48182bf

SHA256
942e1f2cc243a0bbaab0978896db8db29021ad2bd7e38d24d9a26107c52fa5a8

SHA512
bf5568d51c2d163021a2ba74e8fd0b9df234af10701c1cafcdae0426586e171d1d9b56c84dde5a40a5baa43d711122637fd7c7c3f55c0bb5df6b06bba45c6356

Download Submit
\Users\Admin\AppData\Local\Temp\data\20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe

Filesize
765KB

MD5
8de76e6a5598a529a98333a0d75ba88c

SHA1
c54d54f6b63c2013de278660bffc892b6d4c34b2

SHA256
20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae

SHA512
1e900552d5a859885c19fd3f5282a6e543512cc8ac83931d6bcbb377a5b9f2cc6f5095626c7bfc2a17d78d35e33631868841d8147cb74f4a99916cbdd51ff711

Download Submit
\Users\Admin\AppData\Local\Temp\data\20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe

Filesize
765KB

MD5
8de76e6a5598a529a98333a0d75ba88c

SHA1
c54d54f6b63c2013de278660bffc892b6d4c34b2

SHA256
20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae

SHA512
1e900552d5a859885c19fd3f5282a6e543512cc8ac83931d6bcbb377a5b9f2cc6f5095626c7bfc2a17d78d35e33631868841d8147cb74f4a99916cbdd51ff711

Download Submit
\Users\Admin\AppData\Local\Temp\data\Temp.down

Filesize
932KB

MD5
7ec22099981f740c5c241c2aa4f3c201

SHA1
5100fe29d98dda7cab795f85e837f61c445c89d9

SHA256
d013fdf5892c9d9b5722d902a48fd71c8d17f409dd54952200977110045558f8

SHA512
8b704b84ce85785998ba181540e7882ea6ad20973257e940fdcccc90f368d80e5148c9b35e1300f5dbf687f8bca2d180f9690a9148fc9ca514d4d99ab0bca67c

Download Submit
\Users\Admin\AppData\Local\Temp\data\Temp.down

Filesize
932KB

MD5
7ec22099981f740c5c241c2aa4f3c201

SHA1
5100fe29d98dda7cab795f85e837f61c445c89d9

SHA256
d013fdf5892c9d9b5722d902a48fd71c8d17f409dd54952200977110045558f8

SHA512
8b704b84ce85785998ba181540e7882ea6ad20973257e940fdcccc90f368d80e5148c9b35e1300f5dbf687f8bca2d180f9690a9148fc9ca514d4d99ab0bca67c

Download Submit
memory/1348-105-0x0000000003B00000-0x0000000003D68000-memory.dmp

Filesize
2.4MB

Download
memory/1348-151-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/1348-70-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-74-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-72-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-76-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-78-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-80-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-84-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-82-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-86-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-90-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-88-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-92-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-96-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-94-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-98-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-66-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-64-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-55-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/1348-62-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-54-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1348-108-0x0000000003B00000-0x0000000003D68000-memory.dmp

Filesize
2.4MB

Download
memory/1348-56-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-57-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-58-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-68-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-60-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1348-153-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1844-166-0x0000000000400000-0x0000000000A0A200-memory.dmp

Filesize
6.0MB

Download
memory/1844-161-0x0000000000400000-0x0000000000A0A200-memory.dmp

Filesize
6.0MB

Download
memory/1856-126-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1856-116-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1856-114-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1856-112-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1856-109-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1856-110-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/1856-107-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1856-122-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1856-124-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1856-159-0x0000000003200000-0x000000000380B000-memory.dmp

Filesize
6.0MB

Download
memory/1856-160-0x0000000003200000-0x000000000380B000-memory.dmp

Filesize
6.0MB

Download
memory/1856-120-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1856-162-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/1856-163-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1856-164-0x0000000003200000-0x000000000380B000-memory.dmp

Filesize
6.0MB

Download
memory/1856-165-0x0000000003200000-0x000000000380B000-memory.dmp

Filesize
6.0MB

Download
memory/1856-118-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download