joker | 20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae

Analysis

max time kernel
91s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 13:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe
Size

765KB
MD5

8de76e6a5598a529a98333a0d75ba88c
SHA1

c54d54f6b63c2013de278660bffc892b6d4c34b2
SHA256

20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae
SHA512

1e900552d5a859885c19fd3f5282a6e543512cc8ac83931d6bcbb377a5b9f2cc6f5095626c7bfc2a17d78d35e33631868841d8147cb74f4a99916cbdd51ff711
SSDEEP

12288:6kS8kaK+mrZCTbwGDzur7RtTdpuvYcSMSgKnPlBYC/4RYe491ue814MGEReL/9VG:I8A1CrzuHRtTdpuvgwKnPK749rHMGEkO

Score

10^/10

joker infostealer trojan upx

Malware Config

Extracted

Family

joker

http://guup.oss-cn-qingdao.aliyuncs.com

https://gutou.oss-cn-beijing.aliyuncs.com

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4332	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe
2508	Temp.down

UPX packed file 46 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1756-132-0x0000000000400000-0x0000000000668000-memory.dmp	upx
behavioral2/memory/1756-133-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1756-134-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1756-135-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1756-137-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1756-139-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1756-141-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1756-143-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1756-145-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1756-147-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1756-149-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1756-151-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1756-153-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1756-155-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1756-157-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1756-159-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1756-161-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1756-163-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1756-165-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1756-167-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1756-169-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1756-171-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1756-173-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1756-175-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/files/0x0002000000022e0c-177.dat	upx
behavioral2/files/0x0002000000022e0c-178.dat	upx
behavioral2/memory/4332-180-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4332-181-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4332-185-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4332-183-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4332-187-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4332-189-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4332-191-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4332-193-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4332-195-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4332-197-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/4332-199-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1756-222-0x0000000000400000-0x0000000000668000-memory.dmp	upx
behavioral2/memory/4332-225-0x0000000000400000-0x0000000000668000-memory.dmp	upx
behavioral2/memory/4332-226-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/memory/1756-223-0x0000000010000000-0x000000001003E000-memory.dmp	upx
behavioral2/files/0x0004000000022de6-228.dat	upx
behavioral2/files/0x0004000000022de6-229.dat	upx
behavioral2/memory/2508-230-0x0000000000400000-0x0000000000A0A200-memory.dmp	upx
behavioral2/memory/4332-231-0x0000000000400000-0x0000000000668000-memory.dmp	upx
behavioral2/memory/2508-232-0x0000000000400000-0x0000000000A0A200-memory.dmp	upx

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down
2508	Temp.down

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1756	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe
1756	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe
1756	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe
4332	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe
4332	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe
4332	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe
2508	Temp.down
2508	Temp.down

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 4332	1756	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe	85
PID 1756 wrote to memory of 4332	1756	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe	85
PID 1756 wrote to memory of 4332	1756	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe	85
PID 4332 wrote to memory of 2508	4332	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe	87
PID 4332 wrote to memory of 2508	4332	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe	87
PID 4332 wrote to memory of 2508	4332	20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe	87

C:\Users\Admin\AppData\Local\Temp\20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe
"C:\Users\Admin\AppData\Local\Temp\20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Users\Admin\AppData\Local\Temp\data\20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe
  C:\Users\Admin\AppData\Local\Temp\data\20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe Ìæ»»³ÌÐò 1756
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4332
- - C:\Users\Admin\AppData\Local\Temp\data\Temp.down
    C:\Users\Admin\AppData\Local\Temp\data\Temp.down Æô¶¯³ÌÐò 4332
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\data\20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe

Filesize
765KB

MD5
8de76e6a5598a529a98333a0d75ba88c

SHA1
c54d54f6b63c2013de278660bffc892b6d4c34b2

SHA256
20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae

SHA512
1e900552d5a859885c19fd3f5282a6e543512cc8ac83931d6bcbb377a5b9f2cc6f5095626c7bfc2a17d78d35e33631868841d8147cb74f4a99916cbdd51ff711

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae.exe

Filesize
765KB

MD5
8de76e6a5598a529a98333a0d75ba88c

SHA1
c54d54f6b63c2013de278660bffc892b6d4c34b2

SHA256
20b80e22a25e54adb3dc9257fc3b5d7de95a5134e109b46cdea6418626e0edae

SHA512
1e900552d5a859885c19fd3f5282a6e543512cc8ac83931d6bcbb377a5b9f2cc6f5095626c7bfc2a17d78d35e33631868841d8147cb74f4a99916cbdd51ff711

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Temp.down

Filesize
932KB

MD5
9d2022e1f315a8ed89829d4d7ad092ac

SHA1
824b3e6b798a8720fa3caa213b64412fdad5024d

SHA256
73f625d9f9fb4dbeadfc4bdb847f732419f5b91229828b10a8f9e2fc00d9482e

SHA512
8e8693231e574b62c2093ec071d048786e65477e80d777fe69faaf9e0babba668dbba28684c341651533657f84b53fb6f1d140a33cecf3995e3283d2d4f1a453

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\Temp.down

Filesize
932KB

MD5
9d2022e1f315a8ed89829d4d7ad092ac

SHA1
824b3e6b798a8720fa3caa213b64412fdad5024d

SHA256
73f625d9f9fb4dbeadfc4bdb847f732419f5b91229828b10a8f9e2fc00d9482e

SHA512
8e8693231e574b62c2093ec071d048786e65477e80d777fe69faaf9e0babba668dbba28684c341651533657f84b53fb6f1d140a33cecf3995e3283d2d4f1a453

Download Submit
C:\Users\Admin\AppData\Local\Temp\data\setsoft.ini

Filesize
120B

MD5
1286d7c1a9dc5d654b2790057534486d

SHA1
8ecc25c015f325d8f6988e9f3258498eb48182bf

SHA256
942e1f2cc243a0bbaab0978896db8db29021ad2bd7e38d24d9a26107c52fa5a8

SHA512
bf5568d51c2d163021a2ba74e8fd0b9df234af10701c1cafcdae0426586e171d1d9b56c84dde5a40a5baa43d711122637fd7c7c3f55c0bb5df6b06bba45c6356

Download Submit
memory/1756-153-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1756-141-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1756-143-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1756-145-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1756-147-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1756-149-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1756-151-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1756-132-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/1756-155-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1756-157-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1756-159-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1756-161-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1756-163-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1756-165-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1756-167-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1756-169-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1756-171-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1756-173-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1756-175-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1756-139-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1756-133-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1756-134-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1756-137-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1756-223-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1756-135-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/1756-222-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/2508-232-0x0000000000400000-0x0000000000A0A200-memory.dmp

Filesize
6.0MB

Download
memory/2508-230-0x0000000000400000-0x0000000000A0A200-memory.dmp

Filesize
6.0MB

Download
memory/4332-195-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4332-185-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4332-197-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4332-199-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4332-187-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4332-226-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4332-191-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4332-183-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4332-181-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4332-193-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4332-180-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download
memory/4332-225-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/4332-231-0x0000000000400000-0x0000000000668000-memory.dmp

Filesize
2.4MB

Download
memory/4332-189-0x0000000010000000-0x000000001003E000-memory.dmp

Filesize
248KB

Download