Analysis
-
max time kernel
149s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
29-10-2022 20:24
General
-
Target
d5442275ac32fa2416bddc1a128fb947f48dca84abec1a78e4ac900424b3ca7e.exe
-
Size
168KB
-
MD5
84e72318c27f94e22fbc87114311752b
-
SHA1
da05125099140e4683aa4399af47e6346ab083e9
-
SHA256
d5442275ac32fa2416bddc1a128fb947f48dca84abec1a78e4ac900424b3ca7e
-
SHA512
0833fc748e6b4d8544f8914aefcb29fc94336534ff51786cadacc20b4da3769fc472f59c2576552e7a561f6b0e7e20e19a93c56f318f5fb9cb1745777b189c70
-
SSDEEP
1536:aHob+TnkkpRNGojAbnXlkjZ2G+7ErBnOZn2KcGO3Ekm+7UmNhG6n3+A:sOukkJGoEbXldaE5eAu
Malware Config
Signatures
-
joker
Joker is an Android malware that targets billing and SMS fraud.
-
Executes dropped EXE 1 IoCs
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 60 IoCs
-
Modifies Internet Explorer start page 1 TTPs 2 IoCs
-
Modifies registry class 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d5442275ac32fa2416bddc1a128fb947f48dca84abec1a78e4ac900424b3ca7e.exe"C:\Users\Admin\AppData\Local\Temp\d5442275ac32fa2416bddc1a128fb947f48dca84abec1a78e4ac900424b3ca7e.exe"1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\teacher2011_check.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\1.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\PROGRA~1\INTERN~1\iexplore.exeC:\PROGRA~1\INTERN~1\IEXPLORE.EXE http://WWw.cnkankan.com/?821334⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1264 CREDAT:275457 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\1.inf4⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Roaming\PPLive\2.bat4⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exereg add "HKLM\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\Microsoft\Internet Explorer\Main" /v "Start Page" /d ""http://www.82133.com/?o"" /f5⤵
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCU\Software\tmp" /v "key" /d ""http://www.82133.com/?o"" /f5⤵
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}" /v "IsShortCut" /d "" /f5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\reg.exereg add "HKCR\CLSID\{971C5380-92A0-5A69-B3EE-C3002B33309E}\Shell\open(&H)\Command" /v "" /d "wscript -e:vbs ""C:\Users\Admin\AppData\Roaming\PPLive\3.bat""" /f5⤵
- Modifies registry class
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp\a.{971C5380-92A0-5A69-B3EE-C3002B33309E}5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\attrib.exeattrib +s +h C:\Users\Admin\AppData\Roaming\PPLive\tmp5⤵
- Sets file to hidden
- Views/modifies file attributes
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 syssetup,SetupInfObjectInstallAction DefaultInstall 128 C:\Users\Admin\AppData\Roaming\PPLive\2.inf5⤵
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\runonce.exe"C:\Windows\system32\runonce.exe" -r6⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\grpconv.exe"C:\Windows\System32\grpconv.exe" -o7⤵
-
-
-
-
C:\Windows\SysWOW64\rundll32.exerundll32 D:\VolumeDH\inj.dat,MainLoad5⤵
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\inl4473.tmpC:\Users\Admin\AppData\Local\Temp\inl4473.tmp2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\inl4473.tmp > nul3⤵
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\D54422~1.EXE > nul2⤵
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
61KB
MD53dcf580a93972319e82cafbc047d34d5
SHA18528d2a1363e5de77dc3b1142850e51ead0f4b6b
SHA25640810e31f1b69075c727e6d557f9614d5880112895ff6f4df1767e87ae5640d1
SHA51298384be7218340f95dae88d1cb865f23a0b4e12855beb6e74a3752274c9b4c601e493864db777bca677a370d0a9dbffd68d94898a82014537f3a801cce839c42
-
Filesize
342B
MD56a03560cfef62f16606fef6435584a75
SHA14d0eb3614192ccee0cafa3410ef39ec9ab939e6a
SHA2563a0fe44e3e3af3873135de562135595156d2b1d7e30cbb95080f42ffcb792f3e
SHA512f5a84855b2fd15e8da1f31d5a35459302dc9588c3d6ca41512be91391ea72e84a5f4af31e66db1fc735ee5d4a0077c32e17a470ddbd672ade15761c0ce2e83d8
-
Filesize
5KB
MD55fbfad1f36cbe37f51fece7a929a1ef8
SHA1e3280cd13a667e17b65aea2000fc45bb8199b1ff
SHA256970cd4be25a9f2d17aea89ca29f2ad028011c667d5c676df342e5069d328a53f
SHA5124ed912cd12357d81a7baf8aedecbbded98e805e306dbf7be1dccbc09042e203a6dad2b9e8b0780dfc521fb0a1a7242b5a15ca3f059331eb6d1329dbf8462f662
-
Filesize
122.8MB
MD5e540081aa305d846fd1e0c30a9367b1c
SHA1461ab2a1aabdcbb9948f8fa3c82942ec09c4b959
SHA256403144a9c369004f9c34f2ebe3970894ad57d5961eabbbf4b9348a9ed24c95a5
SHA5127985854fd1001309d46efc121ecea0a8c62c55f68a01bf9201be685fb2f4422f57374f7219cdec39aef606561da084d3961a59bfaec544de06ba0594efad93fb
-
Filesize
21.4MB
MD57fcfdfe4a6646afd49108ab9fb8f5f0f
SHA15ffa1d3509f96d337ee5b8491fbf704499de01d9
SHA256b9ba914828a43f89b33676bc3cb9302edfe33b8d60c1399357b08d753c0ce2a1
SHA512fe274f10a2165d1604f1a2a61df71fb7077d61aa8417137069a7a50eeda9f79f33dedcfa37aa2507f69af71d1266a97c08fc80a3f91955acadaa682db498db79
-
Filesize
53B
MD523962a245f75fe25510051582203aff1
SHA120832a3a1179bb2730194d2f7738d41d5d669a43
SHA2561abcea214b9b2bd76cc04be07ae2d4d70371e6ca443d99f4f1327afe7a5fc647
SHA512dc36b64f2dbb710652900a31295c148760b0c44eae13515aa29613916c9dffe3d8e55ba61568f7c27b43bf0c341f7dcd4b9c721f81627fc6bb915b15c358fe80
-
Filesize
660B
MD5c40ea8f677b3f48bfb7f4cfc6d3f03ab
SHA110b94afd8e6ea98a3c8a955304f9ce660b0c380a
SHA256b1a31a74cc88d0f8e39aaebf58a724b89391dc3fbac733953790edf8ded8172c
SHA512409b8a45576bf08e185446b13a512c115df7483ff8ec30ea51ee93ee1ac8153ae3b615650ff69a5d1e41fa0cd57fcdc4c5d03b4b4453431114ac018f48e194d9
-
Filesize
608B
MD5818988f0d5b92a598e9e9c3aa5be19e8
SHA1987a22eafe45fab30346f7f5d69fd3f746b83675
SHA25641cb243a338f47135d10287d4b9ae8f8aae8b32a2b6cdcb6fa44aede41114ff3
SHA512ed02e657fb9c89d4cb3615c3d0b2a0fec2bae3ca277f23e6ad86a70502bc28cda064903beccd76664242bdbfccba7cb8b04606051d86fe6a5a6df705bc247f6e
-
Filesize
3KB
MD5b7c5e3b416b1d1b5541ef44662e1a764
SHA18bff7ea2be2f3cf29f2381d8007198b5991ca3ae
SHA256f1a2f9fdebb3cac24756e53fa5e1628b2bd1cc130480c1878e3b3bc880575cd1
SHA51265dbd6a7a7cf6fec00e6b0f1d7d5655769e6087ad09cad74c91c5a3395e675ac8f9df5c7185327e6f8dd03ddb60504400f54237d9e4b53c8b08e7e3d41ee61fc
-
Filesize
492B
MD534c14b8530e1094e792527f7a474fe77
SHA1f71c4e9091140256b34c18220d1dd1efab1f301d
SHA256fe0dfb3458bfe2a3632d365e00765fa10f14d62e7dfa8b70a055c7eb9fdb6713
SHA51225bb09b526e1e9f5c6052f1f7c36b37c956c1b5649936af8df3abfcf120c931f3d2603e17a061cb99d8c8074bfb1973a5423cce89762fca53cd46aeb3e8944a2
-
Filesize
3KB
MD56b78cb8ced798ca5df5612dd62ce0965
SHA15a9c299393b96b0bf8f6770e3c7b0318a9e2e0cf
SHA25681f64f42edfac2863a55db8fabd528c4eefc67f7e658cad6a57eeec862e444e3
SHA512b387ba10021f3284d1406d520a2c8b3ba0c87922d67c79394c1aa50c631194519ac6bb5b898956533f040d48e1c7b202734e0075f8fc8c8bfab82c8ef359b28e
-
Filesize
247B
MD5ca436f6f187bc049f9271ecdcbf348fa
SHA1bf8a548071cfc150f7affb802538edf03d281106
SHA2566cdfa9b7f0e1e4ee16bc8ce5d7448d47ea8866c1f55f3e56be5c2a4d183ca534
SHA512d19e20aabddad6b0284f8c1d473e9180f30b49d4d8b54f26e7c8630228e16b1f6ba04023c5e8b1993d8a10d97adcfff683b216f79b9981bf16181641aebdd591
-
Filesize
12.3MB
MD5d1db27dd0d7191a328b2cada969288e4
SHA15f130ed8857bb5dca79e1181052ae9ecc27999a1
SHA2562ed86cbecad30b234e72128758a7ebf64dc0f0d8312b3f4d6fba91be4660170a
SHA512b28fd6c8ba3e7aaac98d8e1f82c2a3c98a20287eb118ff5b74398c3d7bbdac9587d13cffc8f5d17f8d85a4dbbf22e7e6dc30bad07d92d16c322e9a902dc17826
-
Filesize
122.8MB
MD5e540081aa305d846fd1e0c30a9367b1c
SHA1461ab2a1aabdcbb9948f8fa3c82942ec09c4b959
SHA256403144a9c369004f9c34f2ebe3970894ad57d5961eabbbf4b9348a9ed24c95a5
SHA5127985854fd1001309d46efc121ecea0a8c62c55f68a01bf9201be685fb2f4422f57374f7219cdec39aef606561da084d3961a59bfaec544de06ba0594efad93fb
-
Filesize
122.8MB
MD5e540081aa305d846fd1e0c30a9367b1c
SHA1461ab2a1aabdcbb9948f8fa3c82942ec09c4b959
SHA256403144a9c369004f9c34f2ebe3970894ad57d5961eabbbf4b9348a9ed24c95a5
SHA5127985854fd1001309d46efc121ecea0a8c62c55f68a01bf9201be685fb2f4422f57374f7219cdec39aef606561da084d3961a59bfaec544de06ba0594efad93fb
-
Filesize
8KB
-
Filesize
168KB
-
Filesize
168KB