joker | 58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32

Analysis

max time kernel
153s
max time network
169s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2022 12:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
Size

768KB
MD5

0905114401adca2d542bb147de69cf36
SHA1

391b3f25250d5cad4efbad8dab1f5bbe3c2b9c51
SHA256

58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32
SHA512

f60ae10658d1b4d0fd07da4e333d4dbcd2929552e8e8718f325abd351e862c05c488e52750b17a596a0e1dc2e63d9e549730c20b3a1d715fb11a63b78dc677c3
SSDEEP

12288:MoakyYIAvFGMTQzZr6VI5VaAGnA7wU23USvzf1zSjwpVkZCvDIhYdVytF3Npf/B7:FBII4r6VKaAaA7T2k81fkFYdVaFfpyiB

Score

10^/10

joker infostealer trojan

Malware Config

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\IESettingSync	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\51bfz.cn	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.51bfz.cn	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\51bfz.cn\Total = "63"	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\51bfz.cn	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.51bfz.cn\ = "63"	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "126"	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\www.51bfz.cn\ = "126"	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\51bfz.cn\NumberOfSubdomains = "1"	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\Total\ = "63"	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Internet Explorer\DOMStorage\51bfz.cn\Total = "126"	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f95c0000000100000004000000000800001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
988	58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe

C:\Users\Admin\AppData\Local\Temp\58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe
"C:\Users\Admin\AppData\Local\Temp\58ab164530a5835fd4c8ef3aff4f1d12c2fca4e63f2b8d07c28df48055142b32.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Modifies Internet Explorer settings
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/988-132-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/988-135-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download
memory/988-136-0x0000000000400000-0x0000000000588000-memory.dmp

Filesize
1.5MB

Download