joker | 790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4

Analysis

max time kernel
188s
max time network
204s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08-11-2022 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe
Size

26KB
MD5

0f9b981d348df5e559eeb65ff6f94db0
SHA1

6e7bfc51cdbb6a3360d04e3bf01f39a5611d7581
SHA256

790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4
SHA512

7064ea627a92e3904b6789f43cc592c8cebee4428e2d9a9d9f3f68f0ad6fc3bcba5cf1d9bde304ffc29545fc68f694e0c9a343d500825fe84fabc43287d7a75e
SSDEEP

384:r6NhPbj62Tj9xec1JmLfBY5vX0kda6j0eohDTkVOhvF27z/FUxiWtBlwmRz:rem2Tbar+f0Ua6C9yoYf

Score

10^/10

joker infostealer trojan upx

Malware Config

Extracted

Family

joker

http://mmtie.oss-cn-hangzhou.aliyuncs.com

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker
Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1820	install1968982.exe
1624	duba_1_244.exe

UPX packed file 14 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1456-55-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/files/0x00070000000132f6-59.dat	upx
behavioral1/files/0x00070000000132f6-61.dat	upx
behavioral1/files/0x00070000000132f6-63.dat	upx
behavioral1/files/0x00070000000132f6-64.dat	upx
behavioral1/files/0x00070000000132f6-65.dat	upx
behavioral1/files/0x0007000000012721-66.dat	upx
behavioral1/files/0x0007000000012721-68.dat	upx
behavioral1/files/0x0007000000012721-74.dat	upx
behavioral1/files/0x0007000000012721-73.dat	upx
behavioral1/files/0x0007000000012721-72.dat	upx
behavioral1/memory/1456-71-0x0000000000400000-0x0000000000414000-memory.dmp	upx
behavioral1/memory/1820-79-0x0000000000400000-0x0000000000600000-memory.dmp	upx
behavioral1/memory/1624-83-0x0000000000400000-0x000000000051E000-memory.dmp	upx

Loads dropped DLL 6 IoCs

pid	Process
1456	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe
1820	install1968982.exe
1820	install1968982.exe
1456	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe
1624	duba_1_244.exe
1624	duba_1_244.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\open.ini	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1676	taskkill.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1820	1456	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	30
PID 1456 wrote to memory of 1820	1456	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	30
PID 1456 wrote to memory of 1820	1456	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	30
PID 1456 wrote to memory of 1820	1456	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	30
PID 1456 wrote to memory of 1820	1456	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	30
PID 1456 wrote to memory of 1820	1456	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	30
PID 1456 wrote to memory of 1820	1456	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	30
PID 1456 wrote to memory of 1624	1456	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	31
PID 1456 wrote to memory of 1624	1456	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	31
PID 1456 wrote to memory of 1624	1456	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	31
PID 1456 wrote to memory of 1624	1456	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	31
PID 1456 wrote to memory of 1624	1456	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	31
PID 1456 wrote to memory of 1624	1456	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	31
PID 1456 wrote to memory of 1624	1456	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	31
PID 1456 wrote to memory of 1228	1456	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	32
PID 1456 wrote to memory of 1228	1456	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	32
PID 1456 wrote to memory of 1228	1456	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	32
PID 1456 wrote to memory of 1228	1456	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	32
PID 1456 wrote to memory of 1228	1456	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	32
PID 1456 wrote to memory of 1228	1456	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	32
PID 1456 wrote to memory of 1228	1456	790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe	32

C:\Users\Admin\AppData\Local\Temp\790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe
"C:\Users\Admin\AppData\Local\Temp\790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\install1968982.exe
  "C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\install1968982.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1820
- C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe
  "C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe.bat
  2⤵
  PID:1228
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM 790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe
    3⤵
    - Kills process with taskkill
    PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\790d1abe38d8263ce71f97605c9c474eb3eec57d64ddc61ccbcf23c28da117b4.exe.bat

Filesize
330B

MD5
9b3d5cf083852bc55319224bbe221669

SHA1
42abbb558a00806567aa7171d460d168841de854

SHA256
c8527b686b4d08195b68d7dc4e10951fb5d09824e8f669259cc24b0345c9f05f

SHA512
855ce361bdbf9621414212f68189711222aa5d9a65b519a6f8ce19f21a8bb21f537774a2a86ac729f9b7e8b8bc01e76260577ff7bc485ab74c6761afe94a11fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe

Filesize
5.0MB

MD5
82b307f3bfa0b7cfde87979e45c49759

SHA1
234b3846cb2d26bd5cab153670f1c17da6859a93

SHA256
524903f697d8034e6ae845b802d13325fd3a011c8db926bd57681eab8ea02e93

SHA512
e39518d480c5f85ac2e5e1e1e5030611d01ba1a080b689c15fa1c6d56ce3fa7fd5ec6f6baa34ff040ed88330e73078dba0cd044de89978dafd929daefc488f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe

Filesize
3.8MB

MD5
ab982b62764e99f66bc6c93d142ad2aa

SHA1
402cda94b7fdfd54773cdd1fb8fbd16f2777a391

SHA256
e3127d24277153588925a8ae07f715d09e0b5f8af4738aa35757205a047ce4f8

SHA512
41f2a77eb688d9d0660834e01d5130f9439ce7abc86d80d0b7982ec293af4bd5c89b92ce71f8d0a8d4e979a863bec033ee249fbcd3c76e667534b79d6515800e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\install1968982.exe

Filesize
489KB

MD5
4803bd061651c642a3425e474cf7c7bf

SHA1
d70866dce3f296fb5bef6bcde13c356b0f8a7dc4

SHA256
7031bbb4bf7af95a180e62161897bf265c49b6cbe39907e5166ba4959b079a92

SHA512
a33a649bedf27cda725c00871d4ebfcd74128c8dfaf5f07e07eb110df94f5dede347ba7dbbdf60ca1b106cfbc8b757a4620ef2ef04035c40742a316cdd86971b

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\install1968982.exe

Filesize
489KB

MD5
4803bd061651c642a3425e474cf7c7bf

SHA1
d70866dce3f296fb5bef6bcde13c356b0f8a7dc4

SHA256
7031bbb4bf7af95a180e62161897bf265c49b6cbe39907e5166ba4959b079a92

SHA512
a33a649bedf27cda725c00871d4ebfcd74128c8dfaf5f07e07eb110df94f5dede347ba7dbbdf60ca1b106cfbc8b757a4620ef2ef04035c40742a316cdd86971b

Download Submit
\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe

Filesize
5.3MB

MD5
92d1169831ce07cc2ac0b3e40b6b078d

SHA1
9f66ead15904ff9337a292ee140f882084229e53

SHA256
951d8219aaa2de09daf312584cf6bb2bdf62edcf76e787cc9754160b95128b09

SHA512
a7db22585b56411ae339a0fb32c7e93112c1e2552e82a83229b176387ac461f55d29f393f20ddf11d3c9b30d49944c9265c1f188775f5af3c356d1c137800839

Download Submit
\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe

Filesize
3.3MB

MD5
8ddcfdcec8f9c1e0417690d7505505b3

SHA1
1be66ff3521176d34f605122a618a2f080dcd0d7

SHA256
b8f248d541f4e7384a83d7a64168e50000c259f3f327a8b3d8b8a7690df4d098

SHA512
7f22d79e587b8e2d08e9e8b9e1f1186f2b7393865e93280e88fcfd648d5ff8c1dba371f6d1ef847988dbc35e899888da0855534555b6882a9e00c2dc3948badc

Download Submit
\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\duba_1_244.exe

Filesize
3.9MB

MD5
773a28d2569dfc93538d566632ad75d2

SHA1
bf5436f65fa31884e3ecef8cbda174da51a84cb9

SHA256
14076449a221e7f81a750058185ef4ad2a638b6f5afe3c8a4d7d9c787cdfe0bd

SHA512
27e3c4ad70a57f4675f685f62feaeb86fe0f39b219ec9f9675f7fd1918d2ad939dfc4cf5b70e7f9f41c07d08e8422a83bef0796c10917ceea9d3c4d630cb9128

Download Submit
\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\install1968982.exe

Filesize
489KB

MD5
4803bd061651c642a3425e474cf7c7bf

SHA1
d70866dce3f296fb5bef6bcde13c356b0f8a7dc4

SHA256
7031bbb4bf7af95a180e62161897bf265c49b6cbe39907e5166ba4959b079a92

SHA512
a33a649bedf27cda725c00871d4ebfcd74128c8dfaf5f07e07eb110df94f5dede347ba7dbbdf60ca1b106cfbc8b757a4620ef2ef04035c40742a316cdd86971b

Download Submit
\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\install1968982.exe

Filesize
489KB

MD5
4803bd061651c642a3425e474cf7c7bf

SHA1
d70866dce3f296fb5bef6bcde13c356b0f8a7dc4

SHA256
7031bbb4bf7af95a180e62161897bf265c49b6cbe39907e5166ba4959b079a92

SHA512
a33a649bedf27cda725c00871d4ebfcd74128c8dfaf5f07e07eb110df94f5dede347ba7dbbdf60ca1b106cfbc8b757a4620ef2ef04035c40742a316cdd86971b

Download Submit
\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\install1968982.exe

Filesize
489KB

MD5
4803bd061651c642a3425e474cf7c7bf

SHA1
d70866dce3f296fb5bef6bcde13c356b0f8a7dc4

SHA256
7031bbb4bf7af95a180e62161897bf265c49b6cbe39907e5166ba4959b079a92

SHA512
a33a649bedf27cda725c00871d4ebfcd74128c8dfaf5f07e07eb110df94f5dede347ba7dbbdf60ca1b106cfbc8b757a4620ef2ef04035c40742a316cdd86971b

Download Submit
memory/1456-71-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1456-55-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1456-58-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/1456-57-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/1456-54-0x0000000075981000-0x0000000075983000-memory.dmp

Filesize
8KB

Download
memory/1456-56-0x0000000000020000-0x0000000000034000-memory.dmp

Filesize
80KB

Download
memory/1624-77-0x0000000000240000-0x000000000035E000-memory.dmp

Filesize
1.1MB

Download
memory/1624-83-0x0000000000400000-0x000000000051E000-memory.dmp

Filesize
1.1MB

Download
memory/1624-84-0x0000000000240000-0x000000000035E000-memory.dmp

Filesize
1.1MB

Download
memory/1820-79-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/1820-81-0x0000000000DC0000-0x0000000000FC0000-memory.dmp

Filesize
2.0MB

Download
memory/1820-82-0x0000000000DC0000-0x0000000000FC0000-memory.dmp

Filesize
2.0MB

Download