joker | 5a75fa55211464cb6938bcc10ef921422b81d3fa1e864897bc15dcd96ab57e1b

General

Target

5a75fa55211464cb6938bcc10ef921422b81d3fa1e864897bc15dcd96ab57e1b.exe
Size

32KB
MD5

0387eb52d9a0ba82e69b623d14425550
SHA1

a20fa675abe285070999b9830decf78b81a3896e
SHA256

5a75fa55211464cb6938bcc10ef921422b81d3fa1e864897bc15dcd96ab57e1b
SHA512

e62309af8828648883a37abaa22828c253c90fb2ad4e0d8d86e2021e648cf070b27905c53a9e12d3e8511581bd9dcd7e742f4bb0277572743eb3bfbb0895b8fd
SSDEEP

768:ryHus/t/jPMUY96cPvc0xJGKJxsLoI/CYR/9m:rm7/1T46Gc0xJwdL

Score

10^/10

joker bootkit infostealer persistence trojan

Malware Config

Extracted

Family

joker

C2

http://tttie.oss-cn-shenzhen.aliyuncs.com

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker
Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
1888	kinst_1_335.exe

Deletes itself 1 IoCs

pid	Process
1912	cmd.exe

Loads dropped DLL 4 IoCs

pid	Process
108	5a75fa55211464cb6938bcc10ef921422b81d3fa1e864897bc15dcd96ab57e1b.exe
1888	kinst_1_335.exe
1888	kinst_1_335.exe
1888	kinst_1_335.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	kinst_1_335.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\open.ini	5a75fa55211464cb6938bcc10ef921422b81d3fa1e864897bc15dcd96ab57e1b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
1572	taskkill.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node	kinst_1_335.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID	kinst_1_335.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}	kinst_1_335.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories	kinst_1_335.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\guid = "8FCCDC5F11A04D39AB81A5198123280E"	kinst_1_335.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}\did = "8A096E92BC88E6A615BD82DDBBC214FB"	kinst_1_335.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79B5BC47-CEA1-4772-B433-7D1B3139F278}\Implemented Categories\{607568DD-B059-434b-B7E7-38EC51998F8E}	kinst_1_335.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1572	taskkill.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 108 wrote to memory of 1888	108	5a75fa55211464cb6938bcc10ef921422b81d3fa1e864897bc15dcd96ab57e1b.exe	30
PID 108 wrote to memory of 1888	108	5a75fa55211464cb6938bcc10ef921422b81d3fa1e864897bc15dcd96ab57e1b.exe	30
PID 108 wrote to memory of 1888	108	5a75fa55211464cb6938bcc10ef921422b81d3fa1e864897bc15dcd96ab57e1b.exe	30
PID 108 wrote to memory of 1888	108	5a75fa55211464cb6938bcc10ef921422b81d3fa1e864897bc15dcd96ab57e1b.exe	30
PID 108 wrote to memory of 1888	108	5a75fa55211464cb6938bcc10ef921422b81d3fa1e864897bc15dcd96ab57e1b.exe	30
PID 108 wrote to memory of 1888	108	5a75fa55211464cb6938bcc10ef921422b81d3fa1e864897bc15dcd96ab57e1b.exe	30
PID 108 wrote to memory of 1888	108	5a75fa55211464cb6938bcc10ef921422b81d3fa1e864897bc15dcd96ab57e1b.exe	30
PID 108 wrote to memory of 1912	108	5a75fa55211464cb6938bcc10ef921422b81d3fa1e864897bc15dcd96ab57e1b.exe	31
PID 108 wrote to memory of 1912	108	5a75fa55211464cb6938bcc10ef921422b81d3fa1e864897bc15dcd96ab57e1b.exe	31
PID 108 wrote to memory of 1912	108	5a75fa55211464cb6938bcc10ef921422b81d3fa1e864897bc15dcd96ab57e1b.exe	31
PID 108 wrote to memory of 1912	108	5a75fa55211464cb6938bcc10ef921422b81d3fa1e864897bc15dcd96ab57e1b.exe	31
PID 108 wrote to memory of 1912	108	5a75fa55211464cb6938bcc10ef921422b81d3fa1e864897bc15dcd96ab57e1b.exe	31
PID 108 wrote to memory of 1912	108	5a75fa55211464cb6938bcc10ef921422b81d3fa1e864897bc15dcd96ab57e1b.exe	31
PID 108 wrote to memory of 1912	108	5a75fa55211464cb6938bcc10ef921422b81d3fa1e864897bc15dcd96ab57e1b.exe	31
PID 1912 wrote to memory of 1572	1912	cmd.exe	34
PID 1912 wrote to memory of 1572	1912	cmd.exe	34
PID 1912 wrote to memory of 1572	1912	cmd.exe	34
PID 1912 wrote to memory of 1572	1912	cmd.exe	34
PID 1912 wrote to memory of 1572	1912	cmd.exe	34
PID 1912 wrote to memory of 1572	1912	cmd.exe	34
PID 1912 wrote to memory of 1572	1912	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\5a75fa55211464cb6938bcc10ef921422b81d3fa1e864897bc15dcd96ab57e1b.exe
"C:\Users\Admin\AppData\Local\Temp\5a75fa55211464cb6938bcc10ef921422b81d3fa1e864897bc15dcd96ab57e1b.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:108
- C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\kinst_1_335.exe
  "C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\kinst_1_335.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  PID:1888
- C:\Windows\SysWOW64\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\5a75fa55211464cb6938bcc10ef921422b81d3fa1e864897bc15dcd96ab57e1b.exe.bat
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM 5a75fa55211464cb6938bcc10ef921422b81d3fa1e864897bc15dcd96ab57e1b.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1572

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\5a75fa55211464cb6938bcc10ef921422b81d3fa1e864897bc15dcd96ab57e1b.exe.bat

Filesize
330B

MD5
a67ae4f82ac4d0d63c9c164268cfbfbe

SHA1
8386b52a908594269fd11e399c003dc9601e3f75

SHA256
cd3e1175f7d9379b6796a706561525bca67a384d06eccb42c12598ac29479ce8

SHA512
75752c083c88074a03f2472f4442dfba4a35e5067d979e72897f088ec9bcab762f52ec91177fb4df1d9b2b7b82d5f082184f3f192efbde0d612fc583ea73afd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\kinst_1_335.exe

Filesize
1.1MB

MD5
3035693137f153ef3e1213a945d33e00

SHA1
175f680ed04a381663a594189750b450a1f86229

SHA256
646be34566c6b635f9d32fdd54ae7824255a363de2a12d084a1797c3c43ad3a1

SHA512
802553d8bd67880efb346ca188b5e7b17d95feafe65018b1d87d372d146c5bbf417040493c527bad1fcbe32c62b6639b00220340226c1cae1ed6640cf94f155c

Download Submit
C:\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\kinst_1_335.exe

Filesize
1.1MB

MD5
3035693137f153ef3e1213a945d33e00

SHA1
175f680ed04a381663a594189750b450a1f86229

SHA256
646be34566c6b635f9d32fdd54ae7824255a363de2a12d084a1797c3c43ad3a1

SHA512
802553d8bd67880efb346ca188b5e7b17d95feafe65018b1d87d372d146c5bbf417040493c527bad1fcbe32c62b6639b00220340226c1cae1ed6640cf94f155c

Download Submit
\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\kinst_1_335.exe

Filesize
1.1MB

MD5
3035693137f153ef3e1213a945d33e00

SHA1
175f680ed04a381663a594189750b450a1f86229

SHA256
646be34566c6b635f9d32fdd54ae7824255a363de2a12d084a1797c3c43ad3a1

SHA512
802553d8bd67880efb346ca188b5e7b17d95feafe65018b1d87d372d146c5bbf417040493c527bad1fcbe32c62b6639b00220340226c1cae1ed6640cf94f155c

Download Submit
\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\kinst_1_335.exe

Filesize
1.1MB

MD5
3035693137f153ef3e1213a945d33e00

SHA1
175f680ed04a381663a594189750b450a1f86229

SHA256
646be34566c6b635f9d32fdd54ae7824255a363de2a12d084a1797c3c43ad3a1

SHA512
802553d8bd67880efb346ca188b5e7b17d95feafe65018b1d87d372d146c5bbf417040493c527bad1fcbe32c62b6639b00220340226c1cae1ed6640cf94f155c

Download Submit
\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\kinst_1_335.exe

Filesize
1.1MB

MD5
3035693137f153ef3e1213a945d33e00

SHA1
175f680ed04a381663a594189750b450a1f86229

SHA256
646be34566c6b635f9d32fdd54ae7824255a363de2a12d084a1797c3c43ad3a1

SHA512
802553d8bd67880efb346ca188b5e7b17d95feafe65018b1d87d372d146c5bbf417040493c527bad1fcbe32c62b6639b00220340226c1cae1ed6640cf94f155c

Download Submit
\Users\Admin\AppData\Local\Temp\sbnimb.tmp\dtstop.tmp\kinst_1_335.exe

Filesize
1.1MB

MD5
3035693137f153ef3e1213a945d33e00

SHA1
175f680ed04a381663a594189750b450a1f86229

SHA256
646be34566c6b635f9d32fdd54ae7824255a363de2a12d084a1797c3c43ad3a1

SHA512
802553d8bd67880efb346ca188b5e7b17d95feafe65018b1d87d372d146c5bbf417040493c527bad1fcbe32c62b6639b00220340226c1cae1ed6640cf94f155c

Download Submit
memory/108-55-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/108-63-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/108-54-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download
memory/108-56-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download
memory/108-57-0x0000000000020000-0x0000000000033000-memory.dmp

Filesize
76KB

Download

Analysis

Sharing