joker | a91e822957d66f26016249dc598f6868c8a803ef029f233fef88ff3f30f462ab

Analysis

max time kernel
1981566s
max time network
323s
platform
android_x86
resource
android-x86-arm-20220823-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20220823-enlocale:en-usos:android-9-x86system
submitted
14-11-2022 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

com.autoprivate.gallylocker.apk
Size

2.0MB
MD5

d2af80a36bdbb5fb11adaf030ada0f36
SHA1

58bf8a0d23fe7c6f184ce7f88ad09f0d169e501f
SHA256

25922e86d546a5027c19d0e06bf6203cdf9f1f10d69a944f4225cbfe9f258627
SHA512

c1864d11709750896de80098ba368644585922c90547733038168440538377d71d54b18a2921cb36e11ffb0feb137016abd21cd9e0e84d466505942a69ba3895
SSDEEP

49152:XuKcHIIdnVifRWaxFIb9gU0KxiXoS2CPwb2mr547A:enIEnViLxa9x0vXgC4b2mr547A

Score

10^/10

joker evasion infostealer ransomware trojan

Malware Config

Extracted

Family

joker

http://oneslife.oss-ap-southeast-1.aliyuncs.com

https://cxjus.oss-accelerate.aliyuncs.com

https://cxjus.oss-ap-southeast-1.aliyuncs.com

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
Anonymous-DexFile@0xe686e000-0xe686f448	4141	com.autoprivate.gallylocker
/data/user/0/com.autoprivate.gallylocker/files/throughout	4141	com.autoprivate.gallylocker
/data/user/0/com.autoprivate.gallylocker/files/Yang	4141	com.autoprivate.gallylocker

Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.autoprivate.gallylocker

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.autoprivate.gallylocker

com.autoprivate.gallylocker
1⤵
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4141

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.autoprivate.gallylocker/app_webview/Web Data

Filesize
104KB

MD5
dc79f9ce5f3ab5270b33e61119dfc959

SHA1
1844bf222a5144b513dcf2fb50a18c011701c647

SHA256
47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

SHA512
18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

Download Submit
/data/user/0/com.autoprivate.gallylocker/app_webview/Web Data-journal

Filesize
1KB

MD5
4867917baa23eba045025d73fbdee1c2

SHA1
272838ff741d8ca65a15b4f4a91461d60c4f38c7

SHA256
358d7d31a85ccdfd524327f3f12bd1d9397c91c6654533b1e2856717e341b28c

SHA512
4f2ca199abf6fb52ac3a02f33fbb3db8c932d6bd0f67e8dacb1d05fe9c9cc7022a909167746a9ab14344a1be9dc698b16d2fef3290ff06a5f5f76ae5bb01180a

Download Submit
/data/user/0/com.autoprivate.gallylocker/app_webview/metrics_guid

Filesize
36B

MD5
478627635693a4a4d8599fb76a3305d2

SHA1
2ecf4e1793aecdded30c7be124f32656b90c542f

SHA256
a36ce6c9ed98d0e831d3ac46f0c1e07331c387734601b04fb3db54e96cf4ebbc

SHA512
7bfe9004689cfcf6cf9b8e9fecf5867807aae3fa8171aa533a522efa2019dfe525a58f722b3d472e13b9e5406d589a561580823cd63999c4865ef5447dd6f294

Download Submit
/data/user/0/com.autoprivate.gallylocker/files/Yang

Filesize
21KB

MD5
fa2c67612f4e19821c422c0b7b9ca6a5

SHA1
12c53f6fc22f19b9c2f5898deff70b09eb7a956d

SHA256
9198db5725264997ce4ab0f180adf73eba7c859a20dfe29f836ce5f79704a8b4

SHA512
20c81925da395f57134f52ab2551f174489a45a41888074ed7347eac0cfa6fcd72d38f2f22dd14aa14ff76748d03fa23311e26ce234bad0e3c8eb50d5a4270d0

Download Submit
/data/user/0/com.autoprivate.gallylocker/files/Yang

Filesize
42KB

MD5
cf9b80c63f5e26173dd0ed8183c1f5b8

SHA1
ed819bfd1f0b902ba280c043c866e9d7a7a276b9

SHA256
6058616f4018268752d386f22ba8740a1ae6e08caf41fc3ecd623a4a95bdf553

SHA512
09e3d24f8d39e897163208c0cb8c2571c9dff110290e4051c716e14f60452a46a488d0b62f39953ede603cc9827068f5f8340260624f068189f6f969a1f0b912

Download Submit
/data/user/0/com.autoprivate.gallylocker/files/throughout

Filesize
5KB

MD5
e9535f02bdc0a5866a44402d04b19daf

SHA1
1c1bb8c049a544851e0412c89375c112ba1d5a1f

SHA256
583dee93df9313925f812c46fed402e0e944ec9830ee017d13a102120f685933

SHA512
e1007024029572a907fb56b3330de10878ce61a437c42356f301e5a47cb57d82064cc0f7b6a5ca702702d1b86d84bbe6b420fc6b6076eddb244ba0692da2f3c3

Download Submit
/data/user/0/com.autoprivate.gallylocker/files/throughout

Filesize
9KB

MD5
71309d8ea170825c7077c96d80c0982b

SHA1
65ce7cd71cf09373a8c241a0b9e661a3436e9cb0

SHA256
07ce03668b5f08bf5ca8615e04acd7031222fc1a8d406bde015cd85d8e696f47

SHA512
13a3da671c2f0a268b31acca207d5d9d0b0ea219c08b6ba26527b3035e4ad40592db9217b06bf079f7b5457bf92727ab93a49da43e1fdcdbf02ba8f9460db905

Download Submit
/data/user/0/com.autoprivate.gallylocker/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit
/data/user/0/com.autoprivate.gallylocker/shared_prefs/com.autoprivate.gallylocker_preferences.xml

Filesize
110B

MD5
25c15f9de625c28e23487a01399abb5d

SHA1
77dc15a5aaf6c7aa772aa1f99008c159bddde244

SHA256
c09e43856d9c47b2ba76794f0aa55496a93caa019807ca60a53d7845d3b8ac9a

SHA512
2425a6408ec54c1c045cc99be5937f09cbf43a623e44e3cdfe74b86f9125e1fb4e0f8a4dda4d1acdf974589025e6072ae73b76e9adc69d72f43bb2da94d40798

Download Submit
Anonymous-DexFile@0xe686e000-0xe686f448

Filesize
5KB

MD5
7a91d293676ebb2cbdda312a14c07b51

SHA1
5b79127003c7cbc09c07834fea83b8c9d44a79b5

SHA256
7f47a5252de31848d4bfa3aec48d8111e332b7351bb6f57919859cc9f0308303

SHA512
6ccb13d7f8cf7e3c4aae4fce0f2fd6c7acb94d2eff624ab9e314c13100d2a7b9572a733c5423cf79b889dbb3ba88f8d008c8de36d7ddd77b090219b976a981d2

Download Submit