joker | e1d12953bb1adc4ad04ded99f833935f60785f510cf87587cdc860866d8da593 | Triage

Resubmissions

12-12-2022 10:57

221212-m18xradh5t 10

Analysis

max time kernel
96801s
max time network
130s
platform
android_x86
resource
android-x86-arm-20220823-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20220823-enlocale:en-usos:android-9-x86system
submitted
12-12-2022 10:57

Sharing

Report Analysis Logs

General

Target

Paint Art.apk
Size

3.5MB
MD5

16a4cbdb16994f328003f63a8b16a1ab
SHA1

87b027fa2a3bf188d5945720bc16dc1f9469cf77
SHA256

e1d12953bb1adc4ad04ded99f833935f60785f510cf87587cdc860866d8da593
SHA512

09eaf20e4b27f012a2458fcd875db02eff6d500b9ef2d9c1a0b073591cef6d86f4a5e648e0dedc29c64b11d6a846cf27806972c0438f5eeba44e52c9b19b010f
SSDEEP

98304:QrSSze0+HVciXp0wxsPgdsuGnRCCO+8Lz31JuhVEraCZRgqk:USSi0wciXp0w2JxRe+8H31QjO1k

Score

10^/10

joker evasion infostealer ransomware trojan

Malware Config

Extracted

Family

joker

C2

http://thoroughly.oss-ap-southeast-5.aliyuncs.com/artpainting

Grant permission to use all features

https://cxjus.oss-ap-southeast-1.aliyuncs.com/af2

https://cxjus.oss-ap-southeast-1.aliyuncs.com/fbhx

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
Anonymous-DexFile@0xe5575000-0xe557664c	4089	com.nuklis.artpainting
/data/user/0/com.nuklis.artpainting/files/vitality	4089	com.nuklis.artpainting
/data/user/0/com.nuklis.artpainting/files/ionsxg	4089	com.nuklis.artpainting

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Reads information about phone network operator.

Removes a system notification. 1 IoCs

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.nuklis.artpainting

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.nuklis.artpainting

com.nuklis.artpainting
1⤵
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4089

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.nuklis.artpainting/app_webview/Cookies

Filesize
64KB

MD5
cb7543c4df600f2af58097cce0e334ba

SHA1
83cc92f38c27fdb4fa519b1ce2f37912f24af1f0

SHA256
64c022ae708f94ffde986e105d88f708884de325720bfb9925c4160a6d417233

SHA512
ad51cad0472327bd68aa2d791341cfafed58971752352537bb603ed18b15a3f9185e9150983a28ecd09606e8dcaef6d1c9d93213dd246ef7720f39842eb3d980

Download Submit
/data/user/0/com.nuklis.artpainting/app_webview/Cookies-journal

Filesize
1KB

MD5
c5782fec95604f3ca9bc39d63e35d5ef

SHA1
183413a886fd2c103cddc5bdd32a4e54519edada

SHA256
edcb504d720dcdd61db8701032df65a0034542debf3a03b9a1524c381a8d5416

SHA512
0ee5eda7a009757239b4daf51a6c5218a62e8920822b2aa943b33fe29df6afe8a96aa43c48cd540143b1cd0916ddad58f9498b420ff7d232d4d98702dab1e6ae

Download Submit
/data/user/0/com.nuklis.artpainting/app_webview/Web Data

Filesize
104KB

MD5
dc79f9ce5f3ab5270b33e61119dfc959

SHA1
1844bf222a5144b513dcf2fb50a18c011701c647

SHA256
47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

SHA512
18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

Download Submit
/data/user/0/com.nuklis.artpainting/app_webview/Web Data-journal

Filesize
1KB

MD5
d1a4d53e959a13dd7da398a56cad7372

SHA1
0d7a939c8df4b48833a5be9362dccc295404065e

SHA256
be9241929c894455d6d1bf2df557d2990cae46c386e984ee16e70032f251fea6

SHA512
214a0702482f6f55779f766135c28cd467716a65269c99328fc6b922138b18065ef30f3dc324b1ecef7de5d1c00ff316c3184692b8b5fe67bced95a7e16bec72

Download Submit
/data/user/0/com.nuklis.artpainting/app_webview/metrics_guid

Filesize
36B

MD5
72d04826f5905711e7a1257ebc6ebe5c

SHA1
dc362a07c6a009b0516252bc8b4ec303111dfe5f

SHA256
11896270b5af1af32dd0dece2bd6d2570f4c5512824db4dec4bfe027b44454bb

SHA512
59cc83a5f65a39af4e9ea6918752dde99b189d45f0ff217c47682b2f38f911ecc23daceae023d528ce1dae4ca8b0686de5ebb2e434052bca99fb4eb4e4416dbc

Download Submit
/data/user/0/com.nuklis.artpainting/databases/PAINT_ART.DB

Filesize
32KB

MD5
c2dbe60d92a4c841ffc4c9f9b6131aec

SHA1
50483e82d68e37d054d3c7ccdf812afeb6626f25

SHA256
23f8db729e1b9a205e42e197a37b7255d62492e3642e00476ef77c135d57b3b8

SHA512
4f1a9efae44fb658075e5d4ad41642e118562405248c2f5416bdcbf0f9e5f497d08263402b67186dff6e43550e9e9ab61ccaadbbce28c242197f6e2f5d7544fa

Download Submit
/data/user/0/com.nuklis.artpainting/databases/PAINT_ART.DB-journal

Filesize
524B

MD5
79042c931a09ad3ffb523c805f7a6b46

SHA1
3becc9a951fc92465171ba4be829c544527bb5e4

SHA256
18e4e9c34cc39069cd7af999453dddf679766c854081bbce4efc0d79c88c16b7

SHA512
b9e65fce3f177dbd668eedaee95e449d6a8e9f4f87e007ea82ce782497578ac4ce711cc7dd304f390e9af6ab93be4e7eae3536c471e6f1aadd142e122e2851f1

Download Submit
/data/user/0/com.nuklis.artpainting/databases/PAINT_ART.DB-shm

Filesize
8B

MD5
7dea362b3fac8e00956a4952a3d4f474

SHA1
05fe405753166f125559e7c9ac558654f107c7e9

SHA256
af5570f5a1810b7af78caf4bc70a660f0df51e42baf91d4de5b2328de0e83dfc

SHA512
1b7409ccf0d5a34d3a77eaabfa9fe27427655be9297127ee9522aa1bf4046d4f945983678169cb1a7348edcac47ef0d9e2c924130e5bcc5f0d94937852c42f1b

Download Submit
/data/user/0/com.nuklis.artpainting/databases/PAINT_ART.DB-shm

Filesize
8B

MD5
7dea362b3fac8e00956a4952a3d4f474

SHA1
05fe405753166f125559e7c9ac558654f107c7e9

SHA256
af5570f5a1810b7af78caf4bc70a660f0df51e42baf91d4de5b2328de0e83dfc

SHA512
1b7409ccf0d5a34d3a77eaabfa9fe27427655be9297127ee9522aa1bf4046d4f945983678169cb1a7348edcac47ef0d9e2c924130e5bcc5f0d94937852c42f1b

Download Submit
/data/user/0/com.nuklis.artpainting/databases/PAINT_ART.DB-shm

Filesize
8B

MD5
7dea362b3fac8e00956a4952a3d4f474

SHA1
05fe405753166f125559e7c9ac558654f107c7e9

SHA256
af5570f5a1810b7af78caf4bc70a660f0df51e42baf91d4de5b2328de0e83dfc

SHA512
1b7409ccf0d5a34d3a77eaabfa9fe27427655be9297127ee9522aa1bf4046d4f945983678169cb1a7348edcac47ef0d9e2c924130e5bcc5f0d94937852c42f1b

Download Submit
/data/user/0/com.nuklis.artpainting/databases/PAINT_ART.DB-wal

Filesize
40KB

MD5
9f682d652729beb7dd610e75270af769

SHA1
562834fc36de5ed61cb7f79816edd9d9e63be636

SHA256
141e5036c690c6cab666eb43ec79c2721ac06e62e926ab60b45834f5d051bce3

SHA512
20d05811f7a431a475e17b718621ff00a824630fc6ae95a0ed7cbaaa00ba15182d05604aa8ca7a1a7f1e356bbc4bf46b5ebe1514b2f7727796bbb7d4dc4b906b

Download Submit
/data/user/0/com.nuklis.artpainting/files/ionsxg

Filesize
22KB

MD5
0d4e0388ddad6dfab2e1d43c0c339ad0

SHA1
a097d295281c4796030ad3a8d6a24cefc8ac53b3

SHA256
409633ccb7463620e5f774ed0b466839f5aaa8f8005082af67bb7bbfbbf1a8b0

SHA512
381e7b5b19ff133c96550e860e66e5d61ee75bf73be268d7eeffdd5200b59e293ac979a07a303eb3d2e9b4f6b20acdb0335398f0b13c4c64a48b184c8e273d3a

Download Submit
/data/user/0/com.nuklis.artpainting/files/ionsxg

Filesize
46KB

MD5
25b621b14e9bdb8d3009a25ac15b2997

SHA1
fab787ef17d4b1fd8ba506ac433c90933685972b

SHA256
d1491805efe37e08dd402d82d7e03b74c27dd21b00963aaebf1eba373d803b56

SHA512
be560e695ca2b63672381b47738c5ce9963ca1b2ad3ad42c723e464d0f48ed6d67fb1b98197f597219e8272ba0c67a7d375ee05ef7d34f665dc4d3da58b69355

Download Submit
/data/user/0/com.nuklis.artpainting/files/temp/layer_1_1670839040976.png

Filesize
831B

MD5
aae4d28956b6b420bb7b24002b22b494

SHA1
b276ae47f151a3724340f0508176c35308812aec

SHA256
ee2355504e7096f63c4607e59a9081be9ab6ee55dbe4cda997e6ad128160df11

SHA512
ad222e81e4ecc53b1ba432237367316be04ec032902161fdf2f1c4659b16efdfccfb836a306006f124af2cd4d7de0eefa49c2f65534cda04e23e83f527957a65

Download Submit
/data/user/0/com.nuklis.artpainting/files/vitality

Filesize
9KB

MD5
3c30eb296bb5eadfda95ebaa84ad9b5a

SHA1
210affe08e642caad98f5b53c3e14ee52c34dcdc

SHA256
7046320162f6db8670145a648c08e3c94ddb7064cf4204f7531eaca627404e27

SHA512
120672861673362f1474af120001d1e2fb46c7db872e27706e1835fa584f49513d5c970b0618b0eaecd27869fd937267b030881c5e5a0e866db327e9d27f42cd

Download Submit
/data/user/0/com.nuklis.artpainting/files/vitality

Filesize
15KB

MD5
f2e4732bba985887330fac436cb3496c

SHA1
731562c0252a55ab141ec86335f502decf6a7d88

SHA256
d89523eb3b0c6e611b1e041792265e8f67b921d58032ee81afe262d8b99a07ca

SHA512
024ac60af79d633bac8d10ef2797e9cfa510602f58f9482920b9dc58c8a5f464d9509b4e5e587f39784fc440c903eaae05aaefe214832055cad889754d043b79

Download Submit
/data/user/0/com.nuklis.artpainting/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/user/0/com.nuklis.artpainting/no_backup/androidx.work.workdb-journal

Filesize
524B

MD5
1bf44591f8024bf4f9763e3dc9553cd7

SHA1
cd622f88c292e0b0b56af56d0d1e2a0902d08602

SHA256
308a0811fe5d304c6bdfcb723fc37d8e4aa7f2043e14e69cfe3f96383ce7bc0f

SHA512
9cc654c347e425848be82efa68b52ad11a80b8c93474430e05f2ad93db8f874e4ce38d7b00cf5b13b3e6194d46717724be771d7359f1ae63fb829f92886e4145

Download Submit
/data/user/0/com.nuklis.artpainting/no_backup/androidx.work.workdb-shm

Filesize
8B

MD5
7dea362b3fac8e00956a4952a3d4f474

SHA1
05fe405753166f125559e7c9ac558654f107c7e9

SHA256
af5570f5a1810b7af78caf4bc70a660f0df51e42baf91d4de5b2328de0e83dfc

SHA512
1b7409ccf0d5a34d3a77eaabfa9fe27427655be9297127ee9522aa1bf4046d4f945983678169cb1a7348edcac47ef0d9e2c924130e5bcc5f0d94937852c42f1b

Download Submit
/data/user/0/com.nuklis.artpainting/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
1bf872475524ce57dc329b8e213a0d2d

SHA1
bf2d752afa7ba72b4109f9a1eae9b659dc5a30cc

SHA256
15cf84ec756077265b9f9ccdb412a970919689886228e9928b8b61c9440f9c67

SHA512
69854d888a9bb8d3b9523debe952cf29186f604a22d50e261aeab778cd0687effd87bb640a2276f09b6ece4c980e1b2bd479fcd005af851886fb3e5c7e326966

Download Submit
/data/user/0/com.nuklis.artpainting/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit
/storage/emulated/0/Android/data/com.nuklis.artpainting/files/-1451633082

Filesize
75KB

MD5
65022f400beed4ca6d9477b5c77cdbf4

SHA1
9b991d7fcbf513dfffdf99a86327fd6c7a096dba

SHA256
846a4698d1b9c78debd575539795492f4a90660840b7e7391ae24c1a1398ba5b

SHA512
4037a5d7b6b23c5a458e29edb53134c68ba68950eeec51a5ecdcee9111f0403c8c1b56831717e3f84cd5104098b7ab04f8362365c0ab8077e80329c01dde05a9

Download Submit
/storage/emulated/0/Android/data/com.nuklis.artpainting/files/1463903199

Filesize
5KB

MD5
cf11925fbd5e7de3cc30bff793d2d362

SHA1
2f10f00a4914ecb9ef31842f4a22041948570aab

SHA256
13afafb20e8cdc06b1b747665e024bce9fd3efdf9a5debb7a853b61ef4bf540a

SHA512
6737dbe5a2f5c72f7d4fab9c04dc52756b917303cd909aa20be9cdd268c8d08187f5a2b7eaebf8f6af1024617c15821d90fbef927bf980eb6acf7e62713a2f60

Download Submit
Anonymous-DexFile@0xe5575000-0xe557664c

Filesize
5KB

MD5
cf11925fbd5e7de3cc30bff793d2d362

SHA1
2f10f00a4914ecb9ef31842f4a22041948570aab

SHA256
13afafb20e8cdc06b1b747665e024bce9fd3efdf9a5debb7a853b61ef4bf540a

SHA512
6737dbe5a2f5c72f7d4fab9c04dc52756b917303cd909aa20be9cdd268c8d08187f5a2b7eaebf8f6af1024617c15821d90fbef927bf980eb6acf7e62713a2f60

Download Submit