joker | 0f41adb9d470c2450c2987c1c6b3a2ddcf8bcc47fad7a54ee4ec064afd0b8a3e

Analysis

max time kernel
104101s
max time network
131s
platform
android_x86
resource
android-x86-arm-20220823-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20220823-enlocale:en-usos:android-9-x86system
submitted
12-12-2022 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Paint Art_1.3.apk
Size

4.1MB
MD5

36af3b813438470a0dc1c890360e3c6a
SHA1

c8cb5654e1bb031bc337d3501ffce2ad7fd0a437
SHA256

0f41adb9d470c2450c2987c1c6b3a2ddcf8bcc47fad7a54ee4ec064afd0b8a3e
SHA512

f0a0b9e05759f71dade7e81639f705462b81bb01d709d47a48691bb837536a959677ba5a82d7b8c9634d6d256f5d1da1d5a85c47f60f35b5219245a08c647a3d
SSDEEP

98304:PrSSze0+HVciXp0wxsPgdsuGnRCCO+8Lz31JqhVEgaCZtzT:TSSi0wciXp0w2JxRe+8H31ojFJX

Score

10^/10

joker evasion infostealer ransomware trojan

Malware Config

Extracted

Family

joker

http://thoroughly.oss-ap-southeast-5.aliyuncs.com/artpainting

Grant permission to use all features

https://cxjus.oss-ap-southeast-1.aliyuncs.com/af2

https://cxjus.oss-ap-southeast-1.aliyuncs.com/fbhx

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Loads dropped Dex/Jar 3 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
Anonymous-DexFile@0xdf602000-0xdf60364c	4096	com.nuklis.artpainting
/data/user/0/com.nuklis.artpainting/files/vitality	4096	com.nuklis.artpainting
/data/user/0/com.nuklis.artpainting/files/ionsxg	4096	com.nuklis.artpainting

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Reads information about phone network operator.

Removes a system notification. 1 IoCs

evasion

description	ioc	Process
Framework service call	android.app.INotificationManager.cancelNotificationWithTag	com.nuklis.artpainting

Uses Crypto APIs (Might try to encrypt user data). 1 IoCs

ransomware

description	ioc	Process
Framework API call	javax.crypto.Cipher.doFinal	com.nuklis.artpainting

com.nuklis.artpainting
1⤵
- Loads dropped Dex/Jar
- Removes a system notification.
- Uses Crypto APIs (Might try to encrypt user data).
PID:4096

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/data/user/0/com.nuklis.artpainting/app_webview/Cookies

Filesize
64KB

MD5
cb7543c4df600f2af58097cce0e334ba

SHA1
83cc92f38c27fdb4fa519b1ce2f37912f24af1f0

SHA256
64c022ae708f94ffde986e105d88f708884de325720bfb9925c4160a6d417233

SHA512
ad51cad0472327bd68aa2d791341cfafed58971752352537bb603ed18b15a3f9185e9150983a28ecd09606e8dcaef6d1c9d93213dd246ef7720f39842eb3d980

Download Submit
/data/user/0/com.nuklis.artpainting/app_webview/Cookies-journal

Filesize
1KB

MD5
2e9383a304aebe7e4ff32b4a3dc82640

SHA1
cd15a4dc867a45c3675c6b1e615aabe748f71fb5

SHA256
5b98a53d8fe0d441508a94b0520abde5977d54c964e1841c06c48e6ad3c74617

SHA512
9a0d1f6be07d22abb457bd6bb56f68bd21920f1b44bc9149adb325402a2675ca78b9bf8fbc25c5ac0f06f3eeafe2e730530d61d3813944463cd4a8833cb86cdb

Download Submit
/data/user/0/com.nuklis.artpainting/app_webview/Web Data

Filesize
104KB

MD5
dc79f9ce5f3ab5270b33e61119dfc959

SHA1
1844bf222a5144b513dcf2fb50a18c011701c647

SHA256
47e65f4de08deabfd52ecdb8b0a29c61c482188b92c36182e2112ca0a8f4ff65

SHA512
18b8894a7f35df516f423bbdebf1e05ce09eaf4345b139e59e603cadb81f8d1fa20f793438c28e8fd9a64e64f0684223d90ce6f10d3f93cb0c781049a8cff03e

Download Submit
/data/user/0/com.nuklis.artpainting/app_webview/Web Data-journal

Filesize
1KB

MD5
29b758a6db92762ef4f992414750dfb5

SHA1
d27f9937a5b648299a9ac515fa82e8b41f5e5e31

SHA256
ceb1d9665e3cd89cfd17297f02e16de5f1a08fd6be5b704339c1f2ac0bc7591f

SHA512
7b4f90bb19631c4b96a1f181ff07ef2bbdbc2de99eeecdf08e8b581e5c586696449b8149332813774b1621fa5eb40f474aa88882edac14836035952c0a14f4ef

Download Submit
/data/user/0/com.nuklis.artpainting/app_webview/metrics_guid

Filesize
36B

MD5
ed4a804b1970edf8c59054173f25922f

SHA1
102fd0ee871ee3f0b2f9673f3245e712c18de383

SHA256
0c6097bf055c74c75b36d680c3c74992ed7ec80c2687a2d48d87c04bf0a6743b

SHA512
e5a00d137eb2ea9c9521939c82b977c2f221c053fba777604a9cbdfa80b5e24f978c3c004e9df7df05c5e81a43cefb81cb0c732eb7945c2f933923147b89ea6c

Download Submit
/data/user/0/com.nuklis.artpainting/databases/PAINT_ART.DB

Filesize
32KB

MD5
c2dbe60d92a4c841ffc4c9f9b6131aec

SHA1
50483e82d68e37d054d3c7ccdf812afeb6626f25

SHA256
23f8db729e1b9a205e42e197a37b7255d62492e3642e00476ef77c135d57b3b8

SHA512
4f1a9efae44fb658075e5d4ad41642e118562405248c2f5416bdcbf0f9e5f497d08263402b67186dff6e43550e9e9ab61ccaadbbce28c242197f6e2f5d7544fa

Download Submit
/data/user/0/com.nuklis.artpainting/databases/PAINT_ART.DB-journal

Filesize
524B

MD5
604708b28af13327ed4656c70c399979

SHA1
9c017d69f3159d2cd142bf0a4a1a7928ebbb44ea

SHA256
3dd1e68eff53febd28107b991a55665e996a8ff88f40f8c767754b20f2faa8ad

SHA512
9ae3b801d1134e46e890d62cda5ef49173152f3eba60cdaab88746397f8151489b4623e1fd23f9ee9b09d2cdaa3879affc7bb02891673ab24379317a42fd1f3f

Download Submit
/data/user/0/com.nuklis.artpainting/databases/PAINT_ART.DB-shm

Filesize
8B

MD5
7dea362b3fac8e00956a4952a3d4f474

SHA1
05fe405753166f125559e7c9ac558654f107c7e9

SHA256
af5570f5a1810b7af78caf4bc70a660f0df51e42baf91d4de5b2328de0e83dfc

SHA512
1b7409ccf0d5a34d3a77eaabfa9fe27427655be9297127ee9522aa1bf4046d4f945983678169cb1a7348edcac47ef0d9e2c924130e5bcc5f0d94937852c42f1b

Download Submit
/data/user/0/com.nuklis.artpainting/databases/PAINT_ART.DB-shm

Filesize
8B

MD5
7dea362b3fac8e00956a4952a3d4f474

SHA1
05fe405753166f125559e7c9ac558654f107c7e9

SHA256
af5570f5a1810b7af78caf4bc70a660f0df51e42baf91d4de5b2328de0e83dfc

SHA512
1b7409ccf0d5a34d3a77eaabfa9fe27427655be9297127ee9522aa1bf4046d4f945983678169cb1a7348edcac47ef0d9e2c924130e5bcc5f0d94937852c42f1b

Download Submit
/data/user/0/com.nuklis.artpainting/databases/PAINT_ART.DB-shm

Filesize
8B

MD5
7dea362b3fac8e00956a4952a3d4f474

SHA1
05fe405753166f125559e7c9ac558654f107c7e9

SHA256
af5570f5a1810b7af78caf4bc70a660f0df51e42baf91d4de5b2328de0e83dfc

SHA512
1b7409ccf0d5a34d3a77eaabfa9fe27427655be9297127ee9522aa1bf4046d4f945983678169cb1a7348edcac47ef0d9e2c924130e5bcc5f0d94937852c42f1b

Download Submit
/data/user/0/com.nuklis.artpainting/databases/PAINT_ART.DB-wal

Filesize
40KB

MD5
8232af2cfb4e2a8d8471be3a5283c347

SHA1
765381b0ed7f120ca8f408602fef14ca6ac8464b

SHA256
9d9a62ea20b357f9bb85d3c56c034974149090dd8d2071570921dd3ce95e3e15

SHA512
e718f2d45b5747425c078ed6be37fbc88fce22b92cd7e8a6f609ae3a7e9100d1fc9f54c00bc7872b89f4ddb7ab30c8ba2efdae3b0a35458cd5f9840ef915ba20

Download Submit
/data/user/0/com.nuklis.artpainting/files/ionsxg

Filesize
22KB

MD5
0d4e0388ddad6dfab2e1d43c0c339ad0

SHA1
a097d295281c4796030ad3a8d6a24cefc8ac53b3

SHA256
409633ccb7463620e5f774ed0b466839f5aaa8f8005082af67bb7bbfbbf1a8b0

SHA512
381e7b5b19ff133c96550e860e66e5d61ee75bf73be268d7eeffdd5200b59e293ac979a07a303eb3d2e9b4f6b20acdb0335398f0b13c4c64a48b184c8e273d3a

Download Submit
/data/user/0/com.nuklis.artpainting/files/ionsxg

Filesize
46KB

MD5
25b621b14e9bdb8d3009a25ac15b2997

SHA1
fab787ef17d4b1fd8ba506ac433c90933685972b

SHA256
d1491805efe37e08dd402d82d7e03b74c27dd21b00963aaebf1eba373d803b56

SHA512
be560e695ca2b63672381b47738c5ce9963ca1b2ad3ad42c723e464d0f48ed6d67fb1b98197f597219e8272ba0c67a7d375ee05ef7d34f665dc4d3da58b69355

Download Submit
/data/user/0/com.nuklis.artpainting/files/temp/layer_1_1670846340151.png

Filesize
831B

MD5
aae4d28956b6b420bb7b24002b22b494

SHA1
b276ae47f151a3724340f0508176c35308812aec

SHA256
ee2355504e7096f63c4607e59a9081be9ab6ee55dbe4cda997e6ad128160df11

SHA512
ad222e81e4ecc53b1ba432237367316be04ec032902161fdf2f1c4659b16efdfccfb836a306006f124af2cd4d7de0eefa49c2f65534cda04e23e83f527957a65

Download Submit
/data/user/0/com.nuklis.artpainting/files/vitality

Filesize
9KB

MD5
3c30eb296bb5eadfda95ebaa84ad9b5a

SHA1
210affe08e642caad98f5b53c3e14ee52c34dcdc

SHA256
7046320162f6db8670145a648c08e3c94ddb7064cf4204f7531eaca627404e27

SHA512
120672861673362f1474af120001d1e2fb46c7db872e27706e1835fa584f49513d5c970b0618b0eaecd27869fd937267b030881c5e5a0e866db327e9d27f42cd

Download Submit
/data/user/0/com.nuklis.artpainting/files/vitality

Filesize
15KB

MD5
f2e4732bba985887330fac436cb3496c

SHA1
731562c0252a55ab141ec86335f502decf6a7d88

SHA256
d89523eb3b0c6e611b1e041792265e8f67b921d58032ee81afe262d8b99a07ca

SHA512
024ac60af79d633bac8d10ef2797e9cfa510602f58f9482920b9dc58c8a5f464d9509b4e5e587f39784fc440c903eaae05aaefe214832055cad889754d043b79

Download Submit
/data/user/0/com.nuklis.artpainting/no_backup/androidx.work.workdb

Filesize
4KB

MD5
f2b4b0190b9f384ca885f0c8c9b14700

SHA1
934ff2646757b5b6e7f20f6a0aa76c7f995d9361

SHA256
0a8ffb6b327963558716e87db8946016d143e39f895fa1b43e95ba7032ce2514

SHA512
ec12685fc0d60526eed4d38820aad95611f3e93ae372be5a57142d8e8a1ba17e6e5dfe381a4e1365dddc0b363c9c40daaffdc1245bd515fddac69bf1abacd7f1

Download Submit
/data/user/0/com.nuklis.artpainting/no_backup/androidx.work.workdb-journal

Filesize
524B

MD5
7018e3ffe7bfb6734b5a39dc68850d9f

SHA1
ed22dbd718a267d4ebc26a46ad6936a83bd33afc

SHA256
9860d31b016474f8634d2ca24086d228ba762f7e44693ece17e0c3a848cae1b6

SHA512
ae77f8a480bfcc4fd67397d8b92ab6b5dddea9021acaec564dcd705f77d1bef8f7064ca0ce7170094e1c53b067caee6efb87a8d6751d37cb98d95d259be2d540

Download Submit
/data/user/0/com.nuklis.artpainting/no_backup/androidx.work.workdb-shm

Filesize
8B

MD5
7dea362b3fac8e00956a4952a3d4f474

SHA1
05fe405753166f125559e7c9ac558654f107c7e9

SHA256
af5570f5a1810b7af78caf4bc70a660f0df51e42baf91d4de5b2328de0e83dfc

SHA512
1b7409ccf0d5a34d3a77eaabfa9fe27427655be9297127ee9522aa1bf4046d4f945983678169cb1a7348edcac47ef0d9e2c924130e5bcc5f0d94937852c42f1b

Download Submit
/data/user/0/com.nuklis.artpainting/no_backup/androidx.work.workdb-wal

Filesize
108KB

MD5
d7e969c0ff1ec136c197ad1de6f5a770

SHA1
a974dd2ed4a98e5e1d1e586307d9643517894caa

SHA256
579b431a4b35f20a02a82c80e16afb17b4d00c1522e7c19b817cf0643205409c

SHA512
5117a34e76b5259574bf6b41af61dc79d341cbbb4f77945e819ddef1c56a8972ae6f4e5f0b841388a9f096bc97c01ad7aa40fd2459a11273cde5b81d2f8d42f2

Download Submit
/data/user/0/com.nuklis.artpainting/shared_prefs/WebViewChromiumPrefs.xml

Filesize
127B

MD5
21223e9184445fe043476484cd8cb1f9

SHA1
2b4813f849121d60ba35eb0889080668bb62c778

SHA256
bb61b7c087c2ae2de93a7740ff75707342940557146366e92b840284cd9446af

SHA512
be21408de0cc643650e5d9ab9057a8f9de88e37fbdc6417cfeba160402ec4cd14fccbc82cbbfd941ecfc0bb3d4056ee61ac199efdc99d647d53e65818835fd48

Download Submit
/storage/emulated/0/Android/data/com.nuklis.artpainting/files/-1451633082

Filesize
75KB

MD5
1c7add55eb9b99a20d4d31dd5fb305a8

SHA1
8fcaf12dce716eeaa50d150735b810ea1ee627b8

SHA256
6a3f734a3ba7a07647793f48d8e8d6981e2caddab5aa2994f6f3dd3d091ae529

SHA512
dae293e87d3fe74384af8384bab57aff80e76e9cbdeeda0ee2d1dab3a2d3802da657f5d7b7548ec1b61818f3ff2adfcdb27a0626b7082c61cef5bf4a3e6bb9ae

Download Submit
/storage/emulated/0/Android/data/com.nuklis.artpainting/files/1463903199

Filesize
5KB

MD5
cf11925fbd5e7de3cc30bff793d2d362

SHA1
2f10f00a4914ecb9ef31842f4a22041948570aab

SHA256
13afafb20e8cdc06b1b747665e024bce9fd3efdf9a5debb7a853b61ef4bf540a

SHA512
6737dbe5a2f5c72f7d4fab9c04dc52756b917303cd909aa20be9cdd268c8d08187f5a2b7eaebf8f6af1024617c15821d90fbef927bf980eb6acf7e62713a2f60

Download Submit
Anonymous-DexFile@0xdf602000-0xdf60364c

Filesize
5KB

MD5
cf11925fbd5e7de3cc30bff793d2d362

SHA1
2f10f00a4914ecb9ef31842f4a22041948570aab

SHA256
13afafb20e8cdc06b1b747665e024bce9fd3efdf9a5debb7a853b61ef4bf540a

SHA512
6737dbe5a2f5c72f7d4fab9c04dc52756b917303cd909aa20be9cdd268c8d08187f5a2b7eaebf8f6af1024617c15821d90fbef927bf980eb6acf7e62713a2f60

Download Submit