joker | 724e412f02185c8721fea47187d07cfeac03a42b2e1d776f8fc7eccb5143289f

Analysis

max time kernel
2275596s
max time network
134s
platform
android_x86
resource
android-x86-arm-20231215-en
resource tags

androidarch:armarch:x86image:android-x86-arm-20231215-enlocale:en-usos:android-9-x86system
submitted
20-12-2023 00:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

724e412f02185c8721fea47187d07cfeac03a42b2e1d776f8fc7eccb5143289f.apk
Size

6.4MB
MD5

1325ddc84a95033801f4043f260c8313
SHA1

9a63bec8f4602933b284729563249afb90eb0391
SHA256

724e412f02185c8721fea47187d07cfeac03a42b2e1d776f8fc7eccb5143289f
SHA512

a0aa271960cd3ad23eb7cc5fdd27d02b45f78ee2a7b58fa8380b3cb846c8c521b49c3852dc31e42d009b1ae35f8a186ed2e85cac2825527ff9fc7d9634b7aef9
SSDEEP

98304:0fArAqo/RtzwUsYSuBmy0d7DGZgoRimxf4jxH29LHZ4zLEcmuaHbTdDXy:0fAr1/uB7kaZHRdf4jY9L54zAcmJbTZy

Score

10^/10

joker evasion infostealer trojan

Malware Config

Extracted

Family

joker

https://homeward.oss-me-east-1.aliyuncs.com/nameplate

https://xjuys.oss-accelerate.aliyuncs.com/xjuys

http://139.177.180.78/hell

https://beside.oss-eu-west-1.aliyuncs.com/af2

https://xjuys.oss-accelerate.aliyuncs.com/fbhx

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Checks Android system properties for emulator presence. 1 IoCs

description	ioc	Process
Accessed system property	key: ro.product.model	com.pdfview.reader.pdfscann

Loads dropped Dex/Jar 6 IoCs

Runs executable file dropped to the device during analysis.

ioc	pid	Process
/data/user/0/com.pdfview.reader.pdfscann/files/audience_network.dex	4250	com.pdfview.reader.pdfscann
/data/user/0/com.pdfview.reader.pdfscann/files/audience_network.dex	4297	/system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.pdfview.reader.pdfscann/files/audience_network.dex --output-vdex-fd=66 --oat-fd=67 --oat-location=/data/user/0/com.pdfview.reader.pdfscann/files/oat/x86/audience_network.odex --compiler-filter=quicken --class-loader-context=&
/data/user/0/com.pdfview.reader.pdfscann/files/audience_network.dex	4250	com.pdfview.reader.pdfscann
/data/user/0/com.pdfview.reader.pdfscann/files/saudys	4250	com.pdfview.reader.pdfscann
/data/user/0/com.pdfview.reader.pdfscann/files/journey	4250	com.pdfview.reader.pdfscann
/data/user/0/com.pdfview.reader.pdfscann/files/Yang	4250	com.pdfview.reader.pdfscann

Listens for changes in the sensor environment (might be used to detect emulation) 1 IoCs

evasion

description	ioc	Process
Framework API call	android.hardware.SensorManager.registerListener	com.pdfview.reader.pdfscann

com.pdfview.reader.pdfscann
1⤵
- Checks Android system properties for emulator presence.
- Loads dropped Dex/Jar
- Listens for changes in the sensor environment (might be used to detect emulation)
PID:4250
- /system/bin/dex2oat --instruction-set=x86 --instruction-set-features=ssse3,-sse4.1,-sse4.2,-avx,-avx2,-popcnt --runtime-arg -Xhidden-api-checks --runtime-arg -Xrelocate --boot-image=/system/framework/boot.art --runtime-arg -Xms64m --runtime-arg -Xmx512m --instruction-set-variant=x86 --instruction-set-features=default --inline-max-code-units=0 --compact-dex-level=none --dex-file=/data/user/0/com.pdfview.reader.pdfscann/files/audience_network.dex --output-vdex-fd=66 --oat-fd=67 --oat-location=/data/user/0/com.pdfview.reader.pdfscann/files/oat/x86/audience_network.odex --compiler-filter=quicken --class-loader-context=&
  2⤵
  - Loads dropped Dex/Jar
  PID:4297

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

/data/data/com.pdfview.reader.pdfscann/files/Yang

Filesize
25KB

MD5
31217fab7722f55e60245ac48a48560a

SHA1
a8f33b9cfbb3858eefa45eb9ec23edacaf83b972

SHA256
78bf941588cddb91fa62f11410c616c572508b341f505c704712faee0501a042

SHA512
7d5be7c756f70dbf085b3332ae59f01ffdf3697bbe83de702231a920ab9304ef0f1502cebf42c1264c31dfe26663c2e7e762b41061650f9812388af14cb4b2a5

Download Submit
/data/data/com.pdfview.reader.pdfscann/files/audience_network.dex

Filesize
129KB

MD5
028fd9a9e11e1767d27a693b2f0b373b

SHA1
eb78040f5a798cc012a9fc67708c6e81fd869c87

SHA256
875e6d291b1fd55ae10297efc2fa7a83014c33d0ca7b92c8add1868d1a33972d

SHA512
549839c5f732d9ecb23dbf8d54e21adcf1741b8eb790d822b1841da63cf8e99c8a12e7323a600a7f29e88d09b27723beee380efb6d2d92703cf28e1294b26a16

Download Submit
/data/data/com.pdfview.reader.pdfscann/files/journey

Filesize
6KB

MD5
9af052da1567a096350f9fc5d3629084

SHA1
2805050d51348f8584c0c5f95ea0aecb194632b0

SHA256
c83385b0370b18b75ced66aa0803b878deab447d97bf3d7dfd3f1ac9d88f4186

SHA512
31fb530718c7f0a79e6b19eaa9c5d6c19547ac8054f29231d5c963cc1c4b9d915a7c57a3a2caf30b33239817d066ccdd94bec857113b2a899773585e3cca3f39

Download Submit
/data/data/com.pdfview.reader.pdfscann/files/oat/audience_network.dex.cur.prof

Filesize
951B

MD5
83dab4dfc99da85e6435181444518dfc

SHA1
1179711d88fc4cd53cb3af83fdb9ec6c14e2b625

SHA256
842b5ce5e197c4282d2ae6d6f89af57acbf374b1cd60fbd340daba0dd23c2a36

SHA512
e29b8d5f25734642fe899d4b4e4d8dc70dd4333f434823149273aa04763b9fe6cc2d9a4bd75b842906d434b27e47da26272cc48de6bb5310af8004293e6809ed

Download Submit
/data/data/com.pdfview.reader.pdfscann/files/saudys

Filesize
3KB

MD5
43911fa1ce6a2a2ba7c45f36b6187faf

SHA1
4543ad7ed05726464af38d5f047ebaedcb0d5498

SHA256
b4e67aa7674c1a439ce27c2a706a7c8ab2a6c7a0fdbb752781acec0d5413d851

SHA512
d2ed6c04bc142672d2be8fe443e44990f5fa405e1a3b4496a9a3f09bee07fb2f40e0d70126965707d6934673f7ea9801c2a284482113b99c17127550aab96af3

Download Submit
/data/user/0/com.pdfview.reader.pdfscann/files/Yang

Filesize
59KB

MD5
6039552d12f80cadba4f5380d2a6956e

SHA1
f1d5e6526673b121b78f33dae74ce03e5c9ae75a

SHA256
64968aff752918e06ef849e623c6fc601cff69b28a5499891408a58f421b5e27

SHA512
55a7d9a0a421596ab16e66d0c490a224903954e7721bb28a43658f5e64695411021c0155a3ccbe11539ee24f02b0d1f72e1f42e1c7396a9f2ff9ed1da92c6d3c

Download Submit
/data/user/0/com.pdfview.reader.pdfscann/files/audience_network.dex

Filesize
3.2MB

MD5
692c6b1b89702297c59bd34c4bd1fa53

SHA1
f38cac946f03d7e869018acbdfe0ed272e11b106

SHA256
920e465a87a2409fc8d7186ea4e319c613c04d156bec75e8b91cb4d07b1deb75

SHA512
927048402fb314ef2624776b27317a6f996ea6b3d697d66b8b213d5be9559f24ae0dca8d2f8a9350d32310b8cab071933936640641d297ba522b3af60424df63

Download Submit
/data/user/0/com.pdfview.reader.pdfscann/files/audience_network.dex

Filesize
3.2MB

MD5
dbefc015f722b31d41e6ce0dec958f3f

SHA1
64b526a96766345c346f226935b612a2e203d1c2

SHA256
2c5a36ebc9ff0ff5bb2e1e53949f0ee6c08b368bfc0ec4bf9f6b8d9175cbd8b0

SHA512
94b410d1db8bbaac796078fd7e83933c3db6b38fdf26cf5ab1b5bee9d0612455a17d264f5fd0570181beb16d78b6d69be0b8a798c45ad4dfd99d4e1eb9ac9767

Download Submit
/data/user/0/com.pdfview.reader.pdfscann/files/journey

Filesize
9KB

MD5
c409d388c70ea8ad4fa9360865c761f9

SHA1
1def633ee910d31f50f9f415ae8768149c45dcee

SHA256
2f0fe95c8a02ac85f9383cf7ef5d9937ac93cdc75d75c1f79dd48638ae2eeb1f

SHA512
797d61aa6da7f15404fde84354b833253f9814113649f286162aa766753bf3ab5c678c5aa31805e7eebb6a457a5670e4c06e1ea0486636db464c71cb7c0a50ef

Download Submit
/data/user/0/com.pdfview.reader.pdfscann/files/saudys

Filesize
5KB

MD5
1aa1f9493f5a62883d5512df3ee1c32c

SHA1
d5f6599a22445575bb7b7e21958071d5c87cd170

SHA256
62188b7f0f9f71a33356bcd9019822d4f4f1b077fd715c1236b9ab27598ec376

SHA512
95ce0f1dc39c6309dd826abfe1f5f1f1aff374ce41ae50da12fe6f3d35da60babbc72da8bdb256dd7ab75830e0aeb4fe9e3b1a8ba42753d6f7e7a2e0b3428c12

Download Submit