Overview

overview

10

Static

static

3

5249cba6e9...18.exe

windows7-x64

10

5249cba6e9...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31/03/2024, 08:58 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5249cba6e9ad2cc38bb1dd7fa259e854_JaffaCakes118.exe

  • Size

    418KB

  • MD5

    5249cba6e9ad2cc38bb1dd7fa259e854

  • SHA1

    518e393a330d5edbb88c4d059df35ecfb634ccb7

  • SHA256

    608e74643884b5e54701cf0e7a15dbf18ff2a86676f94b118ff1dafa3b4e03dd

  • SHA512

    cf1b31bd9cb9358de9b3acbe03222ff90fd0f9ecaca6c4a7bea3f5b97ceae5f60ab06833d6f7dca2fd69798260d9a328145c08aa4189f2fbac5db041b1b9aa16

  • SSDEEP

    6144:Yz3ogwdGRIHLeJs3dfn2Vjcn/Vgth59QFCMSiBtX3Y42Tv25aoZ1Y:YroNdpCJEf2VIn/Vs3SCgrYFkNS

Score
10/10
oskiinfostealerspywarestealer

Malware Config

Extracted

Family

oski

C2

samkoproducts.xyz

Signatures

  • Oski

    Oski is an infostealer targeting browser data, crypto wallets.

    infostealeroski
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5249cba6e9ad2cc38bb1dd7fa259e854_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5249cba6e9ad2cc38bb1dd7fa259e854_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:648
    • C:\Users\Admin\AppData\Local\Temp\5249cba6e9ad2cc38bb1dd7fa259e854_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\5249cba6e9ad2cc38bb1dd7fa259e854_JaffaCakes118.exe"
      2⤵
        PID:2472
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2472 -s 1312
          3⤵
          • Program crash
          PID:2904
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2472 -ip 2472
      1⤵
        PID:4532

      Network

      • flag-us
        DNS
        58.55.71.13.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        58.55.71.13.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        0.205.248.87.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        0.205.248.87.in-addr.arpa
        IN PTR
        Response
        0.205.248.87.in-addr.arpa
        IN PTR
        https-87-248-205-0lgwllnwnet
      • flag-us
        DNS
        178.223.142.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        178.223.142.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        133.32.126.40.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        133.32.126.40.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        149.220.183.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        149.220.183.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        104.219.191.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        104.219.191.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        183.59.114.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        183.59.114.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        171.39.242.20.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        171.39.242.20.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        samkoproducts.xyz
        5249cba6e9ad2cc38bb1dd7fa259e854_JaffaCakes118.exe
        Remote address:
        8.8.8.8:53
        Request
        samkoproducts.xyz
        IN A
        Response
      • flag-us
        DNS
        217.135.221.88.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        217.135.221.88.in-addr.arpa
        IN PTR
        Response
        217.135.221.88.in-addr.arpa
        IN PTR
        a88-221-135-217deploystaticakamaitechnologiescom
      • flag-us
        DNS
        14.227.111.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        14.227.111.52.in-addr.arpa
        IN PTR
        Response
      • flag-us
        DNS
        209.143.182.52.in-addr.arpa
        Remote address:
        8.8.8.8:53
        Request
        209.143.182.52.in-addr.arpa
        IN PTR
        Response
      No results found
      • 8.8.8.8:53
        58.55.71.13.in-addr.arpa
        dns
        70 B
         144 B
         1
        1

        DNS Request

        58.55.71.13.in-addr.arpa

      • 8.8.8.8:53
        0.205.248.87.in-addr.arpa
        dns
        71 B
         116 B
         1
        1

        DNS Request

        0.205.248.87.in-addr.arpa

      • 8.8.8.8:53
        178.223.142.52.in-addr.arpa
        dns
        73 B
         147 B
         1
        1

        DNS Request

        178.223.142.52.in-addr.arpa

      • 8.8.8.8:53
        133.32.126.40.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        133.32.126.40.in-addr.arpa

      • 8.8.8.8:53
        149.220.183.52.in-addr.arpa
        dns
        73 B
         147 B
         1
        1

        DNS Request

        149.220.183.52.in-addr.arpa

      • 8.8.8.8:53
        104.219.191.52.in-addr.arpa
        dns
        73 B
         147 B
         1
        1

        DNS Request

        104.219.191.52.in-addr.arpa

      • 8.8.8.8:53
        183.59.114.20.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        183.59.114.20.in-addr.arpa

      • 8.8.8.8:53
        171.39.242.20.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        171.39.242.20.in-addr.arpa

      • 8.8.8.8:53
        samkoproducts.xyz
        dns
        5249cba6e9ad2cc38bb1dd7fa259e854_JaffaCakes118.exe
        63 B
         128 B
         1
        1

        DNS Request

        samkoproducts.xyz

      • 8.8.8.8:53
        217.135.221.88.in-addr.arpa
        dns
        73 B
         139 B
         1
        1

        DNS Request

        217.135.221.88.in-addr.arpa

      • 8.8.8.8:53
        14.227.111.52.in-addr.arpa
        dns
        72 B
         158 B
         1
        1

        DNS Request

        14.227.111.52.in-addr.arpa

      • 8.8.8.8:53
        209.143.182.52.in-addr.arpa
        dns
        73 B
         147 B
         1
        1

        DNS Request

        209.143.182.52.in-addr.arpa

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/648-8-0x0000000074970000-0x0000000075120000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/648-9-0x0000000005740000-0x0000000005750000-memory.dmp

        Filesize

        64KB

        Download

      • memory/648-2-0x0000000005A80000-0x0000000006024000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/648-3-0x0000000005570000-0x0000000005602000-memory.dmp

        Filesize

        584KB

        Download

      • memory/648-4-0x0000000005740000-0x0000000005750000-memory.dmp

        Filesize

        64KB

        Download

      • memory/648-5-0x0000000005720000-0x000000000572A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/648-6-0x0000000006D40000-0x0000000006DDC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/648-7-0x00000000059D0000-0x00000000059DE000-memory.dmp

        Filesize

        56KB

        Download

      • memory/648-1-0x0000000074970000-0x0000000075120000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/648-10-0x0000000006CA0000-0x0000000006CFC000-memory.dmp

        Filesize

        368KB

        Download

      • memory/648-0-0x0000000000B60000-0x0000000000BCE000-memory.dmp

        Filesize

        440KB

        Download

      • memory/648-16-0x0000000074970000-0x0000000075120000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2472-14-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/2472-13-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/2472-15-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/2472-11-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      • memory/2472-19-0x0000000000400000-0x0000000000438000-memory.dmp

        Filesize

        224KB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.