oski | 890c9830635eb1674ed15a65790905fbe3ad80eb087ee7433e6da159ddc5cb00

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-04-2024 21:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a716d9eeea5b456cfdec69a1b34ccc96_JaffaCakes118.exe
Size

985KB
MD5

a716d9eeea5b456cfdec69a1b34ccc96
SHA1

e757774843c0305a05ee18159f180ae71511c45b
SHA256

890c9830635eb1674ed15a65790905fbe3ad80eb087ee7433e6da159ddc5cb00
SHA512

d5516c9b71a21db1867c7861ec472626de5969bf1293eea7a8964830401435cc0b73f9673e768b6652a8611a539331911aa3df6527c3a5daf61cf43ac25a1104
SSDEEP

24576:yQHyDJBjAObi4M2rIDTU4fmj6J/d28+buJqQlxTB8mv:yQSdBfbiyrIDovj6ldnkQlVB3

Score

10^/10

oski infostealer persistence spyware stealer

Malware Config

Extracted

Family

oski

45.87.2.131

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe

Executes dropped EXE 3 IoCs

pid	Process
4620	winlogon.com
2924	winlogon.com
4900	winlogon.com

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a716d9eeea5b456cfdec69a1b34ccc96_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2924 set thread context of 4900	2924	winlogon.com	103

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5008	4900	WerFault.exe	103
1688	4900	WerFault.exe	103

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
3076	PING.EXE
1856	PING.EXE

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4620	winlogon.com
4620	winlogon.com
4620	winlogon.com
2924	winlogon.com
2924	winlogon.com
2924	winlogon.com

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
4620	winlogon.com
4620	winlogon.com
4620	winlogon.com
2924	winlogon.com
2924	winlogon.com
2924	winlogon.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4036 wrote to memory of 1600	4036	a716d9eeea5b456cfdec69a1b34ccc96_JaffaCakes118.exe	85
PID 4036 wrote to memory of 1600	4036	a716d9eeea5b456cfdec69a1b34ccc96_JaffaCakes118.exe	85
PID 4036 wrote to memory of 1600	4036	a716d9eeea5b456cfdec69a1b34ccc96_JaffaCakes118.exe	85
PID 1600 wrote to memory of 2708	1600	cmd.exe	87
PID 1600 wrote to memory of 2708	1600	cmd.exe	87
PID 1600 wrote to memory of 2708	1600	cmd.exe	87
PID 2708 wrote to memory of 3076	2708	cmd.exe	89
PID 2708 wrote to memory of 3076	2708	cmd.exe	89
PID 2708 wrote to memory of 3076	2708	cmd.exe	89
PID 2708 wrote to memory of 1692	2708	cmd.exe	90
PID 2708 wrote to memory of 1692	2708	cmd.exe	90
PID 2708 wrote to memory of 1692	2708	cmd.exe	90
PID 2708 wrote to memory of 4620	2708	cmd.exe	93
PID 2708 wrote to memory of 4620	2708	cmd.exe	93
PID 2708 wrote to memory of 4620	2708	cmd.exe	93
PID 2708 wrote to memory of 1856	2708	cmd.exe	94
PID 2708 wrote to memory of 1856	2708	cmd.exe	94
PID 2708 wrote to memory of 1856	2708	cmd.exe	94
PID 4620 wrote to memory of 2924	4620	winlogon.com	95
PID 4620 wrote to memory of 2924	4620	winlogon.com	95
PID 4620 wrote to memory of 2924	4620	winlogon.com	95
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103
PID 2924 wrote to memory of 4900	2924	winlogon.com	103

C:\Users\Admin\AppData\Local\Temp\a716d9eeea5b456cfdec69a1b34ccc96_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a716d9eeea5b456cfdec69a1b34ccc96_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < URirtTcZTgDGUQbemk.com
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\SysWOW64\PING.EXE
      ping -n 1 EQcI.sDZ
      4⤵
      Runs ping.exe
      PID:3076
  - - C:\Windows\SysWOW64\certutil.exe
      certutil -decode wFhAqQFeTfPmKWtV.com H
      4⤵
      Manipulates Digital Signatures
      PID:1692
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.com
      winlogon.com H
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4620
    - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.com H
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2924
      - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.com
        
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.com
        6⤵
        Executes dropped EXE
        
        PID:4900
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1228
        7⤵
        Program crash
        
        PID:5008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 1260
        7⤵
        Program crash
        
        PID:1688
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1 -n 3
      4⤵
      Runs ping.exe
      PID:1856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4900 -ip 4900
1⤵
PID:4844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4900 -ip 4900
1⤵
PID:3764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\msvcp140.dll

Filesize
273B

MD5
ccfc8ab23a9953199a432861b4e0de7e

SHA1
04487a1cfaa670a40fdc0bf6b5fb076cbc7f8c87

SHA256
e020b09fdbe37971c011fa1f13ab24f20092c07baf331287666d333467bb03a0

SHA512
67cc519b9e519a0a30409e0511dd590a3074a2e45c1bf7e250114de5dcad545375c89242c51a838b52e04d0d934b9ba83c514a56389d5ff8055179b12f7f23d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\H

Filesize
493KB

MD5
9524d7b3a00ece4d4fa333165f539c9e

SHA1
ee1afa76cb6e29db17764b9984f0bc594102fd62

SHA256
251156300dc58346dafbe4547985647b1c624dde9dac7f303019ccad42c096c4

SHA512
32b5d434506725eaf7f7f7729097ddec529881e633ddecddc065611c303d4b92d3d027e71a4a887eb27df3b36e4519baba563b24303ba65ccfae1cb65fe364c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\URirtTcZTgDGUQbemk.com

Filesize
358B

MD5
849f5d7dea7512855df4aa0efa683d46

SHA1
cb8f34c8696a9905383649d39e6fb4470f2b3b15

SHA256
337c2d3990188ce1ac1e225b586270da3d49e9c12e9e6a78b4c693e0fa3bdc69

SHA512
1809c3f641fe34cca73a58e6da4dad458f24f3eb22188aa6f545fc310efeb0dd4811797ba8f2df43fa79b38d08331f5b7920ecec9126f855a48395371fff4ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ZOECwPkNX.com

Filesize
921KB

MD5
df6fbc5de331f39be67e2b343ff02083

SHA1
2791147f5aba7d5242d531f0444695b9fecb3c42

SHA256
ccefe3c453a32c04dd03e835879aceae0b96e7d25359dc05a8cfa7a880c21936

SHA512
35e1b55975104e9ddf24fc2842848f63c954f6e69bf8a4df370caaad43ff01f259fbd4e96e45bcbd2287192551afa3df5f9ad8726a3331d80a9c53fa558bf8a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\jtLmogvJ.com

Filesize
200KB

MD5
92d41846075c70c50db6181bd85ef622

SHA1
7ae2891bbc3d4c81eb3c214e0f0e6fa1071381fb

SHA256
3599a4a60536804cc36edd8acb49861799892870ed728eea898fda2eff14074f

SHA512
ab5d92242cffc2787a503cf708bd5a89dabc60f7a5c039b1b940e415d9ddb02f7987855cff5417777e1375160fa5ef524acf187995f0ca30b2d0c931c25483c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\wFhAqQFeTfPmKWtV.com

Filesize
678KB

MD5
956bdc5c52451334027c30a37df6623c

SHA1
b2cac7317ab6c52f72034d9d08bcc39d58ea08b6

SHA256
8554810aa4cd6aaf265bcb0f53a77bda66318d2d8654b1942f5b8e5ed8ae6e31

SHA512
8f519cd12517552ea04873b1dae65bb4a24d5ab2fab24dedf5e06c36837fb5931602091c046ac96fe55ce7424ecdf4288c2a516e1e1449c646fd39664aed9f5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.com

Filesize
921KB

MD5
78ba0653a340bac5ff152b21a83626cc

SHA1
b12da9cb5d024555405040e65ad89d16ae749502

SHA256
05d8cf394190f3a707abfb25fb44d7da9d5f533d7d2063b23c00cc11253c8be7

SHA512
efb75e4c1e0057ffb47613fd5aae8ce3912b1558a4b74dbf5284c942eac78ecd9aca98f7c1e0e96ec38e8177e58ffdf54f2eb0385e73eef39e8a2ce611237317

Download Submit
memory/2924-21-0x0000000001460000-0x0000000001461000-memory.dmp

Filesize
4KB

Download
memory/4900-22-0x0000000012CC0000-0x0000000012CF8000-memory.dmp

Filesize
224KB

Download
memory/4900-25-0x0000000012CC0000-0x0000000012CF8000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads