oski | 9d4388563479b260352b5a5e00b5468315c27febd66b4428407f64126372306f

General

Target

cdfbd789618943e68323a61e3f36c905_JaffaCakes118.ps1
Size

363KB
MD5

cdfbd789618943e68323a61e3f36c905
SHA1

8df62d6b66925f9c091ef285e7db70703922e317
SHA256

9d4388563479b260352b5a5e00b5468315c27febd66b4428407f64126372306f
SHA512

a446c80e832c34a2c1b92af649362cccae1f558ecca8f8229c8b3738ed5c2c63c82cf5d1fde3f355231e3832fc4a9c76b006092e20182354265a9d8dc0583c5f
SSDEEP

1536:EUsNE7WNSVZF13AH5YAQIDDPK44rVL/GglenfNqYoKLE3nWNjwNxRpy1F5J7khmP:N9G

Score

10^/10

oski infostealer

Malware Config

Extracted

Family

oski

C2

103.125.190.248/i1/

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description	pid	Process	procid_target
PID 5080 set thread context of 1244	5080	powershell.exe	92

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1440	1244	WerFault.exe	92

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid	Process
5080	powershell.exe
5080	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	5080	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

powershell.execsc.exe

description	pid	Process	procid_target
PID 5080 wrote to memory of 2756	5080	powershell.exe	89
PID 5080 wrote to memory of 2756	5080	powershell.exe	89
PID 2756 wrote to memory of 1936	2756	csc.exe	90
PID 2756 wrote to memory of 1936	2756	csc.exe	90
PID 5080 wrote to memory of 1244	5080	powershell.exe	92
PID 5080 wrote to memory of 1244	5080	powershell.exe	92
PID 5080 wrote to memory of 1244	5080	powershell.exe	92
PID 5080 wrote to memory of 1244	5080	powershell.exe	92
PID 5080 wrote to memory of 1244	5080	powershell.exe	92
PID 5080 wrote to memory of 1244	5080	powershell.exe	92
PID 5080 wrote to memory of 1244	5080	powershell.exe	92
PID 5080 wrote to memory of 1244	5080	powershell.exe	92
PID 5080 wrote to memory of 1244	5080	powershell.exe	92

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\cdfbd789618943e68323a61e3f36c905_JaffaCakes118.ps1
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k2pkfhit\k2pkfhit.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES511D.tmp" "c:\Users\Admin\AppData\Local\Temp\k2pkfhit\CSCC3DA2EE88D7F48BC83668AAA59823681.TMP"
    3⤵
    PID:1936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1244
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1244 -s 544
    3⤵
    - Program crash
    PID:1440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1244 -ip 1244
1⤵
PID:1952

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES511D.tmp

Filesize
1KB

MD5
6645aa4009527459ea0ac6193f231da5

SHA1
06fe50ecccdc154b880e225ecddede069780fdb7

SHA256
a01011ea71357895b0a25493fbf32bd9d7484332d794ce5c08f72ab3690ed197

SHA512
345e2ee534a003147768dd9b818a0ee8aafc2c7235f0fa4c2b68fb0e505485b928b59c6235adcb1127210c4d8d45006d0b0e66f3ba371473021a7b7437dcd59b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1ungi1dq.ltz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2pkfhit\k2pkfhit.dll

Filesize
13KB

MD5
a7931cf365de85696b365b1205bc446a

SHA1
416b31afcdc14282795b02efc2b1a3550bc09ca6

SHA256
14a5a5783b22141bbcff84ebf5dbd3f7bf97592edf63e51255f628e21d2eacab

SHA512
4f6885f24450c383d6e49d67bbf1382302d5a95e39963cf8fd64cac0da5d9ab61e4c054a747b1f4e70fd01e7e5d54dc46e343a8ef1f85e977c79fb02a325131b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k2pkfhit\CSCC3DA2EE88D7F48BC83668AAA59823681.TMP

Filesize
652B

MD5
58b668dd6bd68ce95d76f1740da1f54c

SHA1
1a497bf25d04814e370b5bd6301c7cd09aa3d1f6

SHA256
afe443a3a77ce7bdb3a79db921ca0a5aba743beead935fbeac23ed4bed93d27e

SHA512
817bde7f302945840d287a96e1d4d578b37d48e75e2069d399b5cb32eeab1a8e5bffc5523bc63820bf42580942f2067a6d0d06e4f94fc158b097d990b5075ded

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k2pkfhit\k2pkfhit.0.cs

Filesize
13KB

MD5
e03b1e7ba7f1a53a7e10c0fd9049f437

SHA1
3bb851a42717eeb588eb7deadfcd04c571c15f41

SHA256
3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

SHA512
a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\k2pkfhit\k2pkfhit.cmdline

Filesize
327B

MD5
3eab4e88214b9767eeb46689ca0b4548

SHA1
39785f083ba69409927080c2f787262d9a967fea

SHA256
c71c97dcfc0235f6b7e1adf3bb4d3ec48f9b31fb751ba9aea9db12b35063a9db

SHA512
bdb37893bda2b594db7aaba2c1ba416877b004f9af7d6c8a297e22eeeead176fbff0219a62fa51dfb1b30920b90391fd8755fc02a1940a133a9acc3015a14035

Download Submit
memory/1244-28-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1244-32-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1244-33-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1244-35-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5080-13-0x0000019EC7340000-0x0000019EC73B6000-memory.dmp

Filesize
472KB

Download
memory/5080-12-0x0000019EC6F30000-0x0000019EC6F40000-memory.dmp

Filesize
64KB

Download
memory/5080-11-0x0000019EC6F30000-0x0000019EC6F40000-memory.dmp

Filesize
64KB

Download
memory/5080-10-0x00007FF9EF1E0000-0x00007FF9EFCA1000-memory.dmp

Filesize
10.8MB

Download
memory/5080-26-0x0000019EAE7F0000-0x0000019EAE7FA000-memory.dmp

Filesize
40KB

Download
memory/5080-0-0x0000019EC6DE0000-0x0000019EC6E02000-memory.dmp

Filesize
136KB

Download
memory/5080-31-0x00007FF9EF1E0000-0x00007FF9EFCA1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads