oski | d94c8028fa7fd7062dc2cd8c78b458d68bc7c8e8e260afc827bef217aeeac693

General

Target

e4086615e3011d916a50689cef433c77_JaffaCakes118.exe
Size

5.4MB
MD5

e4086615e3011d916a50689cef433c77
SHA1

24c38d07046c2781f01d98ae3d7b1d9a80ea69e0
SHA256

d94c8028fa7fd7062dc2cd8c78b458d68bc7c8e8e260afc827bef217aeeac693
SHA512

06ed1a259f5d6f668508399e61a4465eabd642f966ea0903746ac6b4981f5df7bdaef2de231d1b50f5d271b357435aed21b81b66ed2fca78e219ea72d8db7966
SSDEEP

98304:3EAKCzqdfS72BW2WLASB3MgsESIXaM3dm8j6o8DQDvALRmn6BKVq:0LNS7tASVMgdR3sWx5LALonQK4

Score

10^/10

oski stormkitty infostealer spyware stealer

Malware Config

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 3 IoCs

resource	yara_rule
behavioral2/files/0x000f000000023152-6.dat	family_stormkitty
behavioral2/memory/4772-22-0x00000000003C0000-0x0000000000410000-memory.dmp	family_stormkitty
behavioral2/memory/4772-28-0x0000000000CD0000-0x0000000000D44000-memory.dmp	family_stormkitty

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	e4086615e3011d916a50689cef433c77_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
4772	Microsoft Update.exe
4904	Cliper.exe
3928	MACGen.v1.7.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
20	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2452	4904	WerFault.exe	86

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
4772	Microsoft Update.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4772	Microsoft Update.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3928	MACGen.v1.7.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1384 wrote to memory of 4772	1384	e4086615e3011d916a50689cef433c77_JaffaCakes118.exe	85
PID 1384 wrote to memory of 4772	1384	e4086615e3011d916a50689cef433c77_JaffaCakes118.exe	85
PID 1384 wrote to memory of 4904	1384	e4086615e3011d916a50689cef433c77_JaffaCakes118.exe	86
PID 1384 wrote to memory of 4904	1384	e4086615e3011d916a50689cef433c77_JaffaCakes118.exe	86
PID 1384 wrote to memory of 4904	1384	e4086615e3011d916a50689cef433c77_JaffaCakes118.exe	86
PID 1384 wrote to memory of 3928	1384	e4086615e3011d916a50689cef433c77_JaffaCakes118.exe	87
PID 1384 wrote to memory of 3928	1384	e4086615e3011d916a50689cef433c77_JaffaCakes118.exe	87
PID 1384 wrote to memory of 3928	1384	e4086615e3011d916a50689cef433c77_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\e4086615e3011d916a50689cef433c77_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e4086615e3011d916a50689cef433c77_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4772
- C:\Users\Admin\AppData\Local\Temp\Cliper.exe
  "C:\Users\Admin\AppData\Local\Temp\Cliper.exe"
  2⤵
  - Executes dropped EXE
  PID:4904
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4904 -s 1364
    3⤵
    - Program crash
    PID:2452
- C:\Users\Admin\AppData\Local\Temp\MACGen.v1.7.exe
  "C:\Users\Admin\AppData\Local\Temp\MACGen.v1.7.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4904 -ip 4904
1⤵
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\sqlite3.dll

Filesize
107B

MD5
2f802469be5b799c42b304ebcb375613

SHA1
4208ce7180eb8fe0f4587cb39292b96099f6c45d

SHA256
7fcd4aff440def92db5231ce4ef9611acffd75cb8518f15a92b8bbf87591576f

SHA512
742dee675cbb7e6c72e120878ad21366c6bc57d47da7f66a39f9d9911a1a4e310a2bac65d26e63fd1a0cb57fa22397f6f2c9042a7d8fb90e9a47c89306777268

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cliper.exe

Filesize
200KB

MD5
94835b6d4af91fc977e840d64adaa485

SHA1
77635f373780022f21f74ade8ee80d0e652248ed

SHA256
9e2455642e046af82e21bdc6bc8659a5acc10796e383dcd7064227b0e8c6675b

SHA512
c1ff6e810d1f3476e635a206ef7b9e762230e29a0608cb961df6931d415315e1661277f2cebb2bdd15ef8291c5adae7311f97f0690aefea8fc4a3af1665d779a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MACGen.v1.7.exe

Filesize
16.0MB

MD5
b9811425b010c92811573d4a1b94e90f

SHA1
a10a1b1b7d762fcc28b1ca16a09684305b0e8666

SHA256
8fb5143ef3cb8d3e8a83a42c90a74d68d7b9c4d56cfd2caa93f8bd575e7c04a7

SHA512
8c0d4cdad37f82c6fdad3aaee35fa4048e6f3a1f94d81fd8f40800173e3dc893c3f93b29de4d55923b5ff6d1d31c19b10ac58b017c5f34501f44f4598494fb08

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe

Filesize
310KB

MD5
56b988f42827cff418d61f5738beb321

SHA1
d1440332895941edfa037d425eff00c109cfc15a

SHA256
43f322f83191d6990afee7dc4b5528e217e162b434afe06478f191d76b64d939

SHA512
2792bd3e0a1750fce7f33a06f78bb23df20ab6c841b5228d0cd3709afe578fc0af0596e9e9d7ec958a3a3b103df014b7db8fd7fe323e993e32971b3460af1506

Download Submit
memory/3928-34-0x0000000001650000-0x0000000001651000-memory.dmp

Filesize
4KB

Download
memory/3928-48-0x0000000000400000-0x0000000001415000-memory.dmp

Filesize
16.1MB

Download
memory/3928-56-0x0000000001650000-0x0000000001651000-memory.dmp

Filesize
4KB

Download
memory/4772-29-0x00007FFA64800000-0x00007FFA652C1000-memory.dmp

Filesize
10.8MB

Download
memory/4772-28-0x0000000000CD0000-0x0000000000D44000-memory.dmp

Filesize
464KB

Download
memory/4772-30-0x0000000000D40000-0x0000000000D46000-memory.dmp

Filesize
24KB

Download
memory/4772-33-0x000000001BF60000-0x000000001BF70000-memory.dmp

Filesize
64KB

Download
memory/4772-22-0x00000000003C0000-0x0000000000410000-memory.dmp

Filesize
320KB

Download
memory/4772-52-0x00007FFA64800000-0x00007FFA652C1000-memory.dmp

Filesize
10.8MB

Download
memory/4772-55-0x000000001BF60000-0x000000001BF70000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing