osiris | c01e5aaf7540b2117aabcbce7d07c18b89c1d86ff5e0e34d5422f3cd35a738a2

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 09:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
Size

606KB
MD5

f0badb4014d0e5a24ffbf4fcf269eb88
SHA1

e5f1633464f46d4d0aebb9e222d5883a4ceff3cf
SHA256

c01e5aaf7540b2117aabcbce7d07c18b89c1d86ff5e0e34d5422f3cd35a738a2
SHA512

af6c06dfbfd402cf1f5d475bf2a84c0ac4a1f1df60b56e95a533d77e770bfc6fa05bf80fd32d71f48c4afb99c05bb621a69e801be04eb7da86f483c65a8bf1b8
SSDEEP

12288:2OXXLhhs2XAFjgYZaOEOAHhly6T6ebnpSXVnf0U0SJvoqnuUD:ryTAVTVpu30SJvo+uU

Score

10^/10

osiris banker botnet persistence

Malware Config

Signatures

Osiris
banker botnet osiris

Executes dropped EXE 1 IoCs

pid	Process
2892	GetX64BTIT.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\{657BA90E-2DED-4410-B9B3-A59AB1F6F4BB}\\6815cdb9.exe"	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	api.ipify.org
9	api.ipify.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3516 wrote to memory of 2892	3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe	90
PID 3516 wrote to memory of 2892	3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe	90
PID 3516 wrote to memory of 2456	3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe	77
PID 3516 wrote to memory of 3988	3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe	78
PID 3516 wrote to memory of 2448	3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe	79
PID 3516 wrote to memory of 2120	3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe	80
PID 3516 wrote to memory of 2824	3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe	81
PID 3516 wrote to memory of 3568	3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe	83
PID 3516 wrote to memory of 4912	3516	f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe	84
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99
PID 2456 wrote to memory of 4332	2456	msedge.exe	99

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x258,0x7ffe66152e98,0x7ffe66152ea4,0x7ffe66152eb0
  2⤵
  PID:3988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2272 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:2
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2312 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2588 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5308 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5572 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3948 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:4332

C:\Users\Admin\AppData\Local\Temp\f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f0badb4014d0e5a24ffbf4fcf269eb88_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3516
- C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
  "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
  2⤵
  - Executes dropped EXE
  PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt

Filesize
28B

MD5
235ed756c5323da2090ec4a5246f31ba

SHA1
ce96c2d9e7d8d0f4c2d13220c320e718d82985c1

SHA256
d1d100a089cfe26d8f0dc06f0bbb91d2207cd1f5cb79659dd17a05a09ecdc66e

SHA512
f1ff71deea9dad8a66fafadd76690bbcfc77329ca87fc5f54fe84cb26cc14dceebaadec47762829f71b637523841ec787182997292035bffa737e0969f29b335

Download Submit
memory/3516-0-0x0000000005840000-0x000000000585D000-memory.dmp

Filesize
116KB

Download
memory/3516-8-0x0000000005840000-0x000000000585D000-memory.dmp

Filesize
116KB

Download