osiris | b87cfba8a4f2329b0b372326a7f169f5896459a6bdae0ad8857b576129722204

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14-05-2024 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe
Size

538KB
MD5

41b93173a8b5583daaf090438fb05004
SHA1

a0db1a8f024e95fbc5c4c4930a4f6f905bbcab24
SHA256

b87cfba8a4f2329b0b372326a7f169f5896459a6bdae0ad8857b576129722204
SHA512

a770ed85694301daa0b8f9c46dbc25207411b888d6d1a358a816590f0c3bbfad05bd438545554e6c3ce391be6b640acbf69819f38aab0dd235caf2d17962be57
SSDEEP

12288:kNi7Ynlwt1fL+RcGNh25nxXLZmW2PjlyjkvGha:kNk+lwrEcEc5nRLZj2PjlyTa

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris

Executes dropped EXE 2 IoCs

pid	Process
17608	notepad.exe
17876	GetX64BTIT.exe

Loads dropped DLL 4 IoCs

pid	Process
2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe
2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe
2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe
17608	notepad.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	api.ipify.org
4	api.ipify.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe
2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe
17608	notepad.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
17608	notepad.exe

Suspicious use of WriteProcessMemory 52 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 2424 wrote to memory of 17608	2424	41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe	28
PID 17748 wrote to memory of 17788	17748	DllHost.exe	30
PID 17748 wrote to memory of 17788	17748	DllHost.exe	30
PID 17748 wrote to memory of 17788	17748	DllHost.exe	30
PID 17748 wrote to memory of 17788	17748	DllHost.exe	30
PID 17788 wrote to memory of 17816	17788	cmd.exe	32
PID 17788 wrote to memory of 17816	17788	cmd.exe	32
PID 17788 wrote to memory of 17816	17788	cmd.exe	32
PID 17788 wrote to memory of 17816	17788	cmd.exe	32
PID 17608 wrote to memory of 17876	17608	notepad.exe	33
PID 17608 wrote to memory of 17876	17608	notepad.exe	33
PID 17608 wrote to memory of 17876	17608	notepad.exe	33
PID 17608 wrote to memory of 17876	17608	notepad.exe	33

C:\Users\Admin\AppData\Local\Temp\41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\41b93173a8b5583daaf090438fb05004_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Users\Admin\AppData\Local\Temp\notepad.exe
  "C:\Users\Admin\AppData\Local\Temp\notepad.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:17608
- - C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
    "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
    3⤵
    - Executes dropped EXE
    PID:17876

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
- Suspicious use of WriteProcessMemory
PID:17748
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache" /t REG_DWORD /d 0"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:17788
- - C:\Windows\SysWOW64\reg.exe
    reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /v "C:\Users\Admin\AppData\Roaming\Adobe\Flash Player\NativeCache" /t REG_DWORD /d 0
    3⤵
    PID:17816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

Filesize
28B

MD5
56b269fe2de1881b840e7b4d5a3731c1

SHA1
83a375b5674c4717f2b1456029d4126c1b3a79d0

SHA256
e9592a5df9659f5d5e45ba2f6790a7d3f3b74aaaf62e0e4798eaa8a8f7f56942

SHA512
9c6a865620fceceea086c9faf13bf12b8dbc4defc2aebd0123486dcaf46a63d068c6133379df1dadb04347cb43f51fa47bc3e286d2987798b05219e2f2fe8ddf

Download Submit
C:\Windows\win.ini

Filesize
517B

MD5
893cae59ab5945a94a7da007d47a1255

SHA1
d4cfd81c6647ca64022bd307c08a7fb4bbbd4c06

SHA256
edfa0f2d3bea9f737e0315971c6f81d3d8e7d460b60a19351ada0316a093c938

SHA512
d66e454781f54f45df814ad32d687b0f100578c2a4ffca62de81add04281fb881a550702bd2d058933d3736d14e88624af268a86ce24b0c3935242b206ffdcc9

Download Submit
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
\Users\Admin\AppData\Local\Temp\notepad.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\nsy24B2.tmp\System.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
\Users\Admin\AppData\Local\Temp\planula.dll

Filesize
72KB

MD5
6abeff0d3c52cf017e36e941f035c3e9

SHA1
ba0f193dd98a5502c29c4f5671ed066e2a3ae38c

SHA256
da93766a660b71b43492920bdb0478359fe86a17a3f51a0329cf6ac77e0852b2

SHA512
8b256cc4787c7aee904e36c3772916a5d06c5bde96e9bda3897ca1e7e7e1099d5e46e0d921bed64a1633a91508301ee8568211f02d7dac5dde9f84a57a5ac0a7

Download Submit
memory/2424-33-0x0000000001DD0000-0x0000000001DD2000-memory.dmp

Filesize
8KB

Download
memory/2424-35-0x00000000029A0000-0x00000000029B1000-memory.dmp

Filesize
68KB

Download
memory/2424-41-0x0000000001DE0000-0x0000000001DE1000-memory.dmp

Filesize
4KB

Download
memory/2424-10043-0x00000000029C0000-0x00000000029E0000-memory.dmp

Filesize
128KB

Download
memory/17608-10056-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/17608-10069-0x00000000003E0000-0x00000000003FE000-memory.dmp

Filesize
120KB

Download
memory/17608-10054-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/17608-10057-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/17608-10051-0x0000000000100000-0x0000000000106000-memory.dmp

Filesize
24KB

Download
memory/17608-10055-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/17608-10058-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/17608-10059-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/17608-10049-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/17608-10053-0x00000000000F0000-0x00000000000F3000-memory.dmp

Filesize
12KB

Download
memory/17608-10067-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/17608-10071-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/17608-10070-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/17608-10050-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/17608-10073-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/17608-10072-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/17608-10074-0x0000000000100000-0x0000000000106000-memory.dmp

Filesize
24KB

Download
memory/17608-10076-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/17608-10079-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download