osiris | 821f5310b1730641b6578ac9ce0173802db407192afdb30039f941df1ff8f1c2

Analysis

max time kernel
150s
max time network
135s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
18/05/2024, 07:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe
Size

1.5MB
MD5

53a9319f71e5c132dc2ec045908f627d
SHA1

a5a3904a9e99bb8a1d637a4d60163ebedcc85ffc
SHA256

821f5310b1730641b6578ac9ce0173802db407192afdb30039f941df1ff8f1c2
SHA512

8f26e1ac756f4c67db83228b7a9647b7edd3d9614a45829e1a413603758e5272dca861af616397be2b737085c694d88ad729dc7ab3f512c138f70d15ee36e30f
SSDEEP

24576:iUzD931mlZz47ls/tHwva9dJ5rUb7Yzx6ZxBUOX4bCN32fGcekEJcy4fnvNbtfdw:imDrmDbNQZFobAKhjZ9bXE

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris

Executes dropped EXE 2 IoCs

pid	Process
3024	cmd.exe
2308	GetX64BTIT.exe

Loads dropped DLL 2 IoCs

pid	Process
1796	ipconfig.exe
3024	cmd.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	api.ipify.org
20	api.ipify.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\svm.job	cmd.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1796	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe
1796	ipconfig.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe
3024	cmd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1796	ipconfig.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3024	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 3000 wrote to memory of 1796	3000	53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe	28
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32
PID 1796 wrote to memory of 3024	1796	ipconfig.exe	32

C:\Users\Admin\AppData\Local\Temp\53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\53a9319f71e5c132dc2ec045908f627d_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\system32\ipconfig.exe"
  2⤵
  - Loads dropped DLL
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Users\Admin\AppData\Local\Temp\cmd.exe
    "C:\Users\Admin\AppData\Local\Temp\cmd.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3024
  - - C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
      "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
      4⤵
      Executes dropped EXE
      PID:2308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt

Filesize
28B

MD5
deab6d3492dac457dd674c1a9347cec3

SHA1
a8de2997ed83d24adcd0eb90a4dc15d2ec1ab665

SHA256
770fde968152c799d75bd045ebfa94bf61500450dc3f7f556bdc3a1941f284b4

SHA512
a9174039d7c8404329933cf37f1d0dfab7bbc66f3d0fb370a5aa815fa25aa091c6958d73df4276b47a14ec4879da68b34d9aef88c49c0522dd9fe663a1d22f13

Download Submit
\Users\Admin\AppData\Local\Temp\cmd.exe

Filesize
295KB

MD5
ad7b9c14083b52bc532fba5948342b98

SHA1
ee8cbf12d87c4d388f09b4f69bed2e91682920b5

SHA256
17f746d82695fa9b35493b41859d39d786d32b23a9d2e00f4011dec7a02402ae

SHA512
e12aad20c824187b39edb3c7943709290b5ddbf1b4032988db46f2e86da3cf7e7783f78c82e4dc5da232f666b8f9799a260a1f8e2694eb4d0cdaf78da710fde1

Download Submit
memory/1796-38-0x00000000045C0000-0x0000000004642000-memory.dmp

Filesize
520KB

Download
memory/1796-2-0x00000000000D0000-0x00000000000D2000-memory.dmp

Filesize
8KB

Download
memory/1796-27-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/1796-28-0x00000000045C0000-0x0000000004642000-memory.dmp

Filesize
520KB

Download
memory/3000-1-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/3000-3-0x0000000000400000-0x0000000000592000-memory.dmp

Filesize
1.6MB

Download
memory/3000-23-0x00000000003F0000-0x00000000003F9000-memory.dmp

Filesize
36KB

Download
memory/3000-0-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/3024-44-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3024-56-0x00000000001F0000-0x000000000020F000-memory.dmp

Filesize
124KB

Download
memory/3024-42-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3024-37-0x0000000000090000-0x0000000000097000-memory.dmp

Filesize
28KB

Download
memory/3024-46-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3024-45-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3024-43-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3024-35-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3024-36-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3024-41-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3024-54-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/3024-59-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3024-58-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3024-60-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3024-61-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3024-63-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3024-65-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download