osiris | 0ab29a1c5c76e79998b45ddc32e3377d3f59bcd99a0f67f3e831ad02996c96b8

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
24-05-2024 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe
Size

568KB
MD5

6f76d0c1fb88337cb281b250e2c178fd
SHA1

c7b1e09633191070ee87a3d5bcd8e2ff3eb48151
SHA256

0ab29a1c5c76e79998b45ddc32e3377d3f59bcd99a0f67f3e831ad02996c96b8
SHA512

c54029e5999b21b631f150469de6ee07c852cf232e51255cc720f14994edcf4e17ded7b1ba6284da9a3afe921cb41700bd718b4983dc6705ae3e9975b59394b1
SSDEEP

12288:1cUCnVQx9b6IRQGCvYC240ImI5b48EKlRg1TdyBurkF0MfkOMvlxiDF:1cUjfbHRQK/4vx16r5aRp

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris
Executes dropped EXE 2 IoCs

Processes:

explorer.exeGetX64BTIT.exe

pid process

34388 explorer.exe
34568 GetX64BTIT.exe

pid	process
34388	explorer.exe
34568	GetX64BTIT.exe

Loads dropped DLL 4 IoCs

Processes:

6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exeexplorer.exe

pid	process
2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe
2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe
2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe
34388	explorer.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

7 api.ipify.org
8 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090
Drops file in Windows directory 1 IoCs

Processes:

6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe

description ioc process

File opened for modification C:\Windows\win.ini 6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
7	api.ipify.org
8	api.ipify.org

description	ioc	process
File opened for modification	C:\Windows\win.ini	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exeexplorer.exe

pid	process
2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe
2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe
34388	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe

pid process

2132 6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

34388 explorer.exe

pid	process
34388	explorer.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exeexplorer.exe

description	pid	process	target process
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 2132 wrote to memory of 34388	2132	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 34388 wrote to memory of 34568	34388	explorer.exe	GetX64BTIT.exe
PID 34388 wrote to memory of 34568	34388	explorer.exe	GetX64BTIT.exe
PID 34388 wrote to memory of 34568	34388	explorer.exe	GetX64BTIT.exe
PID 34388 wrote to memory of 34568	34388	explorer.exe	GetX64BTIT.exe

C:\Users\Admin\AppData\Local\Temp\6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:34388

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
3⤵
- Executes dropped EXE
PID:34568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Proxy

T1090

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
2.5MB

MD5
40d777b7a95e00593eb1568c68514493

SHA1
89a175a12bc20104770d0ef83e553f8b0e06274b

SHA256
0a8ce026714e03e72c619307bd598add5f9b639cfd91437cb8d9c847bf9f6894

SHA512
d5719baef8bef791ef99b4c88d449d45f199638438bd929c1a3e7a74309931c72e03567633135a4fcf4c92e2b53e552f9526cba2e1d85383906d3c1aa21dd67f

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
Filesize
28B

MD5
1dcc59a9b7981689c9d6b84962c19010

SHA1
90f084a05e16def425c1c2bb2268a09deb6ccdda

SHA256
2be469c38ae9b07bc1b26c59d7e88b22dd26e649548fbd23bee9fc0533a1cece

SHA512
f6d5acce634516e7773b1a868a5c00f9402399426248ef6d8ca92abeb729d88c54dc38467578e4304f130a463f99660d11fcfdfdadfbbfc563462637a5b2426f

Download Submit
C:\Windows\win.ini
Filesize
517B

MD5
893cae59ab5945a94a7da007d47a1255

SHA1
d4cfd81c6647ca64022bd307c08a7fb4bbbd4c06

SHA256
edfa0f2d3bea9f737e0315971c6f81d3d8e7d460b60a19351ada0316a093c938

SHA512
d66e454781f54f45df814ad32d687b0f100578c2a4ffca62de81add04281fb881a550702bd2d058933d3736d14e88624af268a86ce24b0c3935242b206ffdcc9

Download Submit
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
\Users\Admin\AppData\Local\Temp\diaeresis.dll
Filesize
10KB

MD5
51921a259471561b82e7b37b08cac3a5

SHA1
a3d991d42e1861f4db64438969116771bc8dbb81

SHA256
32dc82dd46ca4e4937b9f3c31988dde9cd1cfd4c907798d942b13394169f1bf6

SHA512
2446084e48688f37e60116c734dc9c8172e3692b2dde6e915c35f89bed7c383c4c62516680b4a701f3a8d29bcfdf7418f9846c302d4a64f042aabe000b07aa7a

Download Submit
\Users\Admin\AppData\Local\Temp\nst3FB0.tmp\System.dll
Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
memory/2132-10037-0x00000000029A0000-0x00000000029C0000-memory.dmp

Filesize
128KB

Download
memory/2132-28-0x0000000000550000-0x0000000000557000-memory.dmp

Filesize
28KB

Download
memory/2132-38-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2132-39-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/34388-10048-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/34388-10062-0x00000000002C0000-0x00000000002DE000-memory.dmp

Filesize
120KB

Download
memory/34388-10050-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/34388-10049-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/34388-10044-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/34388-10052-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/34388-10051-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/34388-10045-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/34388-10043-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/34388-10047-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/34388-10060-0x0000000010000000-0x0000000010015000-memory.dmp

Filesize
84KB

Download
memory/34388-10064-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/34388-10063-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/34388-10065-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/34388-10066-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/34388-10067-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/34388-10070-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/34388-10072-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/34388-10073-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/34388-10074-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download