osiris | 0ab29a1c5c76e79998b45ddc32e3377d3f59bcd99a0f67f3e831ad02996c96b8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe
Size

568KB
MD5

6f76d0c1fb88337cb281b250e2c178fd
SHA1

c7b1e09633191070ee87a3d5bcd8e2ff3eb48151
SHA256

0ab29a1c5c76e79998b45ddc32e3377d3f59bcd99a0f67f3e831ad02996c96b8
SHA512

c54029e5999b21b631f150469de6ee07c852cf232e51255cc720f14994edcf4e17ded7b1ba6284da9a3afe921cb41700bd718b4983dc6705ae3e9975b59394b1
SSDEEP

12288:1cUCnVQx9b6IRQGCvYC240ImI5b48EKlRg1TdyBurkF0MfkOMvlxiDF:1cUjfbHRQK/4vx16r5aRp

Score

10^/10

osiris banker botnet

Malware Config

Signatures

Osiris
banker botnet osiris
Executes dropped EXE 2 IoCs

Processes:

explorer.exeGetX64BTIT.exe

pid process

3696 explorer.exe
3256 GetX64BTIT.exe
Loads dropped DLL 2 IoCs

Processes:

6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe

pid process

3468 6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe
3468 6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

39 api.ipify.org
40 api.ipify.org
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090
Drops file in Windows directory 1 IoCs

Processes:

6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe

description ioc process

File opened for modification C:\Windows\win.ini 6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

7536 3696 WerFault.exe explorer.exe

pid	process
3696	explorer.exe
3256	GetX64BTIT.exe

flow	ioc
39	api.ipify.org
40	api.ipify.org

description	ioc	process
File opened for modification	C:\Windows\win.ini	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe

pid	pid_target	process	target process
7536	3696	WerFault.exe	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exeexplorer.exe

pid	process
3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe
3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe
3696	explorer.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe

pid process

3468 6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe
3468 6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

explorer.exe

pid process

3696 explorer.exe

pid	process
3696	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe

description	pid	process	target process
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe
PID 3468 wrote to memory of 3696	3468	6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6f76d0c1fb88337cb281b250e2c178fd_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3468

C:\Users\Admin\AppData\Local\Temp\explorer.exe
"C:\Users\Admin\AppData\Local\Temp\explorer.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3696

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
"C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
3⤵
- Executes dropped EXE
PID:3256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3696 -s 1576
3⤵
- Program crash
PID:7536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3696 -ip 3696
1⤵
PID:7512

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Proxy

T1090

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\diaeresis.dll
Filesize
10KB

MD5
51921a259471561b82e7b37b08cac3a5

SHA1
a3d991d42e1861f4db64438969116771bc8dbb81

SHA256
32dc82dd46ca4e4937b9f3c31988dde9cd1cfd4c907798d942b13394169f1bf6

SHA512
2446084e48688f37e60116c734dc9c8172e3692b2dde6e915c35f89bed7c383c4c62516680b4a701f3a8d29bcfdf7418f9846c302d4a64f042aabe000b07aa7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\explorer.exe
Filesize
4.2MB

MD5
0155e85852fde62a441cbaf485e023be

SHA1
59482d4b1c0f061426ef71bff8506230faa00701

SHA256
e0689419d3d7879a229ecf3e74639e4e9ba0669ed4574f47b108097593fc9fbc

SHA512
f1a43adb7b0203dc5ad4613da9645070c4da0d15d8788b50644cb80420d4a38151488aa3888da39a6cb17ef6d3f5ebc5fe08ac948dca1fd0c852dceecd3bafff

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse5295.tmp\System.dll
Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt
Filesize
28B

MD5
ee3c0e9b87c75ad554eb0bdb745adbd2

SHA1
f81cea14c67774a4c88c5c52bad21334599caba7

SHA256
e0e6eee9bc0508179752fe8454313096895aa11536af5c66aa928ae1d107e915

SHA512
2e25a090e24de4886363edd350d7aec83eb7bd8ceaa1bbc281c7178ccdcfa216a03084a62b330d526ddf8c763bd09d6d04ef2529935f309b0d105702816ea8c7

Download Submit
C:\Windows\win.ini
Filesize
131B

MD5
9848e4efb0abd437d65e6d3d1d973adb

SHA1
f427ac7c50b19f66658ae7f92cbaf21110b49a47

SHA256
c8b84add37da849977a84fe62badb6cb908be99769edb70d60bcd04c0aec2a3f

SHA512
f90f1f65b6b824a526469b8d739f733a54a7f485d8b5f680de7a35fac90786bf6ba5a0b1d62e139663c5ee73b8d687cf32d4ccf188e18c53084ec12d8c216b17

Download Submit
memory/3468-10036-0x0000000002840000-0x0000000002860000-memory.dmp

Filesize
128KB

Download
memory/3468-33-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/3468-27-0x00000000021C0000-0x00000000021C7000-memory.dmp

Filesize
28KB

Download
memory/3468-34-0x00000000021B0000-0x00000000021B1000-memory.dmp

Filesize
4KB

Download
memory/3696-10052-0x0000000000800000-0x000000000089F000-memory.dmp

Filesize
636KB

Download
memory/3696-10047-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/3696-10051-0x0000000000800000-0x000000000089F000-memory.dmp

Filesize
636KB

Download
memory/3696-10050-0x0000000000800000-0x000000000089F000-memory.dmp

Filesize
636KB

Download
memory/3696-10049-0x0000000000800000-0x000000000089F000-memory.dmp

Filesize
636KB

Download
memory/3696-10043-0x0000000000800000-0x000000000089F000-memory.dmp

Filesize
636KB

Download
memory/3696-10053-0x0000000000800000-0x000000000089F000-memory.dmp

Filesize
636KB

Download
memory/3696-10040-0x0000000000800000-0x000000000089F000-memory.dmp

Filesize
636KB

Download
memory/3696-10046-0x0000000000800000-0x000000000089F000-memory.dmp

Filesize
636KB

Download
memory/3696-10060-0x0000000000800000-0x000000000089F000-memory.dmp

Filesize
636KB

Download
memory/3696-10061-0x0000000000800000-0x000000000089F000-memory.dmp

Filesize
636KB

Download
memory/3696-10062-0x00000000005A0000-0x00000000005A6000-memory.dmp

Filesize
24KB

Download
memory/3696-10063-0x0000000000800000-0x000000000089F000-memory.dmp

Filesize
636KB

Download
memory/3696-10064-0x0000000000800000-0x000000000089F000-memory.dmp

Filesize
636KB

Download