oski | d40dedd7f637a1ef9703b582a6d536469d1cf62bddc1a462a9cceeb7f9194f13

General

Target

5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe
Size

301KB
MD5

5e45692f423e4f683e1c246679e6d572
SHA1

bdc1cf9aa3625fc0d514628a55c767c8ed07e17b
SHA256

d40dedd7f637a1ef9703b582a6d536469d1cf62bddc1a462a9cceeb7f9194f13
SHA512

93de1b3cc9601adc6af8c2bdedec1633dfd82cc6a09d327836df2af628423db52174e1d9f6a241045a9ef593f0edd65e2b3a2797a64cbed73b2c54231ba0692c
SSDEEP

6144:8DKW1Lgbdl0TBBvjc/VddFYZF2IqG4qKBNDgEpxpAvtWbROF2:qh1Lk70TnvjcndMFJSPBNDvGvwbRe2

Score

10^/10

oski infostealer spyware stealer

Malware Config

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3244	chrmuim.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2400	3244	WerFault.exe	86

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3412	5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3412 wrote to memory of 3244	3412	5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe	86
PID 3412 wrote to memory of 3244	3412	5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe	86
PID 3412 wrote to memory of 3244	3412	5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe	86

C:\Users\Admin\AppData\Local\Temp\5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5e45692f423e4f683e1c246679e6d572_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Users\Admin\AppData\Local\Temp\chrmuim.exe
  "C:\Users\Admin\AppData\Local\Temp\chrmuim.exe"
  2⤵
  - Executes dropped EXE
  PID:3244
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3244 -s 1360
    3⤵
    - Program crash
    PID:2400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3244 -ip 3244
1⤵
PID:2452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\msvcp140.dll

Filesize
9KB

MD5
1945ddb3c17fc9de5f5adc73d9ca9c43

SHA1
bf8b1f894047c7efe8c9b8a5f0a6b6b19c0acb37

SHA256
743b429dee9b576878c810fca44b8b5c73795c8bbe5e72b297a94fed0809270c

SHA512
eb3134c6d61e070b0e6431143b64f30901f90110b6b985f07344d2a07a0e46d2f39640ad54d55ee9b15979483b99ea55deb6d8ff1c8d40a8e4f57a0bd3f4ac0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrmuim.exe

Filesize
200KB

MD5
35958a7d85fc88a18f931ee14e6ec531

SHA1
087fedd2ac4fe703da8ad32957998d1dffcb728b

SHA256
73fbf9c783b7e3a941837995f1a5181eca114e8923d6cc7ffb362ea88a8d0ba3

SHA512
de7cb672507d2c2c6de27301a36507939be19231ff97c1c062e2cfda354b4e89f42570f448f8f24e3d8714d6d651b484bc36a8f4dbd53c3e6b968ef002fdb489

Download Submit
memory/3412-28-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-48-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-4-0x0000000002480000-0x00000000024BA000-memory.dmp

Filesize
232KB

Download
memory/3412-46-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-0-0x0000000074E9E000-0x0000000074E9F000-memory.dmp

Filesize
4KB

Download
memory/3412-52-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-50-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-2-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download
memory/3412-44-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-26-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-40-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-38-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-37-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-34-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-32-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-30-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-54-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-3-0x0000000004A40000-0x0000000004FE4000-memory.dmp

Filesize
5.6MB

Download
memory/3412-42-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-24-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-19-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-16-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-12-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-10-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-9-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-5-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-22-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-64-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download
memory/3412-20-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-14-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-6-0x0000000002480000-0x00000000024B3000-memory.dmp

Filesize
204KB

Download
memory/3412-66-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download
memory/3412-67-0x0000000074E90000-0x0000000075640000-memory.dmp

Filesize
7.7MB

Download
memory/3412-1-0x0000000002320000-0x000000000235A000-memory.dmp

Filesize
232KB

Download

Analysis

Sharing