osiris | 9b85558890e3d294391a7cb297da5708910ce6ed1ce530c2e801db206c8022e6

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-08-2024 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
Size

434KB
MD5

bbb9ac08df8194bde9ce1f5b53566112
SHA1

5806ce0fac4ec6b2d495f5e42ff9e38b32394daa
SHA256

9b85558890e3d294391a7cb297da5708910ce6ed1ce530c2e801db206c8022e6
SHA512

30ee0c884c921875f976196bc4aa358ff3732d380fc24749e2a30a8a67bd88661851932b7ac154a33eec0bed03063928fbe18fbd5e31d879811370e6f31737cb
SSDEEP

12288:rXPcLcbGfVylwG/ZDCK/ScBXo8TsyMkKMY8m7WOK9SATTsx/SA/WegYfdNbrqnus:rXh6XcBXo8TsL8Y8m/ATTySA/DrfdNb+

Score

10^/10

osiris banker botnet discovery

Malware Config

Signatures

Osiris
banker botnet osiris

Executes dropped EXE 1 IoCs

pid	Process
1000	GetX64BTIT.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
35	api.ipify.org
36	api.ipify.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3960 wrote to memory of 1000	3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe	87
PID 3960 wrote to memory of 1000	3960	bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe	87

C:\Users\Admin\AppData\Local\Temp\bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bbb9ac08df8194bde9ce1f5b53566112_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3960
- C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
  "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
  2⤵
  - Executes dropped EXE
  PID:1000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt

Filesize
28B

MD5
6aef8c295ca331715c9b60bb328392d7

SHA1
06858f1ebac52976fc5798d0c77b440147596e97

SHA256
ad839bfb835d02f02c5c8d169f762b753b1a714a53b7faef3d0e91c0d1d07d04

SHA512
003c3327e417777c09ce3e27104ff11e60451a4330efc58195dbf7d43c80048c811c1df07b17efb13c960fdb8e5698d3146ffe363ca84672999b75f1f4c5f206

Download Submit