Analysis
-
max time kernel
133s -
max time network
124s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
07-10-2024 01:23
Static task
static1
Behavioral task
behavioral1
Sample
1ab68861cbb539af250899445e168233_JaffaCakes118.xll
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1ab68861cbb539af250899445e168233_JaffaCakes118.xll
Resource
win10v2004-20240802-en
General
-
Target
1ab68861cbb539af250899445e168233_JaffaCakes118.xll
-
Size
1.2MB
-
MD5
1ab68861cbb539af250899445e168233
-
SHA1
e4299a99e197c034b76f9415acb599c810f4f659
-
SHA256
7b05d46b12945a754e07915535b5c977078818b088ce5de1a31ff40b3c2bef61
-
SHA512
3ce1f719220f13fafb5fc07d0c8def676fd717ecf3e068088b0e0bf35b686866b0e9adc4cd051fd2990f46df5b120e365e77b93b8f6ff5863297a3fcd6a6a518
-
SSDEEP
24576:DzbGHAzHKjX1rBY4ZyrE7K3yl8PeVooA/AB2LEgpUqY/CL+elRtA3k0yy3l4VzCa:DziHILpUhxel6k0yyW094
Malware Config
Extracted
oski
himarkh.xyz
Signatures
-
Oski
Oski is an infostealer targeting browser data, crypto wallets.
-
Executes dropped EXE 2 IoCs
pid Process 3956 service.exe 1000 service.exe -
Loads dropped DLL 2 IoCs
pid Process 4484 EXCEL.EXE 4484 EXCEL.EXE -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3956 set thread context of 1000 3956 service.exe 95 -
Program crash 1 IoCs
pid pid_target Process procid_target 3152 1000 WerFault.exe 95 -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language service.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 4484 EXCEL.EXE -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4484 EXCEL.EXE 4484 EXCEL.EXE -
Suspicious use of SetWindowsHookEx 11 IoCs
pid Process 4484 EXCEL.EXE 4484 EXCEL.EXE 4484 EXCEL.EXE 4484 EXCEL.EXE 4484 EXCEL.EXE 4484 EXCEL.EXE 4484 EXCEL.EXE 4484 EXCEL.EXE 4484 EXCEL.EXE 4484 EXCEL.EXE 4484 EXCEL.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 4484 wrote to memory of 3956 4484 EXCEL.EXE 86 PID 4484 wrote to memory of 3956 4484 EXCEL.EXE 86 PID 4484 wrote to memory of 3956 4484 EXCEL.EXE 86 PID 3956 wrote to memory of 1000 3956 service.exe 95 PID 3956 wrote to memory of 1000 3956 service.exe 95 PID 3956 wrote to memory of 1000 3956 service.exe 95 PID 3956 wrote to memory of 1000 3956 service.exe 95 PID 3956 wrote to memory of 1000 3956 service.exe 95 PID 3956 wrote to memory of 1000 3956 service.exe 95 PID 3956 wrote to memory of 1000 3956 service.exe 95 PID 3956 wrote to memory of 1000 3956 service.exe 95 PID 3956 wrote to memory of 1000 3956 service.exe 95
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\1ab68861cbb539af250899445e168233_JaffaCakes118.xll"1⤵
- Loads dropped DLL
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Users\Admin\AppData\Roaming\service.exe"C:\Users\Admin\AppData\Roaming\service.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Users\Admin\AppData\Roaming\service.exe"C:\Users\Admin\AppData\Roaming\service.exe"3⤵
- Executes dropped EXE
PID:1000 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1000 -s 12964⤵
- Program crash
PID:3152
-
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1000 -ip 10001⤵PID:4316
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.2MB
MD51ab68861cbb539af250899445e168233
SHA1e4299a99e197c034b76f9415acb599c810f4f659
SHA2567b05d46b12945a754e07915535b5c977078818b088ce5de1a31ff40b3c2bef61
SHA5123ce1f719220f13fafb5fc07d0c8def676fd717ecf3e068088b0e0bf35b686866b0e9adc4cd051fd2990f46df5b120e365e77b93b8f6ff5863297a3fcd6a6a518
-
Filesize
12KB
MD536cadc2fa9f7938f74061fda9b126a9f
SHA15252934ac46fb3bc8fdb361880ade043070501bd
SHA256afc8ea53b3eeb62a44ce6d2b4593931d009ec00769410e76478cc88eab59d1f4
SHA512b7668575cea53280a3d553b18e1ac7670eeafab9f2d48db5d86496722e2b1d5d48a3ac3b1e56a8d7198abd771f2d95fef4449792c214dffc2097e62273e7db1f
-
Filesize
694KB
MD5fbfaade9d2adf0bd1e757f3023f75c39
SHA1660c09dc2d7a7ea2ee9654af493fc1c1c691782a
SHA25622215d10db3c10c324394a1fbe382c7d0660d2394b37672bc679ab6c6194d6bc
SHA512764b4fe68560f033aaf8275d0a06cf9c4069541c832d1f2ed76ea2b5cdf4a915e05e4e669d4424bc129e148be651b3f959d8af399026dd12cce304815708932e