osiris | c0503c54556ba129ef04f224cec3c985e7d17f7e39a4574cbd553a67902ec689

Analysis

max time kernel
150s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe
Size

3.1MB
MD5

cc629e5d6fabb0da8f46ecb5d667113d
SHA1

ce1084782c077756fb43a1056cfcfdd80182f54e
SHA256

c0503c54556ba129ef04f224cec3c985e7d17f7e39a4574cbd553a67902ec689
SHA512

c54ca9ed01b007fc4abc0d72c77253ac2d8802882841a43226764b1fd46e4a1873158d04b396c3b82381fa806abc27cfb6b7778668c656afa53afc6d7c539a4a
SSDEEP

49152:jitOd4k7ydepSSPIZDscC+QZKDVdfu315:jiK4IIZYfZKDVQF5

Score

10^/10

osiris banker botnet discovery

Malware Config

Signatures

Osiris
banker botnet osiris
Osiris family
osiris

Blocklisted process makes network request 9 IoCs

flow	pid	Process
10	2852	cmd.exe
12	2852	cmd.exe
13	2852	cmd.exe
14	2852	cmd.exe
16	2852	cmd.exe
17	2852	cmd.exe
18	2852	cmd.exe
19	2852	cmd.exe
20	2852	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1528	GetX64BTIT.exe

Loads dropped DLL 1 IoCs

pid	Process
2852	cmd.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	api.ipify.org
12	api.ipify.org

Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\cms.job	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe
1328	notepad.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe
2852	cmd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1328	notepad.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2852	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 2380 wrote to memory of 1328	2380	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	30
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31
PID 1328 wrote to memory of 2852	1328	notepad.exe	31

C:\Users\Admin\AppData\Local\Temp\cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2380
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2852
  - - C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
      "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
      4⤵
      Executes dropped EXE
      PID:1528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\x64btit.txt

Filesize
28B

MD5
6c1f730c31cb4cf9befd0a13beaf70f7

SHA1
956e6276a263390305e7ababdd1c9b3bb9e2e633

SHA256
06515eb4af42a37e60ea9f28c4f3521ab3e9a9df1d3106a35a3230ddfb3a6efa

SHA512
5c1cc0bdd4b94d1576118fd9bd899ddf0d90585c8e1017ba35e7caac11d8cab0eddf4d160ba79ab8d660042d3d95312086d44a3847bf655fa96b348806af68cb

Download Submit
\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
memory/1328-7-0x00000000002B0000-0x00000000002B8000-memory.dmp

Filesize
32KB

Download
memory/1328-13-0x0000000004600000-0x0000000004684000-memory.dmp

Filesize
528KB

Download
memory/1328-2-0x0000000000110000-0x0000000000112000-memory.dmp

Filesize
8KB

Download
memory/1328-8-0x0000000004600000-0x0000000004684000-memory.dmp

Filesize
528KB

Download
memory/2380-1-0x00000000007C0000-0x00000000007CA000-memory.dmp

Filesize
40KB

Download
memory/2380-5-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/2380-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2380-3-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2380-4-0x00000000007C0000-0x00000000007CA000-memory.dmp

Filesize
40KB

Download
memory/2852-20-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2852-19-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2852-17-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2852-12-0x0000000000090000-0x0000000000098000-memory.dmp

Filesize
32KB

Download
memory/2852-10-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2852-11-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2852-21-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2852-18-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2852-29-0x0000000010000000-0x0000000010016000-memory.dmp

Filesize
88KB

Download
memory/2852-33-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2852-34-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2852-31-0x0000000000380000-0x000000000039F000-memory.dmp

Filesize
124KB

Download
memory/2852-36-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2852-35-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2852-38-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/2852-40-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download