osiris | c0503c54556ba129ef04f224cec3c985e7d17f7e39a4574cbd553a67902ec689

Analysis

max time kernel
150s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe
Size

3.1MB
MD5

cc629e5d6fabb0da8f46ecb5d667113d
SHA1

ce1084782c077756fb43a1056cfcfdd80182f54e
SHA256

c0503c54556ba129ef04f224cec3c985e7d17f7e39a4574cbd553a67902ec689
SHA512

c54ca9ed01b007fc4abc0d72c77253ac2d8802882841a43226764b1fd46e4a1873158d04b396c3b82381fa806abc27cfb6b7778668c656afa53afc6d7c539a4a
SSDEEP

49152:jitOd4k7ydepSSPIZDscC+QZKDVdfu315:jiK4IIZYfZKDVQF5

Score

10^/10

osiris banker botnet discovery

Malware Config

Signatures

Osiris
banker botnet osiris
Osiris family
osiris

Blocklisted process makes network request 8 IoCs

flow	pid	Process
39	232	cmd.exe
43	232	cmd.exe
44	232	cmd.exe
46	232	cmd.exe
47	232	cmd.exe
55	232	cmd.exe
56	232	cmd.exe
58	232	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
1480	GetX64BTIT.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
45	api.ipify.org
46	api.ipify.org

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\cms.job	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe
3924	notepad.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe
232	cmd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3924	notepad.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
232	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83
PID 3192 wrote to memory of 3924	3192	cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\cc629e5d6fabb0da8f46ecb5d667113d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3924
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:232
  - - C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe
      "C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe"
      4⤵
      Executes dropped EXE
      PID:1480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\GetX64BTIT.exe

Filesize
3KB

MD5
b4cd27f2b37665f51eb9fe685ec1d373

SHA1
7f08febf0fdb7fc9f8bf35a10fb11e7de431abe0

SHA256
91f1023142b7babf6ff75dad984c2a35bde61dc9e61f45483f4b65008576d581

SHA512
e025f65224d78f5fd0abebe281ac0d44a385b2641e367cf39eed6aefada20a112ac47f94d7febc4424f1db6a6947bac16ff83ef93a8d745b3cddfdbe64c49a1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\x64btit.txt

Filesize
28B

MD5
903010bd06295937443ecc0f621bce21

SHA1
2185236ffae50e2cb9491aa989ab485403cc620c

SHA256
3fe05549e06d2ef906a8f8fdea424f49a1ff5fc79d6330c09c5890272ee4d7d8

SHA512
37e6fe1615a4ca8dd55ecc7276585a6d8ed0e9f295f5464851f9bc662573ebd31d5515918cb44f6651a06f0ecd8487cbf11b2f8ea20b391020c686a79c7fc5ad

Download Submit
memory/232-16-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/232-27-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/232-9-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/232-26-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/232-15-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/232-17-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/232-18-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/232-19-0x0000000000400000-0x000000000049F000-memory.dmp

Filesize
636KB

Download
memory/3192-1-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download
memory/3192-4-0x0000000000D80000-0x0000000000D8A000-memory.dmp

Filesize
40KB

Download
memory/3192-5-0x0000000000400000-0x0000000000738000-memory.dmp

Filesize
3.2MB

Download
memory/3192-3-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/3192-0-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/3924-8-0x0000000005220000-0x00000000052A4000-memory.dmp

Filesize
528KB

Download
memory/3924-2-0x00000000010A0000-0x00000000010A2000-memory.dmp

Filesize
8KB

Download
memory/3924-11-0x0000000005220000-0x00000000052A4000-memory.dmp

Filesize
528KB

Download
memory/3924-7-0x0000000002BF0000-0x0000000002BF8000-memory.dmp

Filesize
32KB

Download