oski | 9d4388563479b260352b5a5e00b5468315c27febd66b4428407f64126372306f

General

Target

JaffaCakes118_cdfbd789618943e68323a61e3f36c905.ps1
Size

363KB
MD5

cdfbd789618943e68323a61e3f36c905
SHA1

8df62d6b66925f9c091ef285e7db70703922e317
SHA256

9d4388563479b260352b5a5e00b5468315c27febd66b4428407f64126372306f
SHA512

a446c80e832c34a2c1b92af649362cccae1f558ecca8f8229c8b3738ed5c2c63c82cf5d1fde3f355231e3832fc4a9c76b006092e20182354265a9d8dc0583c5f
SSDEEP

1536:EUsNE7WNSVZF13AH5YAQIDDPK44rVL/GglenfNqYoKLE3nWNjwNxRpy1F5J7khmP:N9G

Score

10^/10

oski discovery execution infostealer

Malware Config

Extracted

Family

oski

C2

103.125.190.248/i1/

Signatures

Oski
Oski is an infostealer targeting browser data, crypto wallets.
infostealer oski
Oski family
oski

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1344 set thread context of 5092	1344	powershell.exe	86

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1344	powershell.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2920	5092	WerFault.exe	86

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1344	powershell.exe
1344	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1344	powershell.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 3576	1344	powershell.exe	84
PID 1344 wrote to memory of 3576	1344	powershell.exe	84
PID 3576 wrote to memory of 4880	3576	csc.exe	85
PID 3576 wrote to memory of 4880	3576	csc.exe	85
PID 1344 wrote to memory of 5092	1344	powershell.exe	86
PID 1344 wrote to memory of 5092	1344	powershell.exe	86
PID 1344 wrote to memory of 5092	1344	powershell.exe	86
PID 1344 wrote to memory of 5092	1344	powershell.exe	86
PID 1344 wrote to memory of 5092	1344	powershell.exe	86
PID 1344 wrote to memory of 5092	1344	powershell.exe	86
PID 1344 wrote to memory of 5092	1344	powershell.exe	86
PID 1344 wrote to memory of 5092	1344	powershell.exe	86
PID 1344 wrote to memory of 5092	1344	powershell.exe	86

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cdfbd789618943e68323a61e3f36c905.ps1
1⤵
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bbajtj2o\bbajtj2o.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC0FE.tmp" "c:\Users\Admin\AppData\Local\Temp\bbajtj2o\CSCF1ED75A4DDD343D5ACA495FC5F2C40F9.TMP"
    3⤵
    PID:4880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5092
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5092 -s 544
    3⤵
    - Program crash
    PID:2920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5092 -ip 5092
1⤵
PID:2880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESC0FE.tmp

Filesize
1KB

MD5
752c2d503f984b8a979099ce67e4e216

SHA1
a2409da4536a3b9850313d89b454f269c93e7f40

SHA256
7c8ea0247738413c61a69b5515dd525e3acc11a6add900c58f0e9ed3653a51a0

SHA512
07bf45a974e80b0ee98e2c1268cfa2895d17ee81ff8871b8c5baf6b42e4eef00983df6915f91aa55c8de903797b0576bf53b89384c8cf6cb5815bd70626da7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kim0rgwv.lp1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbajtj2o\bbajtj2o.dll

Filesize
13KB

MD5
751d48ee99b64803a0321fb4b08782d7

SHA1
b238e017572de87909a104c647137f2bf394c02d

SHA256
81e1538bccf7ceff2b12300843d83901a6354046150e7c232d59b786d98ca3f2

SHA512
1c4d8785e30c0d1aad303c39d5bd5b363525add85c23fe6d8dec20a32cbadd09bfaf51181a26de156927be207cf2d21b355f37b32649ec74ee695ad42d3d8438

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bbajtj2o\CSCF1ED75A4DDD343D5ACA495FC5F2C40F9.TMP

Filesize
652B

MD5
ae449c154f8fe74796dec14a70cee437

SHA1
b1a8646717e7a852b1e140434df71e3c8a0dd8a8

SHA256
c5028bf3be112f66b85cfb14d321e70f83a12cec8dc1b8c54fd831d3a8af144f

SHA512
bd5bb1362e7441bd64633776d4506506e7979bcea77b1d8b0dd1522fc24e0f7d8a87336e91b3cecae243a0c02c5f8be5e335c01d72eb3d8909a8700de6978f71

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bbajtj2o\bbajtj2o.0.cs

Filesize
13KB

MD5
e03b1e7ba7f1a53a7e10c0fd9049f437

SHA1
3bb851a42717eeb588eb7deadfcd04c571c15f41

SHA256
3ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427

SHA512
a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bbajtj2o\bbajtj2o.cmdline

Filesize
327B

MD5
9748671d99a295fa09a9f0cdd21c1648

SHA1
ab135d4b104c8ead1c2b777a5d6a0e9df091c43f

SHA256
08b1a8104b9c0283912c0060ca52cd52fd36a3cefae0d47541fe44cebdefefd2

SHA512
645bab2d0e1b5347e55ae92f8edddcfca6becb49d9815ee89eb7aadb2e6e4f8fc9e625bd28ecd1f5552372cd3bf9b161ada4e3b5398717c31728c82fa8cc0569

Download Submit
memory/1344-12-0x00007FFFFE6F0000-0x00007FFFFF1B1000-memory.dmp

Filesize
10.8MB

Download
memory/1344-13-0x0000015F6AC80000-0x0000015F6ACF6000-memory.dmp

Filesize
472KB

Download
memory/1344-0-0x00007FFFFE6F3000-0x00007FFFFE6F5000-memory.dmp

Filesize
8KB

Download
memory/1344-11-0x00007FFFFE6F0000-0x00007FFFFF1B1000-memory.dmp

Filesize
10.8MB

Download
memory/1344-1-0x0000015F6A760000-0x0000015F6A782000-memory.dmp

Filesize
136KB

Download
memory/1344-26-0x0000015F6ABE0000-0x0000015F6ABEA000-memory.dmp

Filesize
40KB

Download
memory/1344-31-0x00007FFFFE6F0000-0x00007FFFFF1B1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-28-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5092-32-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5092-35-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/5092-33-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing