orcus | be235c670fa83853dfdd3c668df58da88289d2a8ef44e734fbc646f27cba9588

Analysis

max time kernel
18s
max time network
180s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
09-01-2024 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Calculator14VGAexe.exe
Size

1.7MB
MD5

4c969f76c5c1150669e1a54cfa20ed1c
SHA1

037f9b972c732222ba259754f75868caaefd03a3
SHA256

be235c670fa83853dfdd3c668df58da88289d2a8ef44e734fbc646f27cba9588
SHA512

5246dd5f6ee9c747360431bc140779a4d316af51186c6bcc0d6d0f3bb20e633cbdee2296432fd08e4f9234089bbcb5c868e8c9d75b05b523af53c5d34cc3ea15
SSDEEP

49152:ODQxkKWUoI8cQFrqxevo2NdQNBwLPVhF6WT:j2KWUoILC3nQDwrVn6WT

Score

10^/10

orcus tg persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

10.0.2.15:6969

Mutex

a867e8d19abf423285769fa6d8e47601

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Java8update\updaterjava9.exe
reconnect_delay
10000
registry_keyname
RobloxJavaMaster
taskscheduler_taskname
Orcus
watchdog_path
AppData\RobloxUpdater04.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 7 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2828-2-0x0000000000130000-0x00000000005A4000-memory.dmp	orcus
behavioral1/memory/2168-41-0x0000000001200000-0x0000000001674000-memory.dmp	orcus
behavioral1/memory/2168-40-0x0000000001200000-0x0000000001674000-memory.dmp	orcus
behavioral1/memory/2828-44-0x0000000000130000-0x00000000005A4000-memory.dmp	orcus
behavioral1/memory/1732-64-0x0000000001200000-0x0000000001674000-memory.dmp	orcus
behavioral1/memory/1732-55-0x0000000001200000-0x0000000001674000-memory.dmp	orcus
behavioral1/memory/1732-76-0x0000000001200000-0x0000000001674000-memory.dmp	orcus

Executes dropped EXE 3 IoCs

Processes:

WindowsInput.exeWindowsInput.exeupdaterjava9.exe

pid process

2716 WindowsInput.exe
2624 WindowsInput.exe
2168 updaterjava9.exe
Loads dropped DLL 2 IoCs

Processes:

Calculator14VGAexe.exe

pid process

2828 Calculator14VGAexe.exe
2828 Calculator14VGAexe.exe

pid	process
2716	WindowsInput.exe
2624	WindowsInput.exe
2168	updaterjava9.exe

pid	process
2828	Calculator14VGAexe.exe
2828	Calculator14VGAexe.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

updaterjava9.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-452311807-3713411997-1028535425-1000\Software\Microsoft\Windows\CurrentVersion\Run\RobloxJavaMaster = "\"C:\\Program Files (x86)\\Java8update\\updaterjava9.exe\""	updaterjava9.exe

Drops file in System32 directory 3 IoCs

Processes:

Calculator14VGAexe.exeWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe	Calculator14VGAexe.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	Calculator14VGAexe.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

Calculator14VGAexe.exeupdaterjava9.exe

pid process

2828 Calculator14VGAexe.exe
2168 updaterjava9.exe
2168 updaterjava9.exe

pid	process
2828	Calculator14VGAexe.exe
2168	updaterjava9.exe
2168	updaterjava9.exe

Drops file in Program Files directory 3 IoCs

Processes:

Calculator14VGAexe.exe

description	ioc	process
File created	C:\Program Files (x86)\Java8update\updaterjava9.exe	Calculator14VGAexe.exe
File opened for modification	C:\Program Files (x86)\Java8update\updaterjava9.exe	Calculator14VGAexe.exe
File created	C:\Program Files (x86)\Java8update\updaterjava9.exe.config	Calculator14VGAexe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

Calculator14VGAexe.exeupdaterjava9.exe

pid process

2828 Calculator14VGAexe.exe
2168 updaterjava9.exe

pid	process
2828	Calculator14VGAexe.exe
2168	updaterjava9.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

Calculator14VGAexe.exe

description	pid	process	target process
PID 2828 wrote to memory of 2716	2828	Calculator14VGAexe.exe	WindowsInput.exe
PID 2828 wrote to memory of 2716	2828	Calculator14VGAexe.exe	WindowsInput.exe
PID 2828 wrote to memory of 2716	2828	Calculator14VGAexe.exe	WindowsInput.exe
PID 2828 wrote to memory of 2716	2828	Calculator14VGAexe.exe	WindowsInput.exe
PID 2828 wrote to memory of 2168	2828	Calculator14VGAexe.exe	updaterjava9.exe
PID 2828 wrote to memory of 2168	2828	Calculator14VGAexe.exe	updaterjava9.exe
PID 2828 wrote to memory of 2168	2828	Calculator14VGAexe.exe	updaterjava9.exe
PID 2828 wrote to memory of 2168	2828	Calculator14VGAexe.exe	updaterjava9.exe
PID 2828 wrote to memory of 2168	2828	Calculator14VGAexe.exe	updaterjava9.exe
PID 2828 wrote to memory of 2168	2828	Calculator14VGAexe.exe	updaterjava9.exe
PID 2828 wrote to memory of 2168	2828	Calculator14VGAexe.exe	updaterjava9.exe

C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe
"C:\Users\Admin\AppData\Local\Temp\Calculator14VGAexe.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2716

C:\Program Files (x86)\Java8update\updaterjava9.exe
"C:\Program Files (x86)\Java8update\updaterjava9.exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
PID:2168

C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe
"C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe" /launchSelfAndExit "C:\Program Files (x86)\Java8update\updaterjava9.exe" 2168 /protectFile
3⤵
PID:1764

C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe
"C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe" /watchProcess "C:\Program Files (x86)\Java8update\updaterjava9.exe" 2168 "/protectFile"
4⤵
PID:564

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2624

C:\Windows\system32\taskeng.exe
taskeng.exe {B539EF4E-4B65-4330-84F7-6FBD9B9532CC} S-1-5-21-452311807-3713411997-1028535425-1000:OZEMQECW\Admin:Interactive:[1]
1⤵
PID:1884

C:\Program Files (x86)\Java8update\updaterjava9.exe
"C:\Program Files (x86)\Java8update\updaterjava9.exe"
2⤵
PID:1732

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Java8update\updaterjava9.exe
Filesize
501KB

MD5
20fdf1beffa96d617b2e4b14d6d4ebbd

SHA1
86338fade369cae9d456f44ad984decdfddb9722

SHA256
8eacf1a84ac2fe14d210c374efbdce2b00ff5d1dbe5a710d0272999ac1dc8f68

SHA512
05176ddeb2959a969ecd808ddcf0b684e4e0eff0e74f661cf5c8c4ebea7bf102dcff2b0f9f86d2b0211f1a02d651382337b45b76204ff8ae4e5c80c0c4cc6aa7

Download Submit
C:\Program Files (x86)\Java8update\updaterjava9.exe
Filesize
353KB

MD5
874202df303f602a991febc9925e5bbb

SHA1
609556f1c3f7b96bfed02776846fd11cdd8d23e3

SHA256
1b496cf6ae19560d09e55959047d3e4a04cb2c9859aea03224efcf20de331578

SHA512
81767e258b383efb911e7e0d751dd8b66865849173261e93afb25a018ee4110e07de53a7c0ff27286321d55a65d3d92abb7d04d3bc49eca2172894f3f4bfa041

Download Submit
C:\Program Files (x86)\Java8update\updaterjava9.exe
Filesize
200KB

MD5
8417700ec3578fa0b73f356882efdfd2

SHA1
35786a26be89eb3c3761068bd724bd500dfe068a

SHA256
1140edf1cdb34a129c371639cfcc97af55cda5d50cc1dd8dbcfa668a5650da42

SHA512
16b190cf8b8491c43bd55f647b5308c5d927c99570e0b0cea563e1e36d2346dca8ccd0e8261568be9d81cd7b5b657c93df859b634eda22a634c1a9fe779894e2

Download Submit
C:\Users\Admin\AppData\Roaming\NVIDlA\err_a867e8d19abf423285769fa6d8e47601.dat
Filesize
1KB

MD5
73e5bab7da043419d9fbb9a25e81af8f

SHA1
2ddc759d3b2ec24c6319521dae54e4c1b59c54de

SHA256
59d443f8803d8e90200e90ab2ea2fcb05759117aff5cb945b8c00a37e8f47bef

SHA512
79e43d4003d82306447f3f027752d57e86a5725a1727433ef7ea1ad265e0bcd1bb2052a676fcae15d53dd36809bbad3256b4377b6da0facf42511452b13444e7

Download Submit
C:\Users\Admin\AppData\Roaming\RobloxUpdater04.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\program files (x86)\java8update\updaterjava9.exe
Filesize
147KB

MD5
69546c55bc2c9e967d2e45c0247d6a70

SHA1
db6d9594099e7687038e2f6ac40daba5ce1fd829

SHA256
6a3bb15b41b4b5d195e1273e2c483bdc3a15e228b327938d112ac33eeeeff874

SHA512
a4082019369b0e2b27bca122bf62df87baf2012394d032177c1f63541f5e764237297c052b9fb8cbb8f9765c08f4e82977be5ee27d1edfb398dd29f8a7ced328

Download Submit
\Program Files (x86)\Java8update\updaterjava9.exe
Filesize
235KB

MD5
f39e4efd6fcc8248c1cc2f69078b9c28

SHA1
3671ca05130321b28a7dbe833c17dd9777760751

SHA256
9e32072759002a881576e8d136d20f2722d956c0e0bac2c2b7e33248dbc1af9f

SHA512
3f82a896e1757e0352c2c37c4c56e5b488637af608a2615f163e4ac11b8b30c851d22e55ba78d646b8ba0fdfcf50ef74611dd717bd965a61756819512fc3e72e

Download Submit
memory/564-74-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/564-83-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/1732-76-0x0000000001200000-0x0000000001674000-memory.dmp

Filesize
4.5MB

Download
memory/1732-69-0x0000000005530000-0x0000000005570000-memory.dmp

Filesize
256KB

Download
memory/1732-64-0x0000000001200000-0x0000000001674000-memory.dmp

Filesize
4.5MB

Download
memory/1732-52-0x0000000001200000-0x0000000001674000-memory.dmp

Filesize
4.5MB

Download
memory/1732-55-0x0000000001200000-0x0000000001674000-memory.dmp

Filesize
4.5MB

Download
memory/1732-77-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/1732-56-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/1764-67-0x00000000003D0000-0x00000000003D8000-memory.dmp

Filesize
32KB

Download
memory/1764-68-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/1764-73-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2168-81-0x0000000003070000-0x00000000030B0000-memory.dmp

Filesize
256KB

Download
memory/2168-48-0x0000000002D20000-0x0000000002D6E000-memory.dmp

Filesize
312KB

Download
memory/2168-41-0x0000000001200000-0x0000000001674000-memory.dmp

Filesize
4.5MB

Download
memory/2168-43-0x0000000003070000-0x00000000030B0000-memory.dmp

Filesize
256KB

Download
memory/2168-36-0x0000000001200000-0x0000000001674000-memory.dmp

Filesize
4.5MB

Download
memory/2168-40-0x0000000001200000-0x0000000001674000-memory.dmp

Filesize
4.5MB

Download
memory/2168-58-0x0000000003070000-0x00000000030B0000-memory.dmp

Filesize
256KB

Download
memory/2168-45-0x0000000000A90000-0x0000000000AA2000-memory.dmp

Filesize
72KB

Download
memory/2168-80-0x0000000003070000-0x00000000030B0000-memory.dmp

Filesize
256KB

Download
memory/2168-39-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2168-49-0x0000000002DC0000-0x0000000002DD8000-memory.dmp

Filesize
96KB

Download
memory/2168-50-0x0000000002EF0000-0x0000000002F00000-memory.dmp

Filesize
64KB

Download
memory/2168-79-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2624-26-0x00000000198A0000-0x0000000019920000-memory.dmp

Filesize
512KB

Download
memory/2624-72-0x00000000198A0000-0x0000000019920000-memory.dmp

Filesize
512KB

Download
memory/2624-25-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp

Filesize
9.9MB

Download
memory/2624-66-0x000007FEF4FE0000-0x000007FEF59CC000-memory.dmp

Filesize
9.9MB

Download
memory/2716-20-0x000000001B400000-0x000000001B480000-memory.dmp

Filesize
512KB

Download
memory/2716-19-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

Filesize
9.9MB

Download
memory/2716-18-0x0000000000EF0000-0x0000000000EFC000-memory.dmp

Filesize
48KB

Download
memory/2716-23-0x000007FEF59D0000-0x000007FEF63BC000-memory.dmp

Filesize
9.9MB

Download
memory/2828-7-0x00000000023E0000-0x00000000023E8000-memory.dmp

Filesize
32KB

Download
memory/2828-0-0x0000000000130000-0x00000000005A4000-memory.dmp

Filesize
4.5MB

Download
memory/2828-42-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2828-44-0x0000000000130000-0x00000000005A4000-memory.dmp

Filesize
4.5MB

Download
memory/2828-8-0x00000000023F0000-0x00000000023F8000-memory.dmp

Filesize
32KB

Download
memory/2828-6-0x00000000022E0000-0x00000000022F2000-memory.dmp

Filesize
72KB

Download
memory/2828-5-0x0000000002B20000-0x0000000002B7C000-memory.dmp

Filesize
368KB

Download
memory/2828-4-0x00000000022A0000-0x00000000022AE000-memory.dmp

Filesize
56KB

Download
memory/2828-3-0x00000000055C0000-0x0000000005600000-memory.dmp

Filesize
256KB

Download
memory/2828-1-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/2828-2-0x0000000000130000-0x00000000005A4000-memory.dmp

Filesize
4.5MB

Download