General

  • Target

    e74a7c1b38edaf14a2a60d2bb59ca104_JaffaCakes118

  • Size

    1.7MB

  • Sample

    240408-mxcedaag2y

  • MD5

    e74a7c1b38edaf14a2a60d2bb59ca104

  • SHA1

    f8984716508e063d89f9ee19774f3acc6e2ae033

  • SHA256

    56a724ac5096d73999d7832f8a504e551de1e95f4117ab19c76847143dfd79c3

  • SHA512

    f749564361bec9e625b744231ce71bec84541eb3d5777f9e7f92b346b4bc2b92116226102c7f27f6e12dd2dae01d9282439acacb9fd3cdde8b14fad5d4f151fb

  • SSDEEP

    49152:56ZtW2UR1bhs/QBDpj95NnOyLjvCp8ABN9WbLOV:5KtsbhsIXjZL3nABN

Malware Config

Extracted

Family

orcus

Botnet

Minecraft

C2

anime.ddnsking.com:10136

Mutex

c144c747d74a46faa4b9df0e91ce4294

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %appdata%\Adobe\Flash Player\Runtime Broker.exe

  • reconnect_delay

    10000

  • registry_keyname

    Runtime Broker.exe

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Target

      e74a7c1b38edaf14a2a60d2bb59ca104_JaffaCakes118

    • Size

      1.7MB

    • MD5

      e74a7c1b38edaf14a2a60d2bb59ca104

    • SHA1

      f8984716508e063d89f9ee19774f3acc6e2ae033

    • SHA256

      56a724ac5096d73999d7832f8a504e551de1e95f4117ab19c76847143dfd79c3

    • SHA512

      f749564361bec9e625b744231ce71bec84541eb3d5777f9e7f92b346b4bc2b92116226102c7f27f6e12dd2dae01d9282439acacb9fd3cdde8b14fad5d4f151fb

    • SSDEEP

      49152:56ZtW2UR1bhs/QBDpj95NnOyLjvCp8ABN9WbLOV:5KtsbhsIXjZL3nABN

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks