General
Target: e74a7c1b38edaf14a2a60d2bb59ca104_JaffaCakes118
Size: 1.7MB
Sample: 240408-mxcedaag2y
MD5: e74a7c1b38edaf14a2a60d2bb59ca104
SHA1: f8984716508e063d89f9ee19774f3acc6e2ae033
SHA256: 56a724ac5096d73999d7832f8a504e551de1e95f4117ab19c76847143dfd79c3
SHA512: f749564361bec9e625b744231ce71bec84541eb3d5777f9e7f92b346b4bc2b92116226102c7f27f6e12dd2dae01d9282439acacb9fd3cdde8b14fad5d4f151fb
SSDEEP: 49152:56ZtW2UR1bhs/QBDpj95NnOyLjvCp8ABN9WbLOV:5KtsbhsIXjZL3nABN
Static task: static1
Behavioral task: behavioral1
Sample: e74a7c1b38edaf14a2a60d2bb59ca104_JaffaCakes118.exe
Resource: win7-20240215-en
Malware Config
Extracted
orcus
Minecraft
anime.ddnsking.com:10136
c144c747d74a46faa4b9df0e91ce4294
autostart_method: Registry
enable_keylogger: false
install_path: %appdata%\Adobe\Flash Player\Runtime Broker.exe
reconnect_delay: 10000
registry_keyname: Runtime Broker.exe
taskscheduler_taskname: Orcus
watchdog_path: AppData\OrcusWatchdog.exe
Targets
Target: e74a7c1b38edaf14a2a60d2bb59ca104_JaffaCakes118
- Orcurs Rat Executable
- Checks computer location settings: looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger