Overview

overview

10

Static

static

1

2ff47e2334...18.exe

windows7-x64

10

2ff47e2334...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    10-05-2024 16:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2ff47e23344149f6b3b458259467d324_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    2ff47e23344149f6b3b458259467d324

  • SHA1

    445166148c135adc96fb0ae6010f0df05844b6ad

  • SHA256

    16cbf284ad8ba39cd8660caf5c96b659da01c48d227faa9c0b19ab73877b93bf

  • SHA512

    680e6d5b1f179709942e3341bb369c54344ccde058d55f0a6461c42cdc3937444351bda55dea9537a85a59000e7e5d48f58512411c63f89bf9b9936635197b3a

  • SSDEEP

    24576:TQZb8VCr3+EgexOnNNwiWgpacSpC19qo8Xf+b:W8auGSbwiWgAcSMv8mb

Score
10/10
orcusdesk021320ratspywarestealerupx

Malware Config

Extracted

Family

orcus

Botnet

DESK021320

C2

dailyupdates.theworkpc.com:9030

Mutex

0f2edf0cec8246d2a8b4bec33606ed52

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Orcurs Rat Executable 6 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Suspicious use of SetThreadContext 1 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2ff47e23344149f6b3b458259467d324_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\2ff47e23344149f6b3b458259467d324_JaffaCakes118.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\system32\notepad.exe"
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • NTFS ADS
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Users\Admin\AppData\Roaming\GvFndnBatchX2\GvFndnBatchX2.exe
        "C:\Users\Admin\AppData\Roaming\GvFndnBatchX2\GvFndnBatchX2.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Users\Admin\AppData\Roaming\GvFndnBatchX2\GvFndnBatchX2.exe
          "C:\Users\Admin\AppData\Roaming\GvFndnBatchX2\GvFndnBatchX2.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1488
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jtfufnzt.cmdline"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:896
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5301.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5300.tmp"
              6⤵
                PID:1828
          • C:\Users\Admin\AppData\Roaming\GvFndnBatchX2\GvFndnBatchX2.exe
            "C:\Users\Admin\AppData\Roaming\GvFndnBatchX2\GvFndnBatchX2.exe" 2 1488 259477648
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            PID:2484

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\RES5301.tmp
      Filesize

      1KB

      MD5

      60d29f16c2b6dd9732c6a8c1dc65020e

      SHA1

      44aaf568a74de7f5d65f174f0256a0dd8558cd03

      SHA256

      9c06fa26fb22b0a22763ed1918fd926a3ce747d7b89710a5315ccfb50ebbe322

      SHA512

      f0160cdf7e691e2eac388cb0d28766ef8b507d696f50f81a98734e17902bd2a9a9396511b94e5f426d2b96630d1b1aedba600f116187d2169a52f24b32828c4a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\jtfufnzt.dll
      Filesize

      76KB

      MD5

      d797b1edcbeda287386d10372797fa66

      SHA1

      5da29e74629d867d596517f1eb03790b4b40d655

      SHA256

      35a0ddafaebf1837c5a8863fcb217967de1a5f0a4b1a53a32d301daf0f1f9e95

      SHA512

      390eca29538ae1870b570c223361be81fa07f5b18ff12cb38d5daf6c859b25217175ba7fe5a625d26ec4688d6789d0273f96be35c7528771a496ab28f5213d66

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\CSC5300.tmp
      Filesize

      676B

      MD5

      bab496dbddd3c1b583a1a02270278707

      SHA1

      cac40c20f1f1864ffc8543a5e14e802d28cf5b4a

      SHA256

      35893b347bac614e1dc9981c94b580e4a0aaa60668336df998bf2239af623655

      SHA512

      738e0f371fce4a7ff95073c979fe58105ac36cdc73997d464f163a14b17d3aa56178da5960d787250067104250c60be5d384bbcbf93044715afff42402ed2f23

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\jtfufnzt.0.cs
      Filesize

      208KB

      MD5

      1bf1fe5f26b818dcb4d177bd8b3e6a02

      SHA1

      9c129a08c0cdb432bba2db3a03cac925d27c5960

      SHA256

      d3a03dc868950f4ec2af893f8f2e3a889c14babf16da7fc579fe59a434f269af

      SHA512

      e4166f9c5e54c4c58205fce5b9ca164151883d954de6aa01d916a4833cf62f8ad22b029260f286535eb3831ef57111a909933a3db09e487e5f1aa8a781e33356

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\jtfufnzt.cmdline
      Filesize

      347B

      MD5

      fd03640d2673dc4722820175f6834dea

      SHA1

      79ef4ee99f152c75009e00667b663efc5012c18a

      SHA256

      cbd812f491ce33b799ecb08c7a32c21f3fc2c36505578e96fe3964ea4c8365ae

      SHA512

      acbca3994b41614d0805094207d2a528f81be84ef1085394352b1b633eb14f86abc33b39488106e9c0b5059709ecdf883ce47a13fef71465e97df12ed4de5ffe

      Download Submit

    • \Users\Admin\AppData\Roaming\GvFndnBatchX2\GvFndnBatchX2.exe
      Filesize

      1.3MB

      MD5

      2ff47e23344149f6b3b458259467d324

      SHA1

      445166148c135adc96fb0ae6010f0df05844b6ad

      SHA256

      16cbf284ad8ba39cd8660caf5c96b659da01c48d227faa9c0b19ab73877b93bf

      SHA512

      680e6d5b1f179709942e3341bb369c54344ccde058d55f0a6461c42cdc3937444351bda55dea9537a85a59000e7e5d48f58512411c63f89bf9b9936635197b3a

      Download Submit

    • memory/1488-36-0x0000000000400000-0x00000000005DE000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/1488-39-0x0000000002110000-0x00000000021F8000-memory.dmp

      Filesize

      928KB

      Download

    • memory/1488-66-0x0000000000400000-0x00000000005DE000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/1488-33-0x0000000000400000-0x00000000005DE000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/1488-38-0x0000000002110000-0x00000000021F8000-memory.dmp

      Filesize

      928KB

      Download

    • memory/1488-40-0x0000000000400000-0x00000000005DE000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/1488-34-0x0000000000400000-0x00000000005DE000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/1488-30-0x0000000000400000-0x00000000005DE000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2268-6-0x0000000000320000-0x0000000000321000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2268-0-0x0000000000320000-0x0000000000321000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2268-4-0x0000000000400000-0x0000000000559000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2268-3-0x0000000000710000-0x0000000000711000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2268-2-0x0000000000660000-0x0000000000672000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2268-1-0x0000000000660000-0x0000000000672000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2484-67-0x0000000000400000-0x0000000000559000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2572-11-0x00000000000C0000-0x00000000000C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2572-8-0x00000000000C0000-0x00000000000C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2736-26-0x0000000000400000-0x0000000000559000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2736-25-0x0000000001E20000-0x0000000001E21000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2736-22-0x00000000001B0000-0x00000000001B1000-memory.dmp

      Filesize

      4KB

      Download