orcus | 16cbf284ad8ba39cd8660caf5c96b659da01c48d227faa9c0b19ab73877b93bf

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ff47e23344149f6b3b458259467d324_JaffaCakes118.exe
Size

1.3MB
MD5

2ff47e23344149f6b3b458259467d324
SHA1

445166148c135adc96fb0ae6010f0df05844b6ad
SHA256

16cbf284ad8ba39cd8660caf5c96b659da01c48d227faa9c0b19ab73877b93bf
SHA512

680e6d5b1f179709942e3341bb369c54344ccde058d55f0a6461c42cdc3937444351bda55dea9537a85a59000e7e5d48f58512411c63f89bf9b9936635197b3a
SSDEEP

24576:TQZb8VCr3+EgexOnNNwiWgpacSpC19qo8Xf+b:W8auGSbwiWgAcSMv8mb

Score

10^/10

orcus desk021320 rat spyware stealer upx

Malware Config

Extracted

Family

orcus

Botnet

DESK021320

dailyupdates.theworkpc.com:9030

Mutex

0f2edf0cec8246d2a8b4bec33606ed52

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 5 IoCs

resource	yara_rule
behavioral2/memory/1256-34-0x0000000000400000-0x00000000005DE000-memory.dmp	orcus
behavioral2/memory/1256-33-0x0000000000D30000-0x0000000000E18000-memory.dmp	orcus
behavioral2/memory/1256-29-0x0000000000400000-0x00000000005DE000-memory.dmp	orcus
behavioral2/memory/1256-32-0x0000000000D30000-0x0000000000E18000-memory.dmp	orcus
behavioral2/memory/1256-64-0x0000000000400000-0x00000000005DE000-memory.dmp	orcus

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GvFndnBatchX2.vbs	notepad.exe

Executes dropped EXE 3 IoCs

pid	Process
2912	GvFndnBatchX2.exe
1256	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1256-30-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1256-34-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1256-29-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1256-28-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral2/memory/1256-25-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	GvFndnBatchX2.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	GvFndnBatchX2.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2912 set thread context of 1256	2912	GvFndnBatchX2.exe	101

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	GvFndnBatchX2.exe
File created	C:\Windows\assembly\Desktop.ini	GvFndnBatchX2.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	GvFndnBatchX2.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\GvFndnBatchX2\GvFndnBatchX2.exe:ZoneIdentifier	notepad.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4392	2ff47e23344149f6b3b458259467d324_JaffaCakes118.exe
4392	2ff47e23344149f6b3b458259467d324_JaffaCakes118.exe
2912	GvFndnBatchX2.exe
2912	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe
1624	GvFndnBatchX2.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2912	GvFndnBatchX2.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1256	GvFndnBatchX2.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1256	GvFndnBatchX2.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4392 wrote to memory of 3436	4392	2ff47e23344149f6b3b458259467d324_JaffaCakes118.exe	98
PID 4392 wrote to memory of 3436	4392	2ff47e23344149f6b3b458259467d324_JaffaCakes118.exe	98
PID 4392 wrote to memory of 3436	4392	2ff47e23344149f6b3b458259467d324_JaffaCakes118.exe	98
PID 4392 wrote to memory of 3436	4392	2ff47e23344149f6b3b458259467d324_JaffaCakes118.exe	98
PID 4392 wrote to memory of 3436	4392	2ff47e23344149f6b3b458259467d324_JaffaCakes118.exe	98
PID 3436 wrote to memory of 2912	3436	notepad.exe	99
PID 3436 wrote to memory of 2912	3436	notepad.exe	99
PID 3436 wrote to memory of 2912	3436	notepad.exe	99
PID 2912 wrote to memory of 1256	2912	GvFndnBatchX2.exe	101
PID 2912 wrote to memory of 1256	2912	GvFndnBatchX2.exe	101
PID 2912 wrote to memory of 1256	2912	GvFndnBatchX2.exe	101
PID 2912 wrote to memory of 1624	2912	GvFndnBatchX2.exe	102
PID 2912 wrote to memory of 1624	2912	GvFndnBatchX2.exe	102
PID 2912 wrote to memory of 1624	2912	GvFndnBatchX2.exe	102
PID 1256 wrote to memory of 4212	1256	GvFndnBatchX2.exe	103
PID 1256 wrote to memory of 4212	1256	GvFndnBatchX2.exe	103
PID 1256 wrote to memory of 4212	1256	GvFndnBatchX2.exe	103
PID 4212 wrote to memory of 3760	4212	csc.exe	105
PID 4212 wrote to memory of 3760	4212	csc.exe	105
PID 4212 wrote to memory of 3760	4212	csc.exe	105

C:\Users\Admin\AppData\Local\Temp\2ff47e23344149f6b3b458259467d324_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2ff47e23344149f6b3b458259467d324_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Windows\SysWOW64\notepad.exe
  "C:\Windows\system32\notepad.exe"
  2⤵
  - Drops startup file
  - NTFS ADS
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Users\Admin\AppData\Roaming\GvFndnBatchX2\GvFndnBatchX2.exe
    "C:\Users\Admin\AppData\Roaming\GvFndnBatchX2\GvFndnBatchX2.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Users\Admin\AppData\Roaming\GvFndnBatchX2\GvFndnBatchX2.exe
      "C:\Users\Admin\AppData\Roaming\GvFndnBatchX2\GvFndnBatchX2.exe"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      Drops file in Windows directory
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1256
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7uxtgact.cmdline"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4212
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9353.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9352.tmp"
        6⤵
        
        PID:3760
  - - C:\Users\Admin\AppData\Roaming\GvFndnBatchX2\GvFndnBatchX2.exe
      "C:\Users\Admin\AppData\Roaming\GvFndnBatchX2\GvFndnBatchX2.exe" 2 1256 240685015
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:1624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7uxtgact.dll

Filesize
76KB

MD5
3bee1769cce9941345d5132178eea878

SHA1
dece32c2ebdacf610b50eedd26f73d339c7e7cd4

SHA256
0812cd5d04068a28b73cf2689f2b128d240e43d1874d15a070e31b238419f261

SHA512
343a34e117eb5f13eafa8601e81c0cdbe7d5a648bffcba8e0024b9788c405125f6d1649fa441cbd8c595bd6bac5e65c262d1109223ee1aa2a0e6920484ba172b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9353.tmp

Filesize
1KB

MD5
cfc78376448dc820ecf9f150e12c5e25

SHA1
7362893cdba078cdf962283fbbec6e03bab93fb1

SHA256
cd88a1875d0f77007027bc2e44997235b60873f73c32bcf309f872347537ed19

SHA512
50c3d9cfdeb39dcdbbc3aa6bf2de98ce3b74325fd6ca8a9d67e1f31e05c99bff3f20bc21aac627b5968be55912951a1208739ed000d64a49cb073ae1c99ef642

Download Submit
C:\Users\Admin\AppData\Roaming\GvFndnBatchX2\GvFndnBatchX2.exe

Filesize
1.3MB

MD5
2ff47e23344149f6b3b458259467d324

SHA1
445166148c135adc96fb0ae6010f0df05844b6ad

SHA256
16cbf284ad8ba39cd8660caf5c96b659da01c48d227faa9c0b19ab73877b93bf

SHA512
680e6d5b1f179709942e3341bb369c54344ccde058d55f0a6461c42cdc3937444351bda55dea9537a85a59000e7e5d48f58512411c63f89bf9b9936635197b3a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7uxtgact.0.cs

Filesize
208KB

MD5
cf0d049d0a67ab30cc572d17af4ae806

SHA1
6836637ec912c617a35627798d5257a2ce8c5652

SHA256
2ac28af9172e2f90be79dd13fb7981f6fad42979d429155184dba144689485aa

SHA512
94977a09df010ae862efd890f76a0dacb97b4e10aedf0d776e82448866a3f30bafc3a74899333095ba27e50f3d25a5212d9631d64a50fbb8361872469969f303

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7uxtgact.cmdline

Filesize
347B

MD5
6533fbf65538b964327e102fedf2d9e7

SHA1
3e52d1e19964a041580acf94e7618a327b2a2998

SHA256
4173f0048b142f8cfb2a5664c82e6cf9d8ce3cd061e62e0359c3e8791acb88b8

SHA512
c2da43a8a5bd04d395859dc82ede0c32a9f24e88134f07e8140698ac52fea436702feb2e782ef8a4d19a1909bc26c2f7f6087c03c64ac269f6b0a226a172bc8b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9352.tmp

Filesize
676B

MD5
6ca2598b2c1459c412700f4c8983579f

SHA1
9b71a08215723450319078679b91413beafea5ed

SHA256
1fb06e609ea00ad542b83c8f4d384d6137eca90ffeb460b80039ea625cab10ea

SHA512
18fa033261e45b100062db0815ed5e60ae31aff238cedc88afd939fdb33269ab756fd5e5115f09312d719f82a7e5cf58dde47ef8351070f46c22df1b0c4285ba

Download Submit
memory/1256-34-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1256-32-0x0000000000D30000-0x0000000000E18000-memory.dmp

Filesize
928KB

Download
memory/1256-64-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1256-25-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1256-28-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1256-30-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1256-29-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1256-33-0x0000000000D30000-0x0000000000E18000-memory.dmp

Filesize
928KB

Download
memory/1624-65-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2912-21-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/2912-20-0x0000000002380000-0x0000000002381000-memory.dmp

Filesize
4KB

Download
memory/2912-17-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/3436-10-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/4392-0-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/4392-6-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/4392-4-0x0000000000400000-0x0000000000559000-memory.dmp

Filesize
1.3MB

Download
memory/4392-3-0x0000000002570000-0x0000000002571000-memory.dmp

Filesize
4KB

Download
memory/4392-2-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download
memory/4392-1-0x0000000002550000-0x0000000002562000-memory.dmp

Filesize
72KB

Download