orcus | 046fa33ef56688e34c5aa9dbaf8b673cbec5fbc2712196674403dfafd9f700ef

Analysis

max time kernel
151s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12-05-2024 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
Size

2.6MB
MD5

39628f6572e6bf8683a71f66014933a5
SHA1

b4641f32159cb0de61e077566e027707b8429569
SHA256

046fa33ef56688e34c5aa9dbaf8b673cbec5fbc2712196674403dfafd9f700ef
SHA512

56c30c2f86d7b08aae9bd96e93e7305a2c26b90749fd7110315ff86370a2dd0f3352be1b2b1e715d6cbdb6d9364016dacdbcf9b1d18b7c5ce523d2dfa3b34e70
SSDEEP

24576:I4KxV8f6044+c12Ny3tMDI0l+GjMZijmcpjjjjQnOjWLghlKh6w34kcCSC9Bzv85:6E9euqNScU+vPtSRotkDWef/Dbyp

Score

10^/10

orcus persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

192.168.1.135:2410

Mutex

7fa2f818413f42a2990b40d91a249534

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral2/memory/1256-7-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SystemManager = "C:\\Users\\Admin\\SystemManager.exe"	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3672 set thread context of 1256	3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe	91

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
Token: SeDebugPrivilege	1256	RegAsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1256	RegAsm.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 1256	3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe	91
PID 3672 wrote to memory of 1256	3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe	91
PID 3672 wrote to memory of 1256	3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe	91
PID 3672 wrote to memory of 1256	3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe	91
PID 3672 wrote to memory of 1256	3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe	91
PID 3672 wrote to memory of 1256	3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe	91
PID 3672 wrote to memory of 1256	3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe	91
PID 3672 wrote to memory of 1256	3672	39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe	91

C:\Users\Admin\AppData\Local\Temp\39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\39628f6572e6bf8683a71f66014933a5_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3644 --field-trial-handle=3084,i,4016110471176367543,14287608422419064331,262144 --variations-seed-version /prefetch:8
1⤵
PID:4692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1256-16-0x00000000061C0000-0x0000000006382000-memory.dmp

Filesize
1.8MB

Download
memory/1256-17-0x00000000057F0000-0x0000000005800000-memory.dmp

Filesize
64KB

Download
memory/1256-11-0x0000000005160000-0x00000000051BC000-memory.dmp

Filesize
368KB

Download
memory/1256-13-0x0000000005330000-0x00000000053C2000-memory.dmp

Filesize
584KB

Download
memory/1256-12-0x0000000005840000-0x0000000005DE4000-memory.dmp

Filesize
5.6MB

Download
memory/1256-21-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/1256-7-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1256-8-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/1256-9-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/1256-10-0x0000000002A80000-0x0000000002A8E000-memory.dmp

Filesize
56KB

Download
memory/1256-18-0x0000000005830000-0x000000000583A000-memory.dmp

Filesize
40KB

Download
memory/1256-15-0x0000000005750000-0x0000000005768000-memory.dmp

Filesize
96KB

Download
memory/1256-14-0x0000000005310000-0x0000000005322000-memory.dmp

Filesize
72KB

Download
memory/3672-3-0x0000000006DF0000-0x0000000006EEA000-memory.dmp

Filesize
1000KB

Download
memory/3672-4-0x0000000005A90000-0x0000000005AA4000-memory.dmp

Filesize
80KB

Download
memory/3672-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

Filesize
4KB

Download
memory/3672-1-0x0000000000ED0000-0x0000000001168000-memory.dmp

Filesize
2.6MB

Download
memory/3672-2-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/3672-19-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

Filesize
4KB

Download
memory/3672-20-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/3672-6-0x0000000006F90000-0x000000000702C000-memory.dmp

Filesize
624KB

Download