orcus | 00e9648bce3965672fccf9252b9874a05fe34f8773bb1d61e167eab7aa43c272

General

Target

4639c5d42d0658b568a52ee9ef520de7_JaffaCakes118.exe
Size

910KB
MD5

4639c5d42d0658b568a52ee9ef520de7
SHA1

f419e6ffb477d4e55cb45053740fe119dd52273f
SHA256

00e9648bce3965672fccf9252b9874a05fe34f8773bb1d61e167eab7aa43c272
SHA512

c354177657889ca14476ee7081df87504aea50698b972ee49449a7eb574ef1ee28753e189f345c2ca0a4d12db53c3950525bf0c0d5ca15b3553216e0044c2dde
SSDEEP

12288:i5STYf+qnR7Fkxh7dG1lFlWcYT70pxnnaaoawASIh4BBpGMrZNrI0AilFEvxHvBl:Chg4MROxnFp/i5rZlI0AilFEvxHiPoj

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

192.168.1.6:1604

Mutex

a8433b7251304a7b8fb63737fdd0c1d3

Attributes

autostart_method
Disable
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023379-37.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000c000000023379-37.dat	orcus
behavioral2/memory/2400-43-0x00000000001F0000-0x00000000002DA000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	4639c5d42d0658b568a52ee9ef520de7_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2400	Orcus.exe
4072	Orcus.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	4639c5d42d0658b568a52ee9ef520de7_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	4639c5d42d0658b568a52ee9ef520de7_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Orcus\Orcus.exe	4639c5d42d0658b568a52ee9ef520de7_JaffaCakes118.exe
File opened for modification	C:\Program Files\Orcus\Orcus.exe	4639c5d42d0658b568a52ee9ef520de7_JaffaCakes118.exe
File created	C:\Program Files\Orcus\Orcus.exe.config	4639c5d42d0658b568a52ee9ef520de7_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	4639c5d42d0658b568a52ee9ef520de7_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	4639c5d42d0658b568a52ee9ef520de7_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	4639c5d42d0658b568a52ee9ef520de7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2400	Orcus.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2400	Orcus.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2400	Orcus.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 1808	4540	4639c5d42d0658b568a52ee9ef520de7_JaffaCakes118.exe	85
PID 4540 wrote to memory of 1808	4540	4639c5d42d0658b568a52ee9ef520de7_JaffaCakes118.exe	85
PID 1808 wrote to memory of 1028	1808	csc.exe	87
PID 1808 wrote to memory of 1028	1808	csc.exe	87
PID 4540 wrote to memory of 2400	4540	4639c5d42d0658b568a52ee9ef520de7_JaffaCakes118.exe	88
PID 4540 wrote to memory of 2400	4540	4639c5d42d0658b568a52ee9ef520de7_JaffaCakes118.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4639c5d42d0658b568a52ee9ef520de7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4639c5d42d0658b568a52ee9ef520de7_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yzbmtps0.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1808
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2914.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2913.tmp"
    3⤵
    PID:1028
- C:\Program Files\Orcus\Orcus.exe
  "C:\Program Files\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2400

C:\Program Files\Orcus\Orcus.exe
"C:\Program Files\Orcus\Orcus.exe"
1⤵
- Executes dropped EXE
PID:4072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Orcus\Orcus.exe

Filesize
910KB

MD5
4639c5d42d0658b568a52ee9ef520de7

SHA1
f419e6ffb477d4e55cb45053740fe119dd52273f

SHA256
00e9648bce3965672fccf9252b9874a05fe34f8773bb1d61e167eab7aa43c272

SHA512
c354177657889ca14476ee7081df87504aea50698b972ee49449a7eb574ef1ee28753e189f345c2ca0a4d12db53c3950525bf0c0d5ca15b3553216e0044c2dde

Download Submit
C:\Program Files\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES2914.tmp

Filesize
1KB

MD5
b53e1650f6a7e029edb5789b07676a85

SHA1
cc1b3634a6e2244d8731003fd566c7b7ba664f6f

SHA256
f7820cc707870b3645bc24ed23adcb739a8ccb9c8ba01fafef1c3823fbe1d188

SHA512
1657ea6b4538000aa02bf9f1c695564f3eed0f36e3bd3e274f9960b0e269ed5fe738e7e33da6b81fba391dbda1fc82b1aba6f32b9e7dc0c7b089878dda25ebee

Download Submit
C:\Users\Admin\AppData\Local\Temp\yzbmtps0.dll

Filesize
76KB

MD5
cf011ddda2229902e975d9e0d76f1102

SHA1
5c8a2864e9b1d3b019eeb8e3cb1e615a5c9d5801

SHA256
4fbd23e290ca44a156bab36485bf073e0b03ea1d626252fc5e0f4043e7844664

SHA512
e4d6f9f0c6f015b642af05b5122adbc6e2e7b0c93458cedca647534b616621b425285c1e57c8719ec5894b83e67979b0239e82e84b55ff90de9d4fb5d0309846

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC2913.tmp

Filesize
676B

MD5
bfbe12325f19d066815ee36ccfe92a25

SHA1
2a5255848986b2b76a63a4672939b9dd30d4740c

SHA256
14dacd205db658ebce35274447c77c6351eb7118fb5c839e73cff0a95b824567

SHA512
847137ef22a34b5e9bc5a3ad61339edf2e62b42f2659fa0d3a0b670836793c67d58074f4a458af94b96941f69a535e860e46c4e8695cfdbb6188d24dae3b712b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yzbmtps0.0.cs

Filesize
208KB

MD5
130d1f6f426a725fb34ffec1cfead6e5

SHA1
dc93c5d6cf58bfc1749489b7e4886b24f7d1469a

SHA256
239f182057bc8764379b0a50b00f3294c564c231080f2003b736258277a31072

SHA512
6e9f7f2dac720cabeb7fa63aa0a29b9e8822b41f35a086e46984d753afc2ff2599a0be9d64bc35b74a92dcab61cdc7f4c766cd5615f259a49f6a71b2a540a018

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yzbmtps0.cmdline

Filesize
349B

MD5
8db572164ac184a22cc2bdae653e82d8

SHA1
cc44d61ad53e446e640a2a2bdf7977abe89fb28c

SHA256
094e05ae98850622fd834596036c5fd23400b4442a9c63cba3242c2047fad8ce

SHA512
f807b428d8a458790e8f72da24325d835194842614f93623c9601989dbf84b61b5c9b1f9102d5dd27f51b7d6d09a247bbc3e97fb5757f2ace06bb1d0d1ef7e32

Download Submit
memory/1808-50-0x00007FFCC06D0000-0x00007FFCC1071000-memory.dmp

Filesize
9.6MB

Download
memory/1808-20-0x00007FFCC06D0000-0x00007FFCC1071000-memory.dmp

Filesize
9.6MB

Download
memory/2400-42-0x00007FFCBCEB3000-0x00007FFCBCEB5000-memory.dmp

Filesize
8KB

Download
memory/2400-43-0x00000000001F0000-0x00000000002DA000-memory.dmp

Filesize
936KB

Download
memory/2400-48-0x000000001B010000-0x000000001B020000-memory.dmp

Filesize
64KB

Download
memory/2400-47-0x000000001AFF0000-0x000000001B008000-memory.dmp

Filesize
96KB

Download
memory/2400-45-0x000000001AE80000-0x000000001AECE000-memory.dmp

Filesize
312KB

Download
memory/2400-44-0x00000000023F0000-0x0000000002402000-memory.dmp

Filesize
72KB

Download
memory/4540-24-0x0000000001A10000-0x0000000001A22000-memory.dmp

Filesize
72KB

Download
memory/4540-6-0x00007FFCC06D0000-0x00007FFCC1071000-memory.dmp

Filesize
9.6MB

Download
memory/4540-2-0x000000001BFF0000-0x000000001C04C000-memory.dmp

Filesize
368KB

Download
memory/4540-0-0x00007FFCC0985000-0x00007FFCC0986000-memory.dmp

Filesize
4KB

Download
memory/4540-41-0x00007FFCC06D0000-0x00007FFCC1071000-memory.dmp

Filesize
9.6MB

Download
memory/4540-25-0x00000000019F0000-0x00000000019F8000-memory.dmp

Filesize
32KB

Download
memory/4540-8-0x000000001CC30000-0x000000001CCCC000-memory.dmp

Filesize
624KB

Download
memory/4540-22-0x000000001D2F0000-0x000000001D306000-memory.dmp

Filesize
88KB

Download
memory/4540-5-0x000000001C1E0000-0x000000001C1EE000-memory.dmp

Filesize
56KB

Download
memory/4540-7-0x000000001C6C0000-0x000000001CB8E000-memory.dmp

Filesize
4.8MB

Download
memory/4540-1-0x00007FFCC06D0000-0x00007FFCC1071000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing