orcus | 47dc5ab7882d6560174747144f9ef09c0b66c2a2e94d56337a0a30acbee34118

General

Target

467128cff34d0311c71360b284cf0486_JaffaCakes118.exe
Size

906KB
MD5

467128cff34d0311c71360b284cf0486
SHA1

50b04b134ddcc8303b12f7b419e663c33c5db7d2
SHA256

47dc5ab7882d6560174747144f9ef09c0b66c2a2e94d56337a0a30acbee34118
SHA512

28c69f129a0aed63f24beeec216828ba0d2c13939d25d52d605ffae9ec427bb39a765bc4bf2ed8fa15535ad9d730cd9ea6e53e0a28b90eb62991fbb3930235d3
SSDEEP

12288:3y50ed4UM7571j87dG1lFlWcYT70pxnnaaoawljKgRRAGrZNrI0AilFEvxHvBMPa:rp44MROxnFhgH5rZlI0AilFEvxHiPzO

Score

10^/10

orcus group a persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

Group A

C2

kisliycorporait.hopto.org:10134

Mutex

31e1a251228e41c2a660a8dae6e53a62

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\Local\windll.exe
reconnect_delay
10000
registry_keyname
Windows Securty Advice
taskscheduler_taskname
Deintrep
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000133b9-27.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x000c0000000133b9-27.dat	orcus
behavioral1/memory/2692-31-0x0000000000D00000-0x0000000000DE8000-memory.dmp	orcus

Executes dropped EXE 2 IoCs

pid	Process
2692	windll.exe
2732	windll.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Securty Advice = "\"C:\\Program Files\\Local\\windll.exe\""	windll.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Local\windll.exe	467128cff34d0311c71360b284cf0486_JaffaCakes118.exe
File opened for modification	C:\Program Files\Local\windll.exe	467128cff34d0311c71360b284cf0486_JaffaCakes118.exe
File created	C:\Program Files\Local\windll.exe.config	467128cff34d0311c71360b284cf0486_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	windll.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 3056	2028	467128cff34d0311c71360b284cf0486_JaffaCakes118.exe	28
PID 2028 wrote to memory of 3056	2028	467128cff34d0311c71360b284cf0486_JaffaCakes118.exe	28
PID 2028 wrote to memory of 3056	2028	467128cff34d0311c71360b284cf0486_JaffaCakes118.exe	28
PID 3056 wrote to memory of 2292	3056	csc.exe	30
PID 3056 wrote to memory of 2292	3056	csc.exe	30
PID 3056 wrote to memory of 2292	3056	csc.exe	30
PID 2028 wrote to memory of 2692	2028	467128cff34d0311c71360b284cf0486_JaffaCakes118.exe	31
PID 2028 wrote to memory of 2692	2028	467128cff34d0311c71360b284cf0486_JaffaCakes118.exe	31
PID 2028 wrote to memory of 2692	2028	467128cff34d0311c71360b284cf0486_JaffaCakes118.exe	31
PID 2348 wrote to memory of 2732	2348	taskeng.exe	33
PID 2348 wrote to memory of 2732	2348	taskeng.exe	33
PID 2348 wrote to memory of 2732	2348	taskeng.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\467128cff34d0311c71360b284cf0486_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\467128cff34d0311c71360b284cf0486_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lnnn2lon.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7FC.tmp"
    3⤵
    PID:2292
- C:\Program Files\Local\windll.exe
  "C:\Program Files\Local\windll.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2692

C:\Windows\system32\taskeng.exe
taskeng.exe {65229A2C-55FB-440E-B450-85D93D774986} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Program Files\Local\windll.exe
  "C:\Program Files\Local\windll.exe"
  2⤵
  - Executes dropped EXE
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Local\windll.exe

Filesize
906KB

MD5
467128cff34d0311c71360b284cf0486

SHA1
50b04b134ddcc8303b12f7b419e663c33c5db7d2

SHA256
47dc5ab7882d6560174747144f9ef09c0b66c2a2e94d56337a0a30acbee34118

SHA512
28c69f129a0aed63f24beeec216828ba0d2c13939d25d52d605ffae9ec427bb39a765bc4bf2ed8fa15535ad9d730cd9ea6e53e0a28b90eb62991fbb3930235d3

Download Submit
C:\Program Files\Local\windll.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES80D.tmp

Filesize
1KB

MD5
5520099a4041be1681944a24f2cab3b2

SHA1
5fed66674206d8b406157ae30998a5837031b78a

SHA256
44548eb7e6887639bebfe1552f6d4fd122243309e488ee579984748099e1248e

SHA512
edb1b0c6176b34dcf7c0eab7fa058d8335850d61c463efa818046a392ab20786b7550c9b78c6aa5be743bd1fa01553d2d7614077b2354b2b76330956582fef79

Download Submit
C:\Users\Admin\AppData\Local\Temp\lnnn2lon.dll

Filesize
76KB

MD5
341396159136f37335114e890bfe7ad9

SHA1
7161b22b469be4b369c5f2de375dbb70e98fcbde

SHA256
173f61ff2158d0908cae4cd99ae03e535556fb314862ceb8f5abc72cd888f72a

SHA512
a08e5855f375c63f0abe707e8b7862d9841e289a2c5111c52b12a54cc95f3ed774dfe8ff9099ddcf76bc189464d3bc00cf330698e5522ea8a13d685892bd80fe

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC7FC.tmp

Filesize
676B

MD5
1e2aaa5c44abf41289706cb88792f9d1

SHA1
dc75506e0a32610b6f7b29c0ec16342f204f5f7d

SHA256
21817a5bd7ac57d3477e6a025b6ecc6e9dad81f8e5a0c0a21896f6af969cfbba

SHA512
29857e4bb0c5e3a987ed0ae101f79550bec45f610c98200d766f34f042bb467de4c14e783d9f41f08ec195d574484ea036eff9637be05bbf0fdab36f6c038251

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lnnn2lon.0.cs

Filesize
208KB

MD5
2b14ae8b54d216abf4d228493ceca44a

SHA1
d134351498e4273e9d6391153e35416bc743adef

SHA256
4e1cc3da1f7bf92773aae6cffa6d61bfc3e25aead3ad947f6215f93a053f346c

SHA512
5761b605add10ae3ef80f3b8706c8241b4e8abe4ac3ce36b7be8a97d08b08da5a72fedd5e976b3c9e1c463613a943ebb5d323e6a075ef6c7c3b1abdc0d53ac05

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lnnn2lon.cmdline

Filesize
349B

MD5
11ae2ef136eb395f1d0c26c7feb2bbcf

SHA1
c86179cd1a9893a7f3ae6b60f231d0e627923405

SHA256
779ff6cd55e93d8cc26524b927e67dda7ffb36cf39b8bd45a99a48169cfd79e8

SHA512
c9be37611a71e7b27809c8f7f65bad4fa4413372410ea47e712430aefbf08653373ab6a744eaafe998ca9fbfb25bea9d6a1217894f90606b0c2d12b73946e4b9

Download Submit
memory/2028-29-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2028-17-0x0000000000BD0000-0x0000000000BE6000-memory.dmp

Filesize
88KB

Download
memory/2028-3-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2028-0-0x000007FEF5A8E000-0x000007FEF5A8F000-memory.dmp

Filesize
4KB

Download
memory/2028-4-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/2028-21-0x0000000000740000-0x0000000000748000-memory.dmp

Filesize
32KB

Download
memory/2028-20-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/2028-1-0x0000000000E80000-0x0000000000EDC000-memory.dmp

Filesize
368KB

Download
memory/2028-2-0x0000000000500000-0x000000000050E000-memory.dmp

Filesize
56KB

Download
memory/2692-32-0x0000000000480000-0x0000000000492000-memory.dmp

Filesize
72KB

Download
memory/2692-31-0x0000000000D00000-0x0000000000DE8000-memory.dmp

Filesize
928KB

Download
memory/2692-33-0x00000000006C0000-0x000000000070E000-memory.dmp

Filesize
312KB

Download
memory/2692-34-0x00000000021F0000-0x0000000002208000-memory.dmp

Filesize
96KB

Download
memory/2692-35-0x0000000000CF0000-0x0000000000D00000-memory.dmp

Filesize
64KB

Download
memory/3056-19-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download
memory/3056-37-0x000007FEF57D0000-0x000007FEF616D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads