orcus | 47dc5ab7882d6560174747144f9ef09c0b66c2a2e94d56337a0a30acbee34118

General

Target

467128cff34d0311c71360b284cf0486_JaffaCakes118.exe
Size

906KB
MD5

467128cff34d0311c71360b284cf0486
SHA1

50b04b134ddcc8303b12f7b419e663c33c5db7d2
SHA256

47dc5ab7882d6560174747144f9ef09c0b66c2a2e94d56337a0a30acbee34118
SHA512

28c69f129a0aed63f24beeec216828ba0d2c13939d25d52d605ffae9ec427bb39a765bc4bf2ed8fa15535ad9d730cd9ea6e53e0a28b90eb62991fbb3930235d3
SSDEEP

12288:3y50ed4UM7571j87dG1lFlWcYT70pxnnaaoawljKgRRAGrZNrI0AilFEvxHvBMPa:rp44MROxnFhgH5rZlI0AilFEvxHiPzO

Score

10^/10

orcus group a persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

Group A

C2

kisliycorporait.hopto.org:10134

Mutex

31e1a251228e41c2a660a8dae6e53a62

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\Local\windll.exe
reconnect_delay
10000
registry_keyname
Windows Securty Advice
taskscheduler_taskname
Deintrep
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000900000002342e-32.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000900000002342e-32.dat	orcus
behavioral2/memory/2472-44-0x0000000000050000-0x0000000000138000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	467128cff34d0311c71360b284cf0486_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2472	windll.exe
3824	windll.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Securty Advice = "\"C:\\Program Files\\Local\\windll.exe\""	windll.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	467128cff34d0311c71360b284cf0486_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	467128cff34d0311c71360b284cf0486_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Local\windll.exe.config	467128cff34d0311c71360b284cf0486_JaffaCakes118.exe
File created	C:\Program Files\Local\windll.exe	467128cff34d0311c71360b284cf0486_JaffaCakes118.exe
File opened for modification	C:\Program Files\Local\windll.exe	467128cff34d0311c71360b284cf0486_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	467128cff34d0311c71360b284cf0486_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	467128cff34d0311c71360b284cf0486_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	467128cff34d0311c71360b284cf0486_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2472	windll.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3648 wrote to memory of 3340	3648	467128cff34d0311c71360b284cf0486_JaffaCakes118.exe	84
PID 3648 wrote to memory of 3340	3648	467128cff34d0311c71360b284cf0486_JaffaCakes118.exe	84
PID 3340 wrote to memory of 2484	3340	csc.exe	86
PID 3340 wrote to memory of 2484	3340	csc.exe	86
PID 3648 wrote to memory of 2472	3648	467128cff34d0311c71360b284cf0486_JaffaCakes118.exe	87
PID 3648 wrote to memory of 2472	3648	467128cff34d0311c71360b284cf0486_JaffaCakes118.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\467128cff34d0311c71360b284cf0486_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\467128cff34d0311c71360b284cf0486_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3648
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8a1eh-6c.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6969.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6968.tmp"
    3⤵
    PID:2484
- C:\Program Files\Local\windll.exe
  "C:\Program Files\Local\windll.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  PID:2472

C:\Program Files\Local\windll.exe
"C:\Program Files\Local\windll.exe"
1⤵
- Executes dropped EXE
PID:3824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Local\windll.exe

Filesize
906KB

MD5
467128cff34d0311c71360b284cf0486

SHA1
50b04b134ddcc8303b12f7b419e663c33c5db7d2

SHA256
47dc5ab7882d6560174747144f9ef09c0b66c2a2e94d56337a0a30acbee34118

SHA512
28c69f129a0aed63f24beeec216828ba0d2c13939d25d52d605ffae9ec427bb39a765bc4bf2ed8fa15535ad9d730cd9ea6e53e0a28b90eb62991fbb3930235d3

Download Submit
C:\Program Files\Local\windll.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\8a1eh-6c.dll

Filesize
76KB

MD5
4dc5c2c08bc189586bfa8e1271a4227e

SHA1
86f4e6034afdcd949e34fffdf6ec5e2c600a4013

SHA256
6cfef21122cd455dc3c0785e1f1f6250526c7ee499f07ce6da32dc3afc548cbd

SHA512
a9aa62d8676b72e4410269dc663c1d1a11c16ff0170c826a8fa1531bf4d30995cabf46f32175f506f9c82f202b40cf4f1fa0017baa68e3722e28ff0414300320

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6969.tmp

Filesize
1KB

MD5
a4302ca8bf7dfc62bbeac7a8cf49881c

SHA1
d696119d4cf1afafeb7245a962c95e4945fe6028

SHA256
5a49c124f674f9a60ebd26cc45d113bcf1fcf83e50cb2897e8ac316a68dd74e3

SHA512
05a8e082f2ea4b7356aec275bdbf1695269d609d486956eb7c4bbde30f4885276b48da07c3c35db353b7c6a8432c3f876f0d0bf7d07d989f6f7817f191ea9718

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8a1eh-6c.0.cs

Filesize
208KB

MD5
5b5856c118a69547f65f8da332ace264

SHA1
0ac349d500dbed4a68577c55952382c4f6dfa214

SHA256
ff58560b49ba5ca13a96cae312d4a46b60dc41835950e33a60c5a679f5945e2a

SHA512
6603bf6723c59e8ac314fff8c5f1bd75158c89ce30a120ddbdc4654e85f63430915f44ba7fa0abdf1a23dd39546a4cd391dd44959397a28aaf3a206f130805a7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8a1eh-6c.cmdline

Filesize
349B

MD5
e1b8b4b1a176742e41b4a1fceb498930

SHA1
e50e481adf707f3d7abd2c1a9a88b2566408c38c

SHA256
2a56e5ed7cb996ceaabfab33e3525434774ff02234af8575fd6cef02152f2224

SHA512
8faeed4693f04c008f4087c94fbbc484c3f018e8d79cd932ecd531ff8fd9a1c9ac1ced8f822c4426bb9edd6170e299a6fd0bf98a8db8bd4c5fe3b3399b66fde1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6968.tmp

Filesize
676B

MD5
2db9b569ea8622fe59bf0f38abbcef56

SHA1
316463a476483d8f71661024bb1aa28b467000f4

SHA256
4a5723bbc0331ad96be07c381c33840cbf2ea0ed299fc616ee5a76714f659865

SHA512
5fa3cb289f985d5909877fdc12aee52d383f5547b9d448731a8494777ebcd3a1c925bc5dceb774ef57308e0188c4e39950eb1ae9f22c039565c5d9052217d4c9

Download Submit
memory/2472-46-0x000000001C1B0000-0x000000001C1FE000-memory.dmp

Filesize
312KB

Download
memory/2472-42-0x00007FFB137A3000-0x00007FFB137A5000-memory.dmp

Filesize
8KB

Download
memory/2472-44-0x0000000000050000-0x0000000000138000-memory.dmp

Filesize
928KB

Download
memory/2472-45-0x000000001ACA0000-0x000000001ACB2000-memory.dmp

Filesize
72KB

Download
memory/2472-48-0x000000001C350000-0x000000001C368000-memory.dmp

Filesize
96KB

Download
memory/2472-49-0x000000001C470000-0x000000001C480000-memory.dmp

Filesize
64KB

Download
memory/3340-21-0x00007FFB16220000-0x00007FFB16BC1000-memory.dmp

Filesize
9.6MB

Download
memory/3340-16-0x00007FFB16220000-0x00007FFB16BC1000-memory.dmp

Filesize
9.6MB

Download
memory/3648-23-0x000000001CA50000-0x000000001CA66000-memory.dmp

Filesize
88KB

Download
memory/3648-25-0x0000000001080000-0x0000000001092000-memory.dmp

Filesize
72KB

Download
memory/3648-26-0x0000000001060000-0x0000000001068000-memory.dmp

Filesize
32KB

Download
memory/3648-0-0x00007FFB164D5000-0x00007FFB164D6000-memory.dmp

Filesize
4KB

Download
memory/3648-8-0x000000001C390000-0x000000001C42C000-memory.dmp

Filesize
624KB

Download
memory/3648-43-0x00007FFB16220000-0x00007FFB16BC1000-memory.dmp

Filesize
9.6MB

Download
memory/3648-7-0x000000001BE20000-0x000000001C2EE000-memory.dmp

Filesize
4.8MB

Download
memory/3648-6-0x000000001B940000-0x000000001B94E000-memory.dmp

Filesize
56KB

Download
memory/3648-3-0x000000001B750000-0x000000001B7AC000-memory.dmp

Filesize
368KB

Download
memory/3648-2-0x00007FFB16220000-0x00007FFB16BC1000-memory.dmp

Filesize
9.6MB

Download
memory/3648-1-0x00007FFB16220000-0x00007FFB16BC1000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads