General
Target: 4d72427546c5c7cd35e256401e80a030_JaffaCakes118
Size: 921KB
Sample: 240516-2z6hkadb48
MD5: 4d72427546c5c7cd35e256401e80a030
SHA1: d71c9ef0a220b89d1724584054ba0ed303b149a3
SHA256: c91a6632c59372e0af003bd914f91ca513a20861ac18a4a58e719e8307846935
SHA512: 61f3d0f4772d20685dc41ab809c2f8f84fec4a0e64dbb0589a3663495472045841f99005d863b90622c92352225d6ecd98a055594404979b87a8cdad19af3c78
SSDEEP: 24576:wRo4MROxnFl64vrZlI0AilFEvxHiAHGWM:wRLMiDrZlI0AilFEvxHi

Behavioral task: behavioral1
Sample: 4d72427546c5c7cd35e256401e80a030_JaffaCakes118.exe
Resource: win7-20231129-en

Malware Config
Extracted: orcus
bambuvn.webhop.info:1352
ae9225f4fc36499e85213e441bb22bf6
autostart_method: TaskScheduler
enable_keylogger: true
install_path: %programfiles%\Internet Explorer\svchost.exe
reconnect_delay: 10000
registry_keyname: Updater Chrome
taskscheduler_taskname: Updater Chrome
watchdog_path: AppData\Taskmanagers.exe
Targets
Target: 4d72427546c5c7cd35e256401e80a030_JaffaCakes118
Signatures:
- Orcus main payload
- Orcurs Rat Executable
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory