orcus | c91a6632c59372e0af003bd914f91ca513a20861ac18a4a58e719e8307846935

General

Target

4d72427546c5c7cd35e256401e80a030_JaffaCakes118.exe
Size

921KB
MD5

4d72427546c5c7cd35e256401e80a030
SHA1

d71c9ef0a220b89d1724584054ba0ed303b149a3
SHA256

c91a6632c59372e0af003bd914f91ca513a20861ac18a4a58e719e8307846935
SHA512

61f3d0f4772d20685dc41ab809c2f8f84fec4a0e64dbb0589a3663495472045841f99005d863b90622c92352225d6ecd98a055594404979b87a8cdad19af3c78
SSDEEP

24576:wRo4MROxnFl64vrZlI0AilFEvxHiAHGWM:wRLMiDrZlI0AilFEvxHi

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

bambuvn.webhop.info:1352

Mutex

ae9225f4fc36499e85213e441bb22bf6

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Internet Explorer\svchost.exe
reconnect_delay
10000
registry_keyname
Updater Chrome
taskscheduler_taskname
Updater Chrome
watchdog_path
AppData\Taskmanagers.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000c0000000006c5-55.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x000c0000000006c5-55.dat	orcus
behavioral2/memory/5092-66-0x0000000000BD0000-0x0000000000CBC000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	4d72427546c5c7cd35e256401e80a030_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

pid	Process
988	WindowsInput.exe
5060	WindowsInput.exe
5092	svchost.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	4d72427546c5c7cd35e256401e80a030_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	4d72427546c5c7cd35e256401e80a030_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	4d72427546c5c7cd35e256401e80a030_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	4d72427546c5c7cd35e256401e80a030_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\svchost.exe	4d72427546c5c7cd35e256401e80a030_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\svchost.exe	4d72427546c5c7cd35e256401e80a030_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\svchost.exe.config	4d72427546c5c7cd35e256401e80a030_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	4d72427546c5c7cd35e256401e80a030_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	4d72427546c5c7cd35e256401e80a030_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	4d72427546c5c7cd35e256401e80a030_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5092	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5092	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 5020	2080	4d72427546c5c7cd35e256401e80a030_JaffaCakes118.exe	86
PID 2080 wrote to memory of 5020	2080	4d72427546c5c7cd35e256401e80a030_JaffaCakes118.exe	86
PID 5020 wrote to memory of 5404	5020	csc.exe	88
PID 5020 wrote to memory of 5404	5020	csc.exe	88
PID 2080 wrote to memory of 988	2080	4d72427546c5c7cd35e256401e80a030_JaffaCakes118.exe	89
PID 2080 wrote to memory of 988	2080	4d72427546c5c7cd35e256401e80a030_JaffaCakes118.exe	89
PID 2080 wrote to memory of 5092	2080	4d72427546c5c7cd35e256401e80a030_JaffaCakes118.exe	91
PID 2080 wrote to memory of 5092	2080	4d72427546c5c7cd35e256401e80a030_JaffaCakes118.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4d72427546c5c7cd35e256401e80a030_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4d72427546c5c7cd35e256401e80a030_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\znrjhain.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5020
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CFA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3CF9.tmp"
    3⤵
    PID:5404
- C:\Windows\SysWOW64\WindowsInput.exe
  "C:\Windows\SysWOW64\WindowsInput.exe" --install
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:988
- C:\Program Files\Internet Explorer\svchost.exe
  "C:\Program Files\Internet Explorer\svchost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5092

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:5060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Internet Explorer\svchost.exe

Filesize
921KB

MD5
4d72427546c5c7cd35e256401e80a030

SHA1
d71c9ef0a220b89d1724584054ba0ed303b149a3

SHA256
c91a6632c59372e0af003bd914f91ca513a20861ac18a4a58e719e8307846935

SHA512
61f3d0f4772d20685dc41ab809c2f8f84fec4a0e64dbb0589a3663495472045841f99005d863b90622c92352225d6ecd98a055594404979b87a8cdad19af3c78

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES3CFA.tmp

Filesize
1KB

MD5
a4af9855cbb95b342fcb80d39a009d40

SHA1
68ebcb2cd5ab9ef361ef7ac111a1c7d96cdef71c

SHA256
f322bae00cfeac13bc59cfff5e08d3dfbd1fa137b6da2f2201b234c5568abcf3

SHA512
3fc73f46cb7791a96552e2503d4e8b02d5b5138989d5f1e4ec4f639ef6764bfffec7f39e39c29e7e322f14e025dddda85d33862aa5210d8acf5e768c15a4ef30

Download Submit
C:\Users\Admin\AppData\Local\Temp\znrjhain.dll

Filesize
76KB

MD5
69751d92c900f476ab8adc65c701d89d

SHA1
65c238232a0ae13d387edd30eaad1a50bd7fa7b5

SHA256
01f072bb0e3ad64f1ebac9dd6df2eef4b7a0b93b6dfc704a9734187f4229ebdb

SHA512
b4d236145d108c9deb929944e7fe53444daf281640cb651149d41c654faac72479fb8dbd58f55528ef54051c8dff4ec9fb954581ff8edb7f9ec64fc17d7371ff

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC3CF9.tmp

Filesize
676B

MD5
3b8426612f45ec0f01974934bcb92055

SHA1
015636ab1f9f002d7d9719d435485e092fa84988

SHA256
fb5ae34f2a408cf5f6ca9edba61ca86d69a75b90fbb81cada635f6faabbc115e

SHA512
55da0424b6a54edcc19693e95010aa5fe0240fb51d7a3795c87894060694cd22b70ce8d932bb56914e1a7cdc7cb71b79fb341805bca2ae94918c7f8fd55429b2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\znrjhain.0.cs

Filesize
208KB

MD5
0196c9383f575c5f31b3c7b5e9d54a06

SHA1
29741a542408d67da8795001eae2b149d29383ca

SHA256
a30373a70435240006b6ec070838048a2cee474c009a6cd08e5be0b8f1a663a0

SHA512
781bf65e91bb6f09709f1c07b9cadc3ac0a7c52a3b86511794c2f4fb45afbd958c71917943e757d38b1350fd54893b377f404062dcc91ebe11f00a6ebbfeafe7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\znrjhain.cmdline

Filesize
349B

MD5
9c637ed22446349eb5b9ea5ca6d84813

SHA1
47b80e924aec9054203dd4859a9352e66d7c30b8

SHA256
492d89b9db07c299029411fa731d0e42114fcce03648791df0164a74e39e6a56

SHA512
e756b7c73b92d8ff306930eef54ced6002e698dec9131175b18e95ebe91d440b88d24bc24a88cabb4beba7b05b82a7cbc0d8d9f245aa93fb808a6135a511749b

Download Submit
memory/988-44-0x0000000002F30000-0x0000000002F6C000-memory.dmp

Filesize
240KB

Download
memory/988-43-0x0000000001720000-0x0000000001732000-memory.dmp

Filesize
72KB

Download
memory/988-42-0x0000000000E40000-0x0000000000E4C000-memory.dmp

Filesize
48KB

Download
memory/988-41-0x00007FFAA2F63000-0x00007FFAA2F65000-memory.dmp

Filesize
8KB

Download
memory/2080-26-0x000000001B240000-0x000000001B248000-memory.dmp

Filesize
32KB

Download
memory/2080-1-0x00007FFAA5B00000-0x00007FFAA64A1000-memory.dmp

Filesize
9.6MB

Download
memory/2080-23-0x000000001C670000-0x000000001C686000-memory.dmp

Filesize
88KB

Download
memory/2080-25-0x000000001B2D0000-0x000000001B2E2000-memory.dmp

Filesize
72KB

Download
memory/2080-0-0x00007FFAA5DB5000-0x00007FFAA5DB6000-memory.dmp

Filesize
4KB

Download
memory/2080-27-0x000000001C6B0000-0x000000001C6D0000-memory.dmp

Filesize
128KB

Download
memory/2080-67-0x00007FFAA5B00000-0x00007FFAA64A1000-memory.dmp

Filesize
9.6MB

Download
memory/2080-8-0x000000001BFB0000-0x000000001C04C000-memory.dmp

Filesize
624KB

Download
memory/2080-7-0x000000001BA40000-0x000000001BF0E000-memory.dmp

Filesize
4.8MB

Download
memory/2080-6-0x000000001B560000-0x000000001B56E000-memory.dmp

Filesize
56KB

Download
memory/2080-3-0x00007FFAA5B00000-0x00007FFAA64A1000-memory.dmp

Filesize
9.6MB

Download
memory/2080-2-0x000000001B370000-0x000000001B3CC000-memory.dmp

Filesize
368KB

Download
memory/5020-16-0x00007FFAA5B00000-0x00007FFAA64A1000-memory.dmp

Filesize
9.6MB

Download
memory/5020-21-0x00007FFAA5B00000-0x00007FFAA64A1000-memory.dmp

Filesize
9.6MB

Download
memory/5060-49-0x0000000019F40000-0x000000001A04A000-memory.dmp

Filesize
1.0MB

Download
memory/5092-66-0x0000000000BD0000-0x0000000000CBC000-memory.dmp

Filesize
944KB

Download
memory/5092-68-0x000000001B9E0000-0x000000001B9F2000-memory.dmp

Filesize
72KB

Download
memory/5092-69-0x000000001DB80000-0x000000001DBCE000-memory.dmp

Filesize
312KB

Download
memory/5092-70-0x000000001DD50000-0x000000001DD68000-memory.dmp

Filesize
96KB

Download
memory/5092-72-0x000000001DE70000-0x000000001DE80000-memory.dmp

Filesize
64KB

Download
memory/5092-71-0x000000001E060000-0x000000001E222000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing