General
-
Target
610861ea9ba46365a1cfeba30c884278_JaffaCakes118
-
Size
1.3MB
-
Sample
240520-y8b4jagd8w
-
MD5
610861ea9ba46365a1cfeba30c884278
-
SHA1
9d99019a14b462e2cd7068c82427cbfe53ce236d
-
SHA256
64d9e378bcdd817ccf7f919e619643f204fd7e2dffa493b87f0590ff50d25319
-
SHA512
c99d757f08b86127d74d96ae5e12d2f5ae4adfa8919f54c4d6423b5a2bffac71e6ff49d4ed7c762d28cf40df881d429114a3461d210f31151db5fa1a0860c89a
-
SSDEEP
24576:YBfJXAWDccWs2RezbBfYEON7LaGpNCedxInXWlU7Ra9e5RjEbT7uLu:YBfJXAiKRezgfaGvRRU9bEbl
Static task
static1
Behavioral task
behavioral1
Sample
610861ea9ba46365a1cfeba30c884278_JaffaCakes118.exe
Resource
win7-20240221-en
Malware Config
Extracted
orcus
myvpsvps.ddns.net:6969
2369ec43217c46488c3929ad398f76b6
-
autostart_method
TaskScheduler
-
enable_keylogger
true
-
install_path
%programfiles%\Windows\DNS.exe
-
reconnect_delay
10000
-
registry_keyname
DNSPacker
-
taskscheduler_taskname
DNSPacker
-
watchdog_path
AppData\DNS.exe
Targets
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-