General
- Target: 67966a3b68b25438e90cd3d109dd5831_JaffaCakes118
- Size: 1.5MB
- Sample: 240522-rwmk6sed97
- MD5: 67966a3b68b25438e90cd3d109dd5831
- SHA1: e721a74be529652701fe07ced4962f225f055366
- SHA256: 28fea3814d7605da249dca493eb491e1261e0a3a87ab2790328ed9b76bb6fe8a
- SHA512: 22df6e3862e27bae6eab8e109953b4a2214ce729dd1c9c7d3986a16eb3acc06940eece3efed076556eaf00f71a9541c33d2495c6ed397a65efada8c7d47070a6
- SSDEEP: 24576:wxrDzROqOMsaEB7aSsv5QJiGFdEkk+SRgTfcOwtTe5CgQ:wx/zROnoEVaSwpkTSRkUR64gQ
Static task
- static1
Behavioral task
- behavioral1
- Sample: 67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe
- Resource: win7-20240508-en
Malware Config
Extracted: orcus (Orcus RAT)
- C2: linkadrum.nl:3444
- 6c659710defd46d394487b3c49fa651e (32-character hex value; shown without a field name in the extracted config)
- autostart_method: TaskScheduler
- enable_keylogger: true
- install_path: %programdata%\IIS\web.deployment.exe
- reconnect_delay: 10000 (unit not stated in the report; Orcus expresses this in milliseconds, so roughly 10 s between reconnect attempts)
- registry_keyname: web.deployment
- taskscheduler_taskname: web.deployment
- watchdog_path: AppData\OrcusWatchdog.exe
The same name, web.deployment, is reused for the dropped executable, the scheduled task and the registry value, so a single string match covers all three persistence artifacts; the watchdog path is relative, and the config does not say which AppData directory it is placed under.
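One way to turn the extracted config into hunt logic, as an added example that is not part of the sandbox report or of the Orcus code: the script below expands the config fields into normalised indicators (C2 host and port, installed executable path, watchdog filename, scheduled task name, Run-key value name) and runs them over a handful of constructed Sysmon (event IDs 1, 3, 11, 13) and Windows Security (4698) events. Assumptions: %programdata% expands to C:\ProgramData, the watchdog is matched as a path suffix because its parent directory is not in the config, the task is matched on its leaf name, and all event records are constructed for this example.

```python
"""Hunt logic derived from the Orcus config extracted on this page.

Added example (not part of the sandbox report): expands the config into
indicators and runs them over constructed Sysmon/Security events.
"""
import re

# Values copied from the extracted Orcus config above.
ORCUS_CONFIG = {
    "c2": "linkadrum.nl:3444",
    "autostart_method": "TaskScheduler",
    "install_path": r"%programdata%\IIS\web.deployment.exe",
    "registry_keyname": "web.deployment",
    "taskscheduler_taskname": "web.deployment",
    "watchdog_path": r"AppData\OrcusWatchdog.exe",
}


def _norm(path):
    """Case-fold and unify separators so Windows paths compare reliably."""
    return path.replace("/", "\\").lower()


def expand_install_path(path, programdata=r"C:\ProgramData"):
    """Expand the %programdata% placeholder (assumed C:\\ProgramData here;
    on a live host use os.environ['ProgramData'])."""
    return re.compile("%programdata%", re.I).sub(lambda m: programdata, path)


def build_indicators(cfg):
    """Turn config fields into normalised indicators. The watchdog path is
    relative and its parent directory is unknown, so it is matched as a
    path suffix (assumption)."""
    host, port = cfg["c2"].rsplit(":", 1)
    return {
        "c2_host": host.lower(),
        "c2_port": int(port),
        "install_path": _norm(expand_install_path(cfg["install_path"])),
        "watchdog_suffix": _norm(cfg["watchdog_path"]),
        "task_name": cfg["taskscheduler_taskname"].lower(),
        "run_value": cfg["registry_keyname"].lower(),
    }


# Constructed events using Sysmon (3/11/13) and Security (4698) field names.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Users\bob\Downloads\invoice.exe",
     "TargetFilename": r"C:\ProgramData\IIS\web.deployment.exe"},
    {"EventID": 4698, "SubjectUserName": "bob", "TaskName": r"\web.deployment"},
    {"EventID": 13, "Image": r"C:\ProgramData\IIS\web.deployment.exe",
     "TargetObject": r"HKU\S-1-5-21-1111\Software\Microsoft\Windows\CurrentVersion\Run\web.deployment"},
    {"EventID": 11, "Image": r"C:\ProgramData\IIS\web.deployment.exe",
     "TargetFilename": r"C:\Users\bob\AppData\OrcusWatchdog.exe"},
    {"EventID": 3, "Image": r"C:\ProgramData\IIS\web.deployment.exe",
     "DestinationHostname": "linkadrum.nl", "DestinationPort": 3444},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "www.example.com", "DestinationPort": 443},
    {"EventID": 4698, "SubjectUserName": "SYSTEM",
     "TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"},
]


def match_event(ev, ioc):
    """Return the indicator names an event matches (empty list if none)."""
    hits = []
    eid = ev.get("EventID")
    image = _norm(ev.get("Image", ""))
    # Any event whose acting process is the implant or its watchdog.
    if image == ioc["install_path"] or image.endswith(ioc["watchdog_suffix"]):
        hits.append("orcus_image_executing")
    if eid == 11:  # Sysmon FileCreate
        target = _norm(ev.get("TargetFilename", ""))
        if target == ioc["install_path"]:
            hits.append("install_path_dropped")
        elif target.endswith(ioc["watchdog_suffix"]):
            hits.append("watchdog_dropped")
    elif eid == 13:  # Sysmon RegistryEvent (value set)
        key = _norm(ev.get("TargetObject", ""))
        if "\\currentversion\\run\\" in key and key.rsplit("\\", 1)[-1] == ioc["run_value"]:
            hits.append("run_key_set")
    elif eid == 3:  # Sysmon NetworkConnect
        if (ev.get("DestinationHostname", "").lower() == ioc["c2_host"]
                and ev.get("DestinationPort") == ioc["c2_port"]):
            hits.append("c2_connection")
    elif eid == 4698:  # Security: a scheduled task was created
        name = ev.get("TaskName", "").rsplit("\\", 1)[-1].lower()
        if name == ioc["task_name"]:
            hits.append("scheduled_task_created")
    return hits


def scan(events, cfg=ORCUS_CONFIG):
    """Return [(event_index, [hit, ...]), ...] for events that match."""
    ioc = build_indicators(cfg)
    results = []
    for i, ev in enumerate(events):
        hits = match_event(ev, ioc)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx} (ID {SAMPLE_EVENTS[idx]['EventID']}): {', '.join(hits)}")
```

Matching the C2 on hostname alone is deliberate: the report gives no IP, and a RAT that reconnects every 10 s will resolve the name again, so DNS logs (Sysmon event 22) for linkadrum.nl are another place to apply the same indicator.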
Targets
- Target: 67966a3b68b25438e90cd3d109dd5831_JaffaCakes118 (1.5MB; MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the values listed under General)
Signatures
- Orcus RAT executable (the report's signature name reads "Orcurs Rat Executable")
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence so the sample can avoid running in certain regions.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext: rewriting another thread's context is the usual final step of process hollowing or similar injection; the report does not name the target process.