General
-
Target
6982a6a0f6630f4b31b7628a1536df70_JaffaCakes118
-
Size
1.2MB
-
Sample
240523-dd9q4abd2z
-
MD5
6982a6a0f6630f4b31b7628a1536df70
-
SHA1
a287fa0c3b2723ca9c1be48d8d84654e49992b70
-
SHA256
d90a3a1cb68bd1dd434e0a48d8e03bc3fc3d0a239339efde8ec2f7f7fa56c0a2
-
SHA512
1bcfd793e85e8d8e592890e6b4403be29e2ed0bfc6e19a132520e951020644953cecdd036a1cd824930e52c8c33c7891e855b839e4955006d43a6dd3546d3555
-
SSDEEP
24576:ukfVYrF1v6rWVHIIXII94ZvTrQg8jzVSSwjFTp0Twt24TyE:uryruOSkSSFTKKXyE
Malware Config
Extracted
orcus
188.227.85.44:6969
efff1791714c4747aed207dd6b736e25
-
autostart_method
TaskScheduler
-
enable_keylogger
false
-
install_path
%localappdata%\IsolatedStorage\covhh4rz.3f1\ry2mde3m.m5t\DNSServicePack.exe
-
reconnect_delay
10000
-
registry_keyname
DNSServicePack
-
taskscheduler_taskname
DNSServicePack
-
watchdog_path
AppData\DNSServicePacker.exe
Targets
-
-
Target
6982a6a0f6630f4b31b7628a1536df70_JaffaCakes118
-
Size
1.2MB
-
MD5
6982a6a0f6630f4b31b7628a1536df70
-
SHA1
a287fa0c3b2723ca9c1be48d8d84654e49992b70
-
SHA256
d90a3a1cb68bd1dd434e0a48d8e03bc3fc3d0a239339efde8ec2f7f7fa56c0a2
-
SHA512
1bcfd793e85e8d8e592890e6b4403be29e2ed0bfc6e19a132520e951020644953cecdd036a1cd824930e52c8c33c7891e855b839e4955006d43a6dd3546d3555
-
SSDEEP
24576:ukfVYrF1v6rWVHIIXII94ZvTrQg8jzVSSwjFTp0Twt24TyE:uryruOSkSSFTKKXyE
Score10/10-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-