orcus | 3fe007ad53213fb08ef69264b0a7cdb871eec48fc7b34de8934293bbb752aaa3

General

Target

838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
Size

1.5MB
MD5

838db8ab2f771d8012c8a0d9a0a87b10
SHA1

1c1fa9619a53a6931647ff0df64fe15d9902ba83
SHA256

3fe007ad53213fb08ef69264b0a7cdb871eec48fc7b34de8934293bbb752aaa3
SHA512

fb52f77b774e0ef4ccea2fe2440e10d2bce218c6df28154d601d8a44fab404b030124655d8b76218ccdf75f2564a0e7589f20c6274580f9b3b01dbb943162d0e
SSDEEP

24576:RoK5MMv0TUoJVRIfLNV8LAv5vkVQ0BL3vrlsW+/O9RIOkT:RoAMM6JVRMV1vhOrrln7g

Score

10^/10

orcus zgrat desk-100618 rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

DESK-100618

C2

poulty55.chickenkiller.com:9030

Mutex

a386a045d9c842428c74de4ed9645fe9

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10002
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Detect ZGRat V2 1 IoCs

resource	yara_rule
behavioral1/memory/2804-5-0x0000000004950000-0x0000000004994000-memory.dmp	family_zgrat_v2

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Orcurs Rat Executable 5 IoCs

resource	yara_rule
behavioral1/memory/528-15-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/528-19-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/528-21-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/528-17-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/528-14-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\469775e0-1bab-415a-a0b5-a668999f6467.url	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2804 set thread context of 528	2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	30

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
Token: SeDebugPrivilege	528	InstallUtil.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
528	InstallUtil.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 2804 wrote to memory of 528	2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	30
PID 2804 wrote to memory of 528	2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	30
PID 2804 wrote to memory of 528	2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	30
PID 2804 wrote to memory of 528	2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	30
PID 2804 wrote to memory of 528	2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	30
PID 2804 wrote to memory of 528	2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	30
PID 2804 wrote to memory of 528	2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	30
PID 2804 wrote to memory of 528	2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	30
PID 2804 wrote to memory of 528	2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	30
PID 2804 wrote to memory of 528	2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	30
PID 2804 wrote to memory of 528	2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	30
PID 2804 wrote to memory of 528	2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	30
PID 2804 wrote to memory of 528	2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	30
PID 2804 wrote to memory of 528	2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	30
PID 2804 wrote to memory of 528	2804	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	30
PID 528 wrote to memory of 1424	528	InstallUtil.exe	31
PID 528 wrote to memory of 1424	528	InstallUtil.exe	31
PID 528 wrote to memory of 1424	528	InstallUtil.exe	31
PID 528 wrote to memory of 1424	528	InstallUtil.exe	31
PID 1424 wrote to memory of 2144	1424	csc.exe	33
PID 1424 wrote to memory of 2144	1424	csc.exe	33
PID 1424 wrote to memory of 2144	1424	csc.exe	33
PID 1424 wrote to memory of 2144	1424	csc.exe	33

C:\Users\Admin\AppData\Local\Temp\838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_gjefa3f.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1424
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD20F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD20E.tmp"
      4⤵
      PID:2144

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESD20F.tmp

Filesize
1KB

MD5
cea765c505ec61fa52fe84c83a15ddde

SHA1
c074c5b40bdb32d18a9db31b1dd1440933860340

SHA256
87aa07d4ecf03581079c56b7c5e52b1695a0e1daf54dfc35d5776ffe6fa80b2a

SHA512
813957c23a3458d88a9cf67b54c99f846eb3d0414858ff645aaea05d36ea1cbf8a05ce978b0e77e84deb3a10c596c9c2ceb0d62f4d43fb7302fa2407ba3daaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_gjefa3f.dll

Filesize
76KB

MD5
0792133805552c69e5d30cecb1a6eaf2

SHA1
326a027c7c3f1476468a9b2a7d66bf516d3b4bec

SHA256
585820651f277c7f5bcd34a848b4ec65a8f4eeb06e42c7031867500272de114d

SHA512
cdda5172962fb2b70a2027c217ad1d0e8a09e40441bcd409594a03ac092a44df09208148f8c38c2223bee20d07ed94e254f9005138033a1ee597ed529325421d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD20E.tmp

Filesize
676B

MD5
3fb01ca2c53ac08012668fa0657e44a8

SHA1
cf094f405dc1a02ffcf9919e3eba340ab27dc969

SHA256
3b1fb7f649ea2d37da0bece4473b95530b4253359bd7cecfa7a00d94febb7c75

SHA512
3c6afcccb53eb4a25facd6c387a4d0df6a39f8d363598fa9cc9b594a59fdb9690bf30d6c7929d0eff2bbf3c900bff01c2fddb354d033635e3430463f3fd4d1f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_gjefa3f.0.cs

Filesize
208KB

MD5
18bf1a096c7bb9091e6c6431a6cb2fb9

SHA1
b520642f93928646ae77d1398af278f3e2f000bb

SHA256
b19dc741f88ef3739fed01bd0f2c91249564583f560acaf0f7618d6dfc943edf

SHA512
b9fc5bdeac94e7f63f2a8ade2dc5d1a0e5b7fa68a3781f27338d3504d6cf8b22a3f10ac906c3af81c0f96594688929e26508df973db4ba5e3b080692b7458dec

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\_gjefa3f.cmdline

Filesize
347B

MD5
ae3162aaff357eca7311dc1fed8c27fe

SHA1
98f2ce0ff266ede110a49471321e84e69f0d4984

SHA256
88c46440e1b069c976d187d03ba447a03d5ded6f79695523188828196a138210

SHA512
1e054054d37336e64350ce10391e804510c3ab9e7688a9637c0dfbae7abb3308f160dcfdb5f226111d4bc3d6c38774c87610586065d64bdde62d4ca283c0c349

Download Submit
memory/528-30-0x000000006F2E0000-0x000000006F88B000-memory.dmp

Filesize
5.7MB

Download
memory/528-28-0x000000006F2E1000-0x000000006F2E2000-memory.dmp

Filesize
4KB

Download
memory/528-46-0x000000006F2E0000-0x000000006F88B000-memory.dmp

Filesize
5.7MB

Download
memory/528-44-0x000000006F2E0000-0x000000006F88B000-memory.dmp

Filesize
5.7MB

Download
memory/528-29-0x000000006F2E0000-0x000000006F88B000-memory.dmp

Filesize
5.7MB

Download
memory/528-13-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/528-15-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/528-19-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/528-21-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/528-17-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/528-14-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2804-7-0x000000007428E000-0x000000007428F000-memory.dmp

Filesize
4KB

Download
memory/2804-10-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-0-0x000000007428E000-0x000000007428F000-memory.dmp

Filesize
4KB

Download
memory/2804-5-0x0000000004950000-0x0000000004994000-memory.dmp

Filesize
272KB

Download
memory/2804-4-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-3-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-2-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-1-0x00000000010F0000-0x000000000127E000-memory.dmp

Filesize
1.6MB

Download
memory/2804-9-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-45-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-8-0x0000000074280000-0x000000007496E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing