Analysis
max time kernel: 142s
max time network: 150s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 30-05-2024 08:19
Static task: static1
Behavioral task: behavioral1
Sample: 838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
Size: 1.5MB
MD5: 838db8ab2f771d8012c8a0d9a0a87b10
SHA1: 1c1fa9619a53a6931647ff0df64fe15d9902ba83
SHA256: 3fe007ad53213fb08ef69264b0a7cdb871eec48fc7b34de8934293bbb752aaa3
SHA512: fb52f77b774e0ef4ccea2fe2440e10d2bce218c6df28154d601d8a44fab404b030124655d8b76218ccdf75f2564a0e7589f20c6274580f9b3b01dbb943162d0e
SSDEEP: 24576:RoK5MMv0TUoJVRIfLNV8LAv5vkVQ0BL3vrlsW+/O9RIOkT:RoAMM6JVRMV1vhOrrln7g
Malware Config
Extracted
orcus
DESK-100618
poulty55.chickenkiller.com:9030
a386a045d9c842428c74de4ed9645fe9
autostart_method: Disable
enable_keylogger: true
install_path: %programfiles%\Orcus\Orcus.exe
reconnect_delay: 10002
registry_keyname: Orcus
taskscheduler_taskname: Orcus
watchdog_path: AppData\OrcusWatchdog.exe
Signatures
Detect ZGRat V2 (1 IoC)
  yara_rule: behavioral1/memory/2804-5-0x0000000004950000-0x0000000004994000-memory.dmp -> family_zgrat_v2
Orcurs Rat Executable (5 IoCs)
  yara_rule (all matches tagged orcus):
    behavioral1/memory/528-14-0x0000000000400000-0x00000000004E8000-memory.dmp
    behavioral1/memory/528-15-0x0000000000400000-0x00000000004E8000-memory.dmp
    behavioral1/memory/528-17-0x0000000000400000-0x00000000004E8000-memory.dmp
    behavioral1/memory/528-19-0x0000000000400000-0x00000000004E8000-memory.dmp
    behavioral1/memory/528-21-0x0000000000400000-0x00000000004E8000-memory.dmp
Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\469775e0-1bab-415a-a0b5-a668999f6467.url
  process: 838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid 2804, process 838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
Suspicious use of SetThreadContext (1 IoC)
  description: PID 2804 set thread context of 528; pid 2804; process 838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe; procid_target 30
Suspicious behavior: EnumeratesProcesses (7 IoCs)
  pid 2804, process 838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe (7 identical entries)
Suspicious behavior: MapViewOfSection (1 IoC)
  pid 2804, process 838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege; pid 2804; process 838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
  Token: SeDebugPrivilege; pid 528; process InstallUtil.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid 528, process InstallUtil.exe
Suspicious use of WriteProcessMemory (23 IoCs)
  description: PID 2804 wrote to memory of 528; pid 2804; process 838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe; procid_target 30 (15 identical entries)
  description: PID 528 wrote to memory of 1424; pid 528; process InstallUtil.exe; procid_target 31 (4 identical entries)
  description: PID 1424 wrote to memory of 2144; pid 1424; process csc.exe; procid_target 33 (4 identical entries)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe"
    PID: 2804
    - Drops startup file
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
      PID: 528
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_gjefa3f.cmdline"
        PID: 1424
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD20F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD20E.tmp"
          PID: 2144
Downloads
Filesize: 1KB
MD5: cea765c505ec61fa52fe84c83a15ddde
SHA1: c074c5b40bdb32d18a9db31b1dd1440933860340
SHA256: 87aa07d4ecf03581079c56b7c5e52b1695a0e1daf54dfc35d5776ffe6fa80b2a
SHA512: 813957c23a3458d88a9cf67b54c99f846eb3d0414858ff645aaea05d36ea1cbf8a05ce978b0e77e84deb3a10c596c9c2ceb0d62f4d43fb7302fa2407ba3daaad

Filesize: 76KB
MD5: 0792133805552c69e5d30cecb1a6eaf2
SHA1: 326a027c7c3f1476468a9b2a7d66bf516d3b4bec
SHA256: 585820651f277c7f5bcd34a848b4ec65a8f4eeb06e42c7031867500272de114d
SHA512: cdda5172962fb2b70a2027c217ad1d0e8a09e40441bcd409594a03ac092a44df09208148f8c38c2223bee20d07ed94e254f9005138033a1ee597ed529325421d

Filesize: 676B
MD5: 3fb01ca2c53ac08012668fa0657e44a8
SHA1: cf094f405dc1a02ffcf9919e3eba340ab27dc969
SHA256: 3b1fb7f649ea2d37da0bece4473b95530b4253359bd7cecfa7a00d94febb7c75
SHA512: 3c6afcccb53eb4a25facd6c387a4d0df6a39f8d363598fa9cc9b594a59fdb9690bf30d6c7929d0eff2bbf3c900bff01c2fddb354d033635e3430463f3fd4d1f7

Filesize: 208KB
MD5: 18bf1a096c7bb9091e6c6431a6cb2fb9
SHA1: b520642f93928646ae77d1398af278f3e2f000bb
SHA256: b19dc741f88ef3739fed01bd0f2c91249564583f560acaf0f7618d6dfc943edf
SHA512: b9fc5bdeac94e7f63f2a8ade2dc5d1a0e5b7fa68a3781f27338d3504d6cf8b22a3f10ac906c3af81c0f96594688929e26508df973db4ba5e3b080692b7458dec

Filesize: 347B
MD5: ae3162aaff357eca7311dc1fed8c27fe
SHA1: 98f2ce0ff266ede110a49471321e84e69f0d4984
SHA256: 88c46440e1b069c976d187d03ba447a03d5ded6f79695523188828196a138210
SHA512: 1e054054d37336e64350ce10391e804510c3ab9e7688a9637c0dfbae7abb3308f160dcfdb5f226111d4bc3d6c38774c87610586065d64bdde62d4ca283c0c349