orcus | 3fe007ad53213fb08ef69264b0a7cdb871eec48fc7b34de8934293bbb752aaa3

General

Target

838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
Size

1.5MB
MD5

838db8ab2f771d8012c8a0d9a0a87b10
SHA1

1c1fa9619a53a6931647ff0df64fe15d9902ba83
SHA256

3fe007ad53213fb08ef69264b0a7cdb871eec48fc7b34de8934293bbb752aaa3
SHA512

fb52f77b774e0ef4ccea2fe2440e10d2bce218c6df28154d601d8a44fab404b030124655d8b76218ccdf75f2564a0e7589f20c6274580f9b3b01dbb943162d0e
SSDEEP

24576:RoK5MMv0TUoJVRIfLNV8LAv5vkVQ0BL3vrlsW+/O9RIOkT:RoAMM6JVRMV1vhOrrln7g

Score

10^/10

orcus zgrat desk-100618 rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

DESK-100618

C2

poulty55.chickenkiller.com:9030

Mutex

a386a045d9c842428c74de4ed9645fe9

Attributes

autostart_method
Disable
enable_keylogger
true
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10002
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Detect ZGRat V2 1 IoCs

resource	yara_rule
behavioral2/memory/4820-9-0x0000000006F70000-0x0000000006FB4000-memory.dmp	family_zgrat_v2

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Orcurs Rat Executable 3 IoCs

resource	yara_rule
behavioral2/memory/1964-19-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral2/memory/1964-18-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral2/memory/1964-17-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\469775e0-1bab-415a-a0b5-a668999f6467.url	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	InstallUtil.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	InstallUtil.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4820	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4820 set thread context of 1964	4820	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	100

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	InstallUtil.exe
File created	C:\Windows\assembly\Desktop.ini	InstallUtil.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	InstallUtil.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
4820	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
4820	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
4820	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
4820	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
4820	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
4820	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
4820	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
4820	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4820	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
Token: SeDebugPrivilege	1964	InstallUtil.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1964	InstallUtil.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4820 wrote to memory of 1964	4820	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	100
PID 4820 wrote to memory of 1964	4820	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	100
PID 4820 wrote to memory of 1964	4820	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	100
PID 4820 wrote to memory of 1964	4820	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	100
PID 4820 wrote to memory of 1964	4820	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	100
PID 4820 wrote to memory of 1964	4820	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	100
PID 4820 wrote to memory of 1964	4820	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	100
PID 4820 wrote to memory of 1964	4820	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	100
PID 4820 wrote to memory of 1964	4820	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	100
PID 4820 wrote to memory of 1964	4820	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	100
PID 4820 wrote to memory of 1964	4820	838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe	100
PID 1964 wrote to memory of 2844	1964	InstallUtil.exe	101
PID 1964 wrote to memory of 2844	1964	InstallUtil.exe	101
PID 1964 wrote to memory of 2844	1964	InstallUtil.exe	101
PID 2844 wrote to memory of 640	2844	csc.exe	103
PID 2844 wrote to memory of 640	2844	csc.exe	103
PID 2844 wrote to memory of 640	2844	csc.exe	103

C:\Users\Admin\AppData\Local\Temp\838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\838db8ab2f771d8012c8a0d9a0a87b10_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4820
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\InstallUtil.exe
  2⤵
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\8en9iedq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB33F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB33E.tmp"
      4⤵
      PID:640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\8en9iedq.dll

Filesize
76KB

MD5
85aa3473f9c889052bc875ece4fbbff5

SHA1
277e36e115ee817da5ebe8328c10a032f37114fa

SHA256
c0d683702daf707998f09d51554ff7efce5a05451bda0f68f2745a54684a1a9f

SHA512
26eb0ec62e654a141de37e71e5a334c8ea75a424e57eed59b342d3946b181c064d2affd59d4df940cae1eb64bf320504217b6655b7b67d727512bd52908a1729

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB33F.tmp

Filesize
1KB

MD5
4e0a0e3e43771b5cc6b24973c9c11bfc

SHA1
c6f0e794cc76ff6abd29379527cdfa973c98ff31

SHA256
f699082782e74c2a1d69449c2a48d2564bb4040e686836b34aa87766e7c8a29c

SHA512
d31a7fe131d992343aa07d1daf4213b45062fa4b786cfc89c9a71df80df1312a3a023bc742d99554ee2976d47c499136beeccfbe925384fe9415a4c206ab1e35

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8en9iedq.0.cs

Filesize
208KB

MD5
9ef73bf0432f8fd4768715b606c51100

SHA1
00526e791cf843c944e9d4afe148acc3b9e9b561

SHA256
5b1ac14b2b2284376a78716a2768ab521a03429cda91b2ddfe0c9ac801c2eacd

SHA512
89cd9096f9ecf49df9e8a483fc4090ed0523799d04801bf6016c2790a90b53a9aa151c50c660c08fbc7e2f4b2b52052f0c35ed2ba388ec7669ec85b1176c37a9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\8en9iedq.cmdline

Filesize
347B

MD5
13a07e16bb6f13640785630c59be5c5d

SHA1
d324890620980654b7811c1442be96efc32876fa

SHA256
ca70590f16411ecc1e66b462b69bb72423285694a5bce373e3f1e12ad1bc52d7

SHA512
091482092a91665e38d5591c056bc2096ca2efa57d059ff79fae5ceef23c6eb6c901912b5cc450170dac28a06fcc4c066dd6efcbd3c6d780f4cb813570cabf94

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB33E.tmp

Filesize
676B

MD5
a88eccdf6104f8c12c045283f687a035

SHA1
cae11cdbc2fa9a3f7df4f39389f06773742ababc

SHA256
a7aad3d4f5722090bedfc111572e8ea9de49271faa46cbf4a41667897c917d2c

SHA512
874790c05664a8def502f99e81ec465f6b7a06d4a6c18bf1c1a5f6b268689c60b79c221e7b284511efa3a6ad21a922ce3472d70c20d6f58a56b167a43905385b

Download Submit
memory/1964-18-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1964-22-0x0000000070432000-0x0000000070433000-memory.dmp

Filesize
4KB

Download
memory/1964-46-0x0000000070430000-0x00000000709E1000-memory.dmp

Filesize
5.7MB

Download
memory/1964-44-0x0000000070430000-0x00000000709E1000-memory.dmp

Filesize
5.7MB

Download
memory/1964-43-0x0000000070432000-0x0000000070433000-memory.dmp

Filesize
4KB

Download
memory/1964-42-0x0000000070430000-0x00000000709E1000-memory.dmp

Filesize
5.7MB

Download
memory/1964-26-0x0000000070430000-0x00000000709E1000-memory.dmp

Filesize
5.7MB

Download
memory/1964-16-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/1964-19-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1964-23-0x0000000070430000-0x00000000709E1000-memory.dmp

Filesize
5.7MB

Download
memory/1964-17-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2844-39-0x0000000070430000-0x00000000709E1000-memory.dmp

Filesize
5.7MB

Download
memory/2844-32-0x0000000070430000-0x00000000709E1000-memory.dmp

Filesize
5.7MB

Download
memory/4820-12-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/4820-2-0x0000000005B20000-0x0000000005BBC000-memory.dmp

Filesize
624KB

Download
memory/4820-13-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/4820-5-0x0000000005BC0000-0x0000000005C52000-memory.dmp

Filesize
584KB

Download
memory/4820-4-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/4820-6-0x0000000005AA0000-0x0000000005AAA000-memory.dmp

Filesize
40KB

Download
memory/4820-3-0x0000000006230000-0x00000000067D4000-memory.dmp

Filesize
5.6MB

Download
memory/4820-0-0x000000007501E000-0x000000007501F000-memory.dmp

Filesize
4KB

Download
memory/4820-11-0x000000007501E000-0x000000007501F000-memory.dmp

Filesize
4KB

Download
memory/4820-1-0x0000000000F40000-0x00000000010CE000-memory.dmp

Filesize
1.6MB

Download
memory/4820-10-0x0000000008840000-0x0000000008841000-memory.dmp

Filesize
4KB

Download
memory/4820-9-0x0000000006F70000-0x0000000006FB4000-memory.dmp

Filesize
272KB

Download
memory/4820-8-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/4820-45-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/4820-7-0x0000000005D70000-0x0000000005DC6000-memory.dmp

Filesize
344KB

Download

Analysis

Sharing