General

  • Target

    3dcb6077a108a53c7df5ab6af5b4f6aafc533ba0d44118b983621f89b7ec2263

  • Size

    918KB

  • Sample

    240609-bjkcaabc5v

  • MD5

    ee9a70d7cdb17d650bf981828446a502

  • SHA1

    8d665f710b8edc652195d6c06e6f3c179c2bdfd1

  • SHA256

    3dcb6077a108a53c7df5ab6af5b4f6aafc533ba0d44118b983621f89b7ec2263

  • SHA512

    335b901e0afe9e2ec41d03a6d83324f6032c84f825a3968d04a675670e3a924010ca3b0755ab58e04ed5db9ca7ab4e71cfa3b96a69e98113c8ff9636565cfb5a

  • SSDEEP

    24576:Etb4MROxnFZ3LRM43rrcI0AilFEvxHPgAtoo0:EiMi7Ll3rrcI0AilFEvxHP

Malware Config

Extracted

Family

orcus

C2

146.235.217.116:5555

Mutex

ce877b798e0545b79ebc4029db4ab310

Attributes

  • autostart_method

    TaskScheduler

  • enable_keylogger

    false

  • install_path

    %programfiles%\javaw\java.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    updaters

  • watchdog_path

    AppData\updater.exe

Targets

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks