General

  • Target

    a65588611bea2e11e8b7a783586d45ed_JaffaCakes118

  • Size

    1.3MB

  • Sample

    240613-s73bfaygqq

  • MD5

    a65588611bea2e11e8b7a783586d45ed

  • SHA1

    70df9e0bb904ec5cacd4ccc54950d3029ab322c9

  • SHA256

    2cf884671b814b3a278eca91e8feb1e9b9b42889c6324995178d7c4df38de49a

  • SHA512

    123a09a6f84d7a550bd9cfc61492ca8182e80fb2b0c12b476fbd742d14ba124916b1411095e24d7fb5b74073495a331fb84995d3484d29263d764aaac42979d8

  • SSDEEP

    24576:jyI4MROxnFt3v9MQvrZlI0AilFEvxHidsRN+Sr5P8WmA2TzKsv+6k2C:jyrMijm0rZlI0AilFEvxHi2Fr5WycC

Malware Config

Extracted

Family

orcus

Botnet

hi

C2

owo-whats-this.duckdns.org:6969

Mutex

589c23b486c142cc84a5650aff03530f

Attributes
  • autostart_method

    Registry

  • enable_keylogger

    false

  • install_path

    %programfiles%\owo\OwO.exe

  • reconnect_delay

    10000

  • registry_keyname

    WWWWWWWWWWW

  • taskscheduler_taskname

    WWWWWW

  • watchdog_path

    Temp\hostwd.exe

Targets

    • Target

      a65588611bea2e11e8b7a783586d45ed_JaffaCakes118

    • Size

      1.3MB

    • MD5

      a65588611bea2e11e8b7a783586d45ed

    • SHA1

      70df9e0bb904ec5cacd4ccc54950d3029ab322c9

    • SHA256

      2cf884671b814b3a278eca91e8feb1e9b9b42889c6324995178d7c4df38de49a

    • SHA512

      123a09a6f84d7a550bd9cfc61492ca8182e80fb2b0c12b476fbd742d14ba124916b1411095e24d7fb5b74073495a331fb84995d3484d29263d764aaac42979d8

    • SSDEEP

      24576:jyI4MROxnFt3v9MQvrZlI0AilFEvxHidsRN+Sr5P8WmA2TzKsv+6k2C:jyrMijm0rZlI0AilFEvxHi2Fr5WycC

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcurs Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks