orcus | bc3966ff969270ad721bf288117b0971336da9da9fc97694aa2d623c8c5aed71

General

Target

aaa90b0b00a95599af7a08ab8831b107_JaffaCakes118.exe
Size

911KB
MD5

aaa90b0b00a95599af7a08ab8831b107
SHA1

9686d3bcb057d151971d9e4dab389e06612773af
SHA256

bc3966ff969270ad721bf288117b0971336da9da9fc97694aa2d623c8c5aed71
SHA512

9b260a04866c0748532bfecccaca1706cec12d0192585c9bdbb3f8f1dd137feb84e13b70d262754896230f9818e6c5385e8261e3f473901797c585e6e7fc6cd3
SSDEEP

12288:vvQljshUuGBupksQ7dG1lFlWcYT70pxnnaaoawAjKgRRAbrZNrI0AilFEvxHvBM9:Wsw4MROxnFegHErZlI0AilFEvxHiW8

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

fbkw.tk:1564

Mutex

d38dc645e93944daace20f292091da80

Attributes

autostart_method
TaskScheduler
enable_keylogger
false
install_path
%appdata%\Discord\DiscordService.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
DiscordService
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x00330000000144e4-27.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x00330000000144e4-27.dat	orcus
behavioral1/memory/2752-31-0x0000000000970000-0x0000000000A58000-memory.dmp	orcus

Executes dropped EXE 2 IoCs

pid	Process
2752	DiscordService.exe
2484	DiscordService.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2160	3048	aaa90b0b00a95599af7a08ab8831b107_JaffaCakes118.exe	28
PID 3048 wrote to memory of 2160	3048	aaa90b0b00a95599af7a08ab8831b107_JaffaCakes118.exe	28
PID 3048 wrote to memory of 2160	3048	aaa90b0b00a95599af7a08ab8831b107_JaffaCakes118.exe	28
PID 2160 wrote to memory of 2764	2160	csc.exe	30
PID 2160 wrote to memory of 2764	2160	csc.exe	30
PID 2160 wrote to memory of 2764	2160	csc.exe	30
PID 3048 wrote to memory of 2752	3048	aaa90b0b00a95599af7a08ab8831b107_JaffaCakes118.exe	31
PID 3048 wrote to memory of 2752	3048	aaa90b0b00a95599af7a08ab8831b107_JaffaCakes118.exe	31
PID 3048 wrote to memory of 2752	3048	aaa90b0b00a95599af7a08ab8831b107_JaffaCakes118.exe	31
PID 2456 wrote to memory of 2484	2456	taskeng.exe	33
PID 2456 wrote to memory of 2484	2456	taskeng.exe	33
PID 2456 wrote to memory of 2484	2456	taskeng.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\aaa90b0b00a95599af7a08ab8831b107_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aaa90b0b00a95599af7a08ab8831b107_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ahra7ywy.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21D4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC21D3.tmp"
    3⤵
    PID:2764
- C:\Users\Admin\AppData\Roaming\Discord\DiscordService.exe
  "C:\Users\Admin\AppData\Roaming\Discord\DiscordService.exe"
  2⤵
  - Executes dropped EXE
  PID:2752

C:\Windows\system32\taskeng.exe
taskeng.exe {F2686F1A-6097-4126-BB54-DA382877809E} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Roaming\Discord\DiscordService.exe
  C:\Users\Admin\AppData\Roaming\Discord\DiscordService.exe
  2⤵
  - Executes dropped EXE
  PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES21D4.tmp

Filesize
1KB

MD5
d2a526329b49104834160299a95de6e8

SHA1
919e1acfa6b6d15d24dc9147f196fee4c28bf242

SHA256
cbf9a8acd84e46ef6b617536913a7c32481529a69017d5e0777e6d132d1be533

SHA512
da043e40a16ef5dad69ada116c38c950b894c2595b1d1c8fdbc4faba76b7735040f3a0104abb34b70ed34b1858ed448a7d692e2b6da680a066475b28ea3c28f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ahra7ywy.dll

Filesize
76KB

MD5
792645c2067c4aeb614804be924ff61d

SHA1
3a6b8ecc867262f50d7b5bedda3ae03e1c74086f

SHA256
134373dc75f9365569c0cb9757fde177c82f27accec0948e466da0db04a2ff35

SHA512
ec55da5f1814dff68c60edf78d7aebbd147a3452d3a656310eec3ac8403be6724fd122a9fbd591f2e49cc9573cb259fbe44027ccf5a156a3d78beaae1c4f7a80

Download Submit
C:\Users\Admin\AppData\Roaming\Discord\DiscordService.exe

Filesize
911KB

MD5
aaa90b0b00a95599af7a08ab8831b107

SHA1
9686d3bcb057d151971d9e4dab389e06612773af

SHA256
bc3966ff969270ad721bf288117b0971336da9da9fc97694aa2d623c8c5aed71

SHA512
9b260a04866c0748532bfecccaca1706cec12d0192585c9bdbb3f8f1dd137feb84e13b70d262754896230f9818e6c5385e8261e3f473901797c585e6e7fc6cd3

Download Submit
C:\Users\Admin\AppData\Roaming\Discord\DiscordService.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC21D3.tmp

Filesize
676B

MD5
a256d9c67baab1b32a5a97a5bac6dbd1

SHA1
ea4d13bf38b58d13d8b6b810578081f4b6de6ae5

SHA256
df7006a694cef41732818daaec20ee38fb1c4ecaeabf33dff521527f180b74aa

SHA512
e71f0f57a47fbacc383afcba21f52d49813eb385bd728e4733637c03a81e5a2a6d14778cdcf14333eff7f40daacb977004228d3519825176000be1a7732de9bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ahra7ywy.0.cs

Filesize
208KB

MD5
250321226bbc2a616d91e1c82cb4ab2b

SHA1
7cffd0b2e9c842865d8961386ab8fcfac8d04173

SHA256
ef2707f83a0c0927cfd46b115641b9cae52a41123e4826515b9eeb561785218d

SHA512
bda59ca04cdf254f837f2cec6da55eff5c3d2af00da66537b9ebaa3601c502ae63772f082fd12663b63d537d2e03efe87a3b5746ef25e842aaf1c7d88245b4e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ahra7ywy.cmdline

Filesize
349B

MD5
1ba1da68a20c17b56c17d6ac241661be

SHA1
472bae18093199d8235b46804c07e3ff86353890

SHA256
dbc78fa8a706183f3cbd3715476a8747bef1888f5bfd30f0f0cff10cc86b3672

SHA512
4b38f114b136c0ec8614c790a927d9037b33878458a080ec74d1454f909ca075ba38afa5ed7753f92354bddba41caaf2d5f048fe52cf8b0644ebf30f03d4d621

Download Submit
memory/2160-17-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

Filesize
9.6MB

Download
memory/2160-12-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

Filesize
9.6MB

Download
memory/2752-31-0x0000000000970000-0x0000000000A58000-memory.dmp

Filesize
928KB

Download
memory/2752-35-0x0000000002270000-0x0000000002280000-memory.dmp

Filesize
64KB

Download
memory/2752-34-0x0000000002250000-0x0000000002268000-memory.dmp

Filesize
96KB

Download
memory/2752-33-0x0000000000920000-0x000000000096E000-memory.dmp

Filesize
312KB

Download
memory/2752-32-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/3048-21-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/3048-2-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/3048-29-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

Filesize
9.6MB

Download
memory/3048-1-0x0000000002190000-0x00000000021EC000-memory.dmp

Filesize
368KB

Download
memory/3048-3-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

Filesize
9.6MB

Download
memory/3048-19-0x000000001AEB0000-0x000000001AEC6000-memory.dmp

Filesize
88KB

Download
memory/3048-4-0x000007FEF5FF0000-0x000007FEF698D000-memory.dmp

Filesize
9.6MB

Download
memory/3048-0-0x000007FEF62AE000-0x000007FEF62AF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing