orcus | bc3966ff969270ad721bf288117b0971336da9da9fc97694aa2d623c8c5aed71

General

Target

aaa90b0b00a95599af7a08ab8831b107_JaffaCakes118.exe
Size

911KB
MD5

aaa90b0b00a95599af7a08ab8831b107
SHA1

9686d3bcb057d151971d9e4dab389e06612773af
SHA256

bc3966ff969270ad721bf288117b0971336da9da9fc97694aa2d623c8c5aed71
SHA512

9b260a04866c0748532bfecccaca1706cec12d0192585c9bdbb3f8f1dd137feb84e13b70d262754896230f9818e6c5385e8261e3f473901797c585e6e7fc6cd3
SSDEEP

12288:vvQljshUuGBupksQ7dG1lFlWcYT70pxnnaaoawAjKgRRAbrZNrI0AilFEvxHvBM9:Wsw4MROxnFegHErZlI0AilFEvxHiW8

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

fbkw.tk:1564

Mutex

d38dc645e93944daace20f292091da80

Attributes

autostart_method
TaskScheduler
enable_keylogger
false
install_path
%appdata%\Discord\DiscordService.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
DiscordService
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023415-31.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral2/files/0x0009000000023415-31.dat	orcus
behavioral2/memory/1828-43-0x00000000002B0000-0x0000000000398000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	aaa90b0b00a95599af7a08ab8831b107_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1828	DiscordService.exe
4916	DiscordService.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	aaa90b0b00a95599af7a08ab8831b107_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	aaa90b0b00a95599af7a08ab8831b107_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	aaa90b0b00a95599af7a08ab8831b107_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	aaa90b0b00a95599af7a08ab8831b107_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	aaa90b0b00a95599af7a08ab8831b107_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 2556	4608	aaa90b0b00a95599af7a08ab8831b107_JaffaCakes118.exe	84
PID 4608 wrote to memory of 2556	4608	aaa90b0b00a95599af7a08ab8831b107_JaffaCakes118.exe	84
PID 2556 wrote to memory of 4092	2556	csc.exe	86
PID 2556 wrote to memory of 4092	2556	csc.exe	86
PID 4608 wrote to memory of 1828	4608	aaa90b0b00a95599af7a08ab8831b107_JaffaCakes118.exe	87
PID 4608 wrote to memory of 1828	4608	aaa90b0b00a95599af7a08ab8831b107_JaffaCakes118.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\aaa90b0b00a95599af7a08ab8831b107_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aaa90b0b00a95599af7a08ab8831b107_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ijdfg-gi.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39ED.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC39EC.tmp"
    3⤵
    PID:4092
- C:\Users\Admin\AppData\Roaming\Discord\DiscordService.exe
  "C:\Users\Admin\AppData\Roaming\Discord\DiscordService.exe"
  2⤵
  - Executes dropped EXE
  PID:1828

C:\Users\Admin\AppData\Roaming\Discord\DiscordService.exe
C:\Users\Admin\AppData\Roaming\Discord\DiscordService.exe
1⤵
- Executes dropped EXE
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES39ED.tmp

Filesize
1KB

MD5
252682616f8d75c51e568757f5636155

SHA1
6b2ffe559e42be27455d83d935286cf80c3b6f8a

SHA256
bf720fdc2403dbc98b6f56edfb3812798e83eb2e1601602349f029ab8ab69ef5

SHA512
86b4c6beff6ba1ab784fb4e66bc6f0292a46815ff90b3b3ddcdac4bbfd5bb5b63dd277789230c356db6536ffe6bf54d08a3b571e1499d5587b55a7e17db1290f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ijdfg-gi.dll

Filesize
76KB

MD5
6db1f41cf5fed67881c4901ffe0c6235

SHA1
8789509746ca1f809b9a4aa525498afa5ee16c0d

SHA256
ef758cd14e7d669333b47032d4298ec2d3dd8f45bd42f2f07d28c5c8b0996cf2

SHA512
dfdeb1045b2f2ad55b3a375efa3c9933bfae9d41b513145a04e3ab163de06feca5502bb5dade6698a366b0c076aa89983e28565421407b0139eb071617e79bef

Download Submit
C:\Users\Admin\AppData\Roaming\Discord\DiscordService.exe

Filesize
911KB

MD5
aaa90b0b00a95599af7a08ab8831b107

SHA1
9686d3bcb057d151971d9e4dab389e06612773af

SHA256
bc3966ff969270ad721bf288117b0971336da9da9fc97694aa2d623c8c5aed71

SHA512
9b260a04866c0748532bfecccaca1706cec12d0192585c9bdbb3f8f1dd137feb84e13b70d262754896230f9818e6c5385e8261e3f473901797c585e6e7fc6cd3

Download Submit
C:\Users\Admin\AppData\Roaming\Discord\DiscordService.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC39EC.tmp

Filesize
676B

MD5
0f1a07e29600237c4b3b528262db60f0

SHA1
e35464946c82ddb4fac26211f718e9a04200a7aa

SHA256
de97910d8dd916cd6e09f70e1283f18f6d302c0103489381a3e41770d795dbec

SHA512
05a4a38adcca87e4813adcde82f375db749ab9f31df7b0538fbce00eca27893aa20d179667f081f873ab656afaefdbb6a27e13ddb0c0e68921cccee9ddecb198

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ijdfg-gi.0.cs

Filesize
208KB

MD5
a29bea3fe5ac94a38f232c2255ba58c6

SHA1
b525326f469057df719876b53035bde4d1bb45bf

SHA256
2cff930f6e9c1cab3788b5db68594ce962b70e4dde939ac36cf8b15b986e39d4

SHA512
df34be002279f063af2e7d2bfaefb1f7c8c747b4a0e61ae5637b8a414a1627cff89a14e86f0f300db6da108c070025680029241333307abe55477f351e94befb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ijdfg-gi.cmdline

Filesize
349B

MD5
8085ae8359fd852e5f17b916339aa7ce

SHA1
5fe5db12cd55242059c41e0a78d8d0eab4b4f0f8

SHA256
b7915d531a8ff6374038074eeffe495f3ff69f69e4ded4ef1a604bf5539730f8

SHA512
64ee6ebdeda2a107f96f5237e345bc5c07df6c78599eadce9dbcd511c97459ac8d7a33d667e40a7326d6453a576d406e12f530554d8a8851d923bc42a10b9c0e

Download Submit
memory/1828-43-0x00000000002B0000-0x0000000000398000-memory.dmp

Filesize
928KB

Download
memory/1828-44-0x0000000000B80000-0x0000000000B92000-memory.dmp

Filesize
72KB

Download
memory/1828-40-0x00007FFA6C8A3000-0x00007FFA6C8A5000-memory.dmp

Filesize
8KB

Download
memory/1828-45-0x0000000000BA0000-0x0000000000BEE000-memory.dmp

Filesize
312KB

Download
memory/1828-47-0x000000001AFA0000-0x000000001AFB8000-memory.dmp

Filesize
96KB

Download
memory/1828-48-0x000000001AFC0000-0x000000001AFD0000-memory.dmp

Filesize
64KB

Download
memory/1828-50-0x00007FFA6C8A3000-0x00007FFA6C8A5000-memory.dmp

Filesize
8KB

Download
memory/2556-21-0x00007FFA6FBF0000-0x00007FFA70591000-memory.dmp

Filesize
9.6MB

Download
memory/2556-14-0x00007FFA6FBF0000-0x00007FFA70591000-memory.dmp

Filesize
9.6MB

Download
memory/4608-25-0x000000001B4B0000-0x000000001B4C2000-memory.dmp

Filesize
72KB

Download
memory/4608-23-0x000000001C860000-0x000000001C876000-memory.dmp

Filesize
88KB

Download
memory/4608-0-0x00007FFA6FEA5000-0x00007FFA6FEA6000-memory.dmp

Filesize
4KB

Download
memory/4608-42-0x00007FFA6FBF0000-0x00007FFA70591000-memory.dmp

Filesize
9.6MB

Download
memory/4608-8-0x000000001C230000-0x000000001C2CC000-memory.dmp

Filesize
624KB

Download
memory/4608-7-0x000000001BCC0000-0x000000001C18E000-memory.dmp

Filesize
4.8MB

Download
memory/4608-6-0x00007FFA6FBF0000-0x00007FFA70591000-memory.dmp

Filesize
9.6MB

Download
memory/4608-5-0x000000001B740000-0x000000001B74E000-memory.dmp

Filesize
56KB

Download
memory/4608-2-0x000000001B5A0000-0x000000001B5FC000-memory.dmp

Filesize
368KB

Download
memory/4608-1-0x00007FFA6FBF0000-0x00007FFA70591000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing