General

  • Target

    b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118

  • Size

    1.5MB

  • Sample

    240617-hftvwayekh

  • MD5

    b73c62ae01e5afb4e6f9295663d6e4d7

  • SHA1

    4bc872c0d89e5790de2f8d531d1c940714a6749c

  • SHA256

    83e6a80db984b2ca27ad53fa4b5dbda611ac315eda9ddbcbe96067d3e15816fa

  • SHA512

    89dc11c7f3d5aaf998adbb5e79e7cf1ef74bc9eb89809cfe3b485a4ef6c20982c8add263db64c5df3d38541cb51d58e6b37530da079cb425870349bc0836f24a

  • SSDEEP

    24576:1IQwzFQMJFFSzlCqGv5pUDH+RMRQtPO5Xj9snGmUqf/yj2RCSGux9pYYwqF:uQ96IGBxRs22VSnGmUqCqnxrYm

Malware Config

Extracted

  • Family

    orcus

  • C2

    88.150.189.98:9989

  • Mutex

    888d0d2baff647a0a0872845c71c5fc6

Attributes

  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %appdata%\AudioDriver\AudoDriver.exe

  • reconnect_delay

    10000

  • registry_keyname

    AudioDriver

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Targets

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus Rat Executable

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks