General
Target: b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118
Size: 1.5MB
Sample: 240617-hftvwayekh
MD5: b73c62ae01e5afb4e6f9295663d6e4d7
SHA1: 4bc872c0d89e5790de2f8d531d1c940714a6749c
SHA256: 83e6a80db984b2ca27ad53fa4b5dbda611ac315eda9ddbcbe96067d3e15816fa
SHA512: 89dc11c7f3d5aaf998adbb5e79e7cf1ef74bc9eb89809cfe3b485a4ef6c20982c8add263db64c5df3d38541cb51d58e6b37530da079cb425870349bc0836f24a
SSDEEP: 24576:1IQwzFQMJFFSzlCqGv5pUDH+RMRQtPO5Xj9snGmUqf/yj2RCSGux9pYYwqF:uQ96IGBxRs22VSnGmUqCqnxrYm
Static task: static1
Behavioral task: behavioral1
Sample: b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe
Resource: win7-20240611-en
Malware Config
Extracted
orcus
88.150.189.98:9989
888d0d2baff647a0a0872845c71c5fc6
autostart_method: Registry
enable_keylogger: true
install_path: %appdata%\AudioDriver\AudoDriver.exe
reconnect_delay: 10000
registry_keyname: AudioDriver
taskscheduler_taskname: Orcus
watchdog_path: AppData\OrcusWatchdog.exe
Targets
Target: b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118
Size: 1.5MB
MD5, SHA1, SHA256, SHA512 and SSDEEP: as listed under General above
Orcus RAT Executable
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE
Loads dropped DLL
Drops desktop.ini file(s)
Suspicious use of SetThreadContext