orcus | 83e6a80db984b2ca27ad53fa4b5dbda611ac315eda9ddbcbe96067d3e15816fa

Analysis

max time kernel
148s
max time network
155s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
17-06-2024 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe
Size

1.5MB
MD5

b73c62ae01e5afb4e6f9295663d6e4d7
SHA1

4bc872c0d89e5790de2f8d531d1c940714a6749c
SHA256

83e6a80db984b2ca27ad53fa4b5dbda611ac315eda9ddbcbe96067d3e15816fa
SHA512

89dc11c7f3d5aaf998adbb5e79e7cf1ef74bc9eb89809cfe3b485a4ef6c20982c8add263db64c5df3d38541cb51d58e6b37530da079cb425870349bc0836f24a
SSDEEP

24576:1IQwzFQMJFFSzlCqGv5pUDH+RMRQtPO5Xj9snGmUqf/yj2RCSGux9pYYwqF:uQ96IGBxRs22VSnGmUqCqnxrYm

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

88.150.189.98:9989

Mutex

888d0d2baff647a0a0872845c71c5fc6

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%appdata%\AudioDriver\AudoDriver.exe
reconnect_delay
10000
registry_keyname
AudioDriver
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 5 IoCs

resource	yara_rule
behavioral1/memory/812-17-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/812-15-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/812-13-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/812-10-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/812-9-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus

Executes dropped EXE 2 IoCs

pid	Process
2468	AudoDriver.exe
2040	AudoDriver.exe

Loads dropped DLL 2 IoCs

pid	Process
812	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe
2468	AudoDriver.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1720 set thread context of 812	1720	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	28
PID 2468 set thread context of 2040	2468	AudoDriver.exe	33

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	AudoDriver.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2040	AudoDriver.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 812	1720	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	28
PID 1720 wrote to memory of 812	1720	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	28
PID 1720 wrote to memory of 812	1720	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	28
PID 1720 wrote to memory of 812	1720	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	28
PID 1720 wrote to memory of 812	1720	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	28
PID 1720 wrote to memory of 812	1720	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	28
PID 1720 wrote to memory of 812	1720	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	28
PID 1720 wrote to memory of 812	1720	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	28
PID 1720 wrote to memory of 812	1720	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	28
PID 812 wrote to memory of 2668	812	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	29
PID 812 wrote to memory of 2668	812	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	29
PID 812 wrote to memory of 2668	812	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	29
PID 812 wrote to memory of 2668	812	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	29
PID 2668 wrote to memory of 2624	2668	csc.exe	31
PID 2668 wrote to memory of 2624	2668	csc.exe	31
PID 2668 wrote to memory of 2624	2668	csc.exe	31
PID 2668 wrote to memory of 2624	2668	csc.exe	31
PID 812 wrote to memory of 2468	812	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	32
PID 812 wrote to memory of 2468	812	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	32
PID 812 wrote to memory of 2468	812	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	32
PID 812 wrote to memory of 2468	812	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	32
PID 2468 wrote to memory of 2040	2468	AudoDriver.exe	33
PID 2468 wrote to memory of 2040	2468	AudoDriver.exe	33
PID 2468 wrote to memory of 2040	2468	AudoDriver.exe	33
PID 2468 wrote to memory of 2040	2468	AudoDriver.exe	33
PID 2468 wrote to memory of 2040	2468	AudoDriver.exe	33
PID 2468 wrote to memory of 2040	2468	AudoDriver.exe	33
PID 2468 wrote to memory of 2040	2468	AudoDriver.exe	33
PID 2468 wrote to memory of 2040	2468	AudoDriver.exe	33
PID 2468 wrote to memory of 2040	2468	AudoDriver.exe	33

C:\Users\Admin\AppData\Local\Temp\b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\07jkb4ur.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8D72.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8D61.tmp"
      4⤵
      PID:2624
- - C:\Users\Admin\AppData\Roaming\AudioDriver\AudoDriver.exe
    "C:\Users\Admin\AppData\Roaming\AudioDriver\AudoDriver.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\Users\Admin\AppData\Roaming\AudioDriver\AudoDriver.exe
      "C:\Users\Admin\AppData\Roaming\AudioDriver\AudoDriver.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\07jkb4ur.dll

Filesize
76KB

MD5
b49ee13803a059dc106819fb0e17dc4e

SHA1
d7377e9584d8ff63c38971fdb95cbf0219ae5158

SHA256
343b38e6c7e190fc9e55d108ae11f4907e0b4d9d22aee734ce9b2b9b74ab9131

SHA512
1b964be4300962495236c1f2f904b38bcf3c4b231e6ffe80030d51cef2c0185ebaa801d34e4821cf3a605ad9dcbc4115393ea0aeba556979758b079656aafb5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8D72.tmp

Filesize
1KB

MD5
40863728097409d39742d59663dfd2d0

SHA1
fcb1745390edef6ef58210d4f721bd5a4c4a092a

SHA256
58cf5e2d576295d50f173e4b1cbcdd5c0e59745052bbeb1bd4f0ee2d160964f2

SHA512
a64ccdc1f7ebd1468e5eb86b494eaf14bbdb85d2cff451cbf5d07a0d41c0159dd7e204147fc1e7917e973f0881fafa29d72ba64f0c544025347ab217aa48672f

Download Submit
C:\Users\Admin\AppData\Roaming\AudioDriver\AudoDriver.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\07jkb4ur.0.cs

Filesize
208KB

MD5
b6f8b90c68fd472ceddbe5fd499a65ea

SHA1
1e7682d308d0823924e4e8adbc85905ecdd70155

SHA256
5ffa73389a4ae7ff4bd8db70994f732da44970540ad95d5a28a01b28ed11e3d4

SHA512
b3ca780b879514061b305d46efbbeff16c5d77954130233ff118de3fa73b1416596c799481c1ab5d89a6a31f1383c89e0104b9312284cecd7dd84c0e9ed0147c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\07jkb4ur.cmdline

Filesize
347B

MD5
024089f6d3ce21520d2da573689f82ae

SHA1
8121ef239eb98bc3fd809ac914758657464a6763

SHA256
36ce14cfdda309befff54662b50946b81b4ce95eb8cc11a4f907c9177a47190d

SHA512
48f608ab75613624e315e63f2c6122910d4dde776b5198baa70d7c1c50177330b7203c02a2058906e9d614b1c6c6a584cc6797be85d4899c041255674c7e4c91

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8D61.tmp

Filesize
676B

MD5
deefe610b557a902b203197815fb2f0b

SHA1
8c615c631e06b995d4db390e8b39fc43016756f6

SHA256
879708f4c476780b1324da46daa352e2f52569ced9b7f918decd1fbb6b1cc280

SHA512
789ef39f00dbc724368a5ced9c03992e20154ae97ef1242353782fe03ff692536ce793f1ac691224196bbaaf0c9c936d011bad17b43be4f855e6552b6ab4baab

Download Submit
\Users\Admin\AppData\Roaming\AudioDriver\AudoDriver.exe

Filesize
1.5MB

MD5
b73c62ae01e5afb4e6f9295663d6e4d7

SHA1
4bc872c0d89e5790de2f8d531d1c940714a6749c

SHA256
83e6a80db984b2ca27ad53fa4b5dbda611ac315eda9ddbcbe96067d3e15816fa

SHA512
89dc11c7f3d5aaf998adbb5e79e7cf1ef74bc9eb89809cfe3b485a4ef6c20982c8add263db64c5df3d38541cb51d58e6b37530da079cb425870349bc0836f24a

Download Submit
memory/812-19-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/812-17-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/812-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/812-15-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/812-21-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/812-20-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/812-13-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/812-10-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/812-9-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/812-7-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/812-5-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/812-45-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/1720-18-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/1720-2-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/1720-1-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/1720-0-0x0000000074621000-0x0000000074622000-memory.dmp

Filesize
4KB

Download
memory/1720-4-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/1720-3-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2040-64-0x0000000000230000-0x000000000023E000-memory.dmp

Filesize
56KB

Download
memory/2040-59-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2040-65-0x0000000000350000-0x00000000003AC000-memory.dmp

Filesize
368KB

Download
memory/2040-66-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/2040-68-0x0000000000690000-0x00000000006A8000-memory.dmp

Filesize
96KB

Download
memory/2040-67-0x0000000001290000-0x00000000012DE000-memory.dmp

Filesize
312KB

Download
memory/2040-69-0x0000000000B90000-0x0000000000BA0000-memory.dmp

Filesize
64KB

Download
memory/2468-47-0x0000000001300000-0x000000000147E000-memory.dmp

Filesize
1.5MB

Download
memory/2468-48-0x0000000006430000-0x0000000006580000-memory.dmp

Filesize
1.3MB

Download
memory/2468-49-0x00000000004A0000-0x00000000004A8000-memory.dmp

Filesize
32KB

Download
memory/2668-34-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download
memory/2668-27-0x0000000074620000-0x0000000074BCB000-memory.dmp

Filesize
5.7MB

Download