orcus | 83e6a80db984b2ca27ad53fa4b5dbda611ac315eda9ddbcbe96067d3e15816fa

General

Target

b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe
Size

1.5MB
MD5

b73c62ae01e5afb4e6f9295663d6e4d7
SHA1

4bc872c0d89e5790de2f8d531d1c940714a6749c
SHA256

83e6a80db984b2ca27ad53fa4b5dbda611ac315eda9ddbcbe96067d3e15816fa
SHA512

89dc11c7f3d5aaf998adbb5e79e7cf1ef74bc9eb89809cfe3b485a4ef6c20982c8add263db64c5df3d38541cb51d58e6b37530da079cb425870349bc0836f24a
SSDEEP

24576:1IQwzFQMJFFSzlCqGv5pUDH+RMRQtPO5Xj9snGmUqf/yj2RCSGux9pYYwqF:uQ96IGBxRs22VSnGmUqCqnxrYm

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

C2

88.150.189.98:9989

Mutex

888d0d2baff647a0a0872845c71c5fc6

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%appdata%\AudioDriver\AudoDriver.exe
reconnect_delay
10000
registry_keyname
AudioDriver
taskscheduler_taskname
Orcus
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral2/memory/1556-50-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
2388	AudoDriver.exe
1556	AudoDriver.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1748 set thread context of 1092	1748	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	84
PID 2388 set thread context of 1556	2388	AudoDriver.exe	89

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1556	AudoDriver.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1556	AudoDriver.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1748 wrote to memory of 1092	1748	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	84
PID 1748 wrote to memory of 1092	1748	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	84
PID 1748 wrote to memory of 1092	1748	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	84
PID 1748 wrote to memory of 1092	1748	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	84
PID 1748 wrote to memory of 1092	1748	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	84
PID 1748 wrote to memory of 1092	1748	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	84
PID 1748 wrote to memory of 1092	1748	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	84
PID 1748 wrote to memory of 1092	1748	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	84
PID 1092 wrote to memory of 5048	1092	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	85
PID 1092 wrote to memory of 5048	1092	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	85
PID 1092 wrote to memory of 5048	1092	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	85
PID 5048 wrote to memory of 1812	5048	csc.exe	87
PID 5048 wrote to memory of 1812	5048	csc.exe	87
PID 5048 wrote to memory of 1812	5048	csc.exe	87
PID 1092 wrote to memory of 2388	1092	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	88
PID 1092 wrote to memory of 2388	1092	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	88
PID 1092 wrote to memory of 2388	1092	b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe	88
PID 2388 wrote to memory of 1556	2388	AudoDriver.exe	89
PID 2388 wrote to memory of 1556	2388	AudoDriver.exe	89
PID 2388 wrote to memory of 1556	2388	AudoDriver.exe	89
PID 2388 wrote to memory of 1556	2388	AudoDriver.exe	89
PID 2388 wrote to memory of 1556	2388	AudoDriver.exe	89
PID 2388 wrote to memory of 1556	2388	AudoDriver.exe	89
PID 2388 wrote to memory of 1556	2388	AudoDriver.exe	89
PID 2388 wrote to memory of 1556	2388	AudoDriver.exe	89

C:\Users\Admin\AppData\Local\Temp\b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Temp\b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\djtmpzlf.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5048
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4E9E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4E9D.tmp"
      4⤵
      PID:1812
- - C:\Users\Admin\AppData\Roaming\AudioDriver\AudoDriver.exe
    "C:\Users\Admin\AppData\Roaming\AudioDriver\AudoDriver.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\Users\Admin\AppData\Roaming\AudioDriver\AudoDriver.exe
      "C:\Users\Admin\AppData\Roaming\AudioDriver\AudoDriver.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\b73c62ae01e5afb4e6f9295663d6e4d7_JaffaCakes118.exe.log

Filesize
496B

MD5
cb76b18ebed3a9f05a14aed43d35fba6

SHA1
836a4b4e351846fca08b84149cb734cb59b8c0d6

SHA256
8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349

SHA512
7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES4E9E.tmp

Filesize
1KB

MD5
109225f8374e54a66823c10d6d934b0b

SHA1
d12c4fd3ddd6a90d890422cf011ea6f6a7d90fff

SHA256
733d4b35ea0520f01e9e86a9daf6c43b4656080080072c64fcb3c122f7fbccd7

SHA512
ca45495621f41cdd4abb28993cc00040bc8c498c55bf121329a382cd88a83722d7a875dc967c1d7a5fa9615b5b1afcc468fa3cf88aab766c9b11e5d8ac6bacd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\djtmpzlf.dll

Filesize
76KB

MD5
49b6757fa822faad0bf25ecdc9a871a9

SHA1
8a64eec67545d92df5f36cbd1a2b396ffdc9afee

SHA256
d0ecf5de80afe95f6c454fea90c3e968b60c71a5dc02b8dc495011c810c22950

SHA512
ceaff2c273a2d26e3851797261603e71cc9942fb2d8575cb508b24b42adc9d36973fc210b2b6301f77a46676462f3dc56fb3f81c98ee75923f64de188bc5be44

Download Submit
C:\Users\Admin\AppData\Roaming\AudioDriver\AudoDriver.exe

Filesize
1.5MB

MD5
b73c62ae01e5afb4e6f9295663d6e4d7

SHA1
4bc872c0d89e5790de2f8d531d1c940714a6749c

SHA256
83e6a80db984b2ca27ad53fa4b5dbda611ac315eda9ddbcbe96067d3e15816fa

SHA512
89dc11c7f3d5aaf998adbb5e79e7cf1ef74bc9eb89809cfe3b485a4ef6c20982c8add263db64c5df3d38541cb51d58e6b37530da079cb425870349bc0836f24a

Download Submit
C:\Users\Admin\AppData\Roaming\AudioDriver\AudoDriver.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC4E9D.tmp

Filesize
676B

MD5
a631df23f5f0084bd260ca7766ad82a4

SHA1
4a15a30f607ecfc24dbada52cf361ce117382cdd

SHA256
e029fa78b0531b7e0f34787844f86435af87ff82c1d28f0a6f368611d2d1ad32

SHA512
75cde01fdfadace6ddfba74f72c8e8473b1d9e34e3767b5c383d022b8b52db2259dec1bf09ef57b06bf8d5ecaaf7d681e31202069f1323f0b0b990c0673bdc87

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\djtmpzlf.0.cs

Filesize
208KB

MD5
baacad55a67206aaaa62cd8d6604089f

SHA1
ce17cc9e1701bd3c354d6393646ec21643ad73bc

SHA256
a8d0a71c4f0e573b679d5a48d62b186bac97a16f3b56133a1195da1a7eb5907d

SHA512
eead297c6f10a7bf7cf20701632a2539761f4bc45f51fcff4b2ccc5728b9d85f6e36010e209b90ebc1220e17ee59b99fe8e79cf6349de51e596fdf3460089046

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\djtmpzlf.cmdline

Filesize
347B

MD5
58599bb798bb7ab939b92505b2b16047

SHA1
fd3b6015b8052ec78c65981beb1e4eada988c8bd

SHA256
082ae5562a67ad539448afd5c2a0878bf4794eb4af193d95a21cd027d18f02da

SHA512
e36925f207e99145c95b53da376786f41a11ef1684e5f091e7a78597289e419d425e89bc50c781aac873174054b8d05261c513df1f10613785e399f50f38e924

Download Submit
memory/1092-9-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/1092-42-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/1092-10-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/1092-6-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/1556-50-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1556-53-0x0000000004F40000-0x0000000004F9C000-memory.dmp

Filesize
368KB

Download
memory/1556-52-0x0000000000FB0000-0x0000000000FBE000-memory.dmp

Filesize
56KB

Download
memory/1556-55-0x0000000005BA0000-0x0000000005BEE000-memory.dmp

Filesize
312KB

Download
memory/1556-56-0x0000000005BF0000-0x0000000005C08000-memory.dmp

Filesize
96KB

Download
memory/1556-57-0x0000000005F50000-0x0000000006112000-memory.dmp

Filesize
1.8MB

Download
memory/1556-54-0x00000000050D0000-0x00000000050E2000-memory.dmp

Filesize
72KB

Download
memory/1556-58-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/1748-12-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/1748-0-0x0000000075172000-0x0000000075173000-memory.dmp

Filesize
4KB

Download
memory/1748-1-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/1748-2-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/1748-3-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/1748-4-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/2388-47-0x00000000086C0000-0x0000000008810000-memory.dmp

Filesize
1.3MB

Download
memory/2388-43-0x0000000000F90000-0x000000000110E000-memory.dmp

Filesize
1.5MB

Download
memory/2388-49-0x0000000005590000-0x0000000005598000-memory.dmp

Filesize
32KB

Download
memory/2388-48-0x0000000009DF0000-0x0000000009E8C000-memory.dmp

Filesize
624KB

Download
memory/2388-44-0x00000000061B0000-0x0000000006754000-memory.dmp

Filesize
5.6MB

Download
memory/2388-46-0x0000000005BB0000-0x0000000005BBA000-memory.dmp

Filesize
40KB

Download
memory/2388-45-0x0000000005B00000-0x0000000005B92000-memory.dmp

Filesize
584KB

Download
memory/5048-25-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download
memory/5048-18-0x0000000075170000-0x0000000075721000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing