General

  • Target

    312b1128674c976d45ff0478778a9fdb_JaffaCakes118

  • Size

    4.0MB

  • Sample

    240709-t719tavfne

  • MD5

    312b1128674c976d45ff0478778a9fdb

  • SHA1

    305f6f76c5cd03d74254b8c98db2d05d216711e2

  • SHA256

    1035139c84fdc031163e49fc0f46a46dc7ab0aaf582d72997b91fde6d350d78b

  • SHA512

    8e9d256af4cd151874c08a477eb6e92ec5ff8d2ceaf3031ab58e7f738f2ff0b3a27239e2e8c918cc021d744a17d012a56d55013db87d6cc982338391c0f01b78

  • SSDEEP

    98304:uviz/27qWGq/TzuqCDl2Ptao7jPnKv4revaIf5DWOSiNc:uviq75/Tzuf8evac5qSNc

Malware Config

Extracted

Family

orcus

C2

127.0.0.1:1111

Mutex

c8accabdde3b4ed1972285dab60d7660

Attributes

  • autostart_method

    Registry

  • enable_keylogger

    true

  • install_path

    %programfiles%\ORK\ORK_AntiMalware10.exe

  • reconnect_delay

    10000

  • registry_keyname

    ORK_AntM10

  • taskscheduler_taskname

    ORK_AntM10

  • watchdog_path

    AppData\ORK_WatchD10.exe

Targets

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcus RAT Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

MITRE ATT&CK Enterprise v15