General

  • Target

    3e76b62f8107c6b2b18ddd1647ae3435_JaffaCakes118

  • Size

    915KB

  • Sample

    240712-xfhj6sxgpd

  • MD5

    3e76b62f8107c6b2b18ddd1647ae3435

  • SHA1

    4e9debcc3392895a5157c6dd7b737a5fcac15ea3

  • SHA256

    62df9dcd9017a57bfce1c0186a89ee58e1d7c16e844fa09199f5f5870a0f025d

  • SHA512

    dc6480198ee0cf1b71b8b8bf89768272fc7177658ae4f411348b80ac99c852784152f5fcbeb27d87ae2b8eaeabeb1ee10d4f85487b7da92e8bfc606527e2fff6

  • SSDEEP

    24576:dsw4MROxnFD35EsYxrZlI0AilFEvxHiJ2u:dsTMiJArZlI0AilFEvxHiJ

Malware Config

Extracted

Family

orcus

Botnet

rage

C2

f.zapto.org:1337

Mutex

33fe8bf2eb45443293e1cbf8df6864c2

Attributes
  • autostart_method

    TaskScheduler

  • enable_keylogger

    true

  • install_path

    %localappdata%\Microsoft\Defender\Logs

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    OneDrive Update

  • watchdog_path

    Temp\OneDrive.exe
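
The extracted configuration above maps directly onto host and network hunt indicators: the C2 hostname, the mutex, the expanded install directory, the scheduled-task name, the watchdog binary path and the Run value name. The Python below is an added example, not part of this sandbox report or of the Orcus code base; it derives search patterns from the config fields and runs them over a handful of constructed telemetry lines (Sysmon-style events, schtasks output, a handle listing). The event field names, the user name and SID, the dropped filename svchost.exe, and the use of registry_keyname as a Run value name are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Extracted Orcus config, copied from the report fields on this page.
ORCUS_CONFIG = {
    "c2": "f.zapto.org:1337",
    "mutex": "33fe8bf2eb45443293e1cbf8df6864c2",
    "autostart_method": "TaskScheduler",
    "install_path": r"%localappdata%\Microsoft\Defender\Logs",
    "registry_keyname": "Orcus",
    "taskscheduler_taskname": "OneDrive Update",
    "watchdog_path": r"Temp\OneDrive.exe",
    "reconnect_delay": 10000,
}

# Regex standing in for an expanded %localappdata% (any drive, any user).
LOCALAPPDATA_RE = r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local"


@dataclass(frozen=True)
class Hit:
    indicator: str  # which config field fired
    line: str       # the telemetry line that matched


def build_indicators(cfg: dict) -> dict[str, re.Pattern]:
    """Turn the extracted config fields into case-insensitive search patterns."""
    host, _port = cfg["c2"].rsplit(":", 1)
    install = re.escape(cfg["install_path"]).replace(
        re.escape("%localappdata%"), LOCALAPPDATA_RE)
    return {
        # Hostname with boundaries so "f.zapto.org.example" does not fire.
        "c2_host": re.compile(rf"(?<![\w.]){re.escape(host)}(?![\w.])", re.I),
        # Mutex name as it appears in a handle or object listing.
        "mutex": re.compile(re.escape(cfg["mutex"]), re.I),
        "install_path": re.compile(install, re.I),
        "taskscheduler_taskname": re.compile(
            re.escape(cfg["taskscheduler_taskname"]), re.I),
        "watchdog_path": re.compile(re.escape(cfg["watchdog_path"]), re.I),
        # Assumption: registry_keyname is used as a Run value name. A bare
        # "Orcus" would be far too noisy, so the match is scoped to the Run key.
        "registry_run_value": re.compile(
            r"\\CurrentVersion\\Run\\" + re.escape(cfg["registry_keyname"]) + r"\b",
            re.I),
    }


def scan(lines, indicators) -> list[Hit]:
    """Return one Hit per (indicator, line) pair that matches."""
    hits = []
    for line in lines:
        for name, pattern in indicators.items():
            if pattern.search(line):
                hits.append(Hit(name, line))
    return hits


def matched_indicators(lines, cfg=ORCUS_CONFIG) -> list[str]:
    """Sorted, de-duplicated names of the config fields that fired."""
    return sorted({h.indicator for h in scan(lines, build_indicators(cfg))})


# Constructed telemetry for the demo; field names and values are made up to
# look like Sysmon events, schtasks output and a handle listing.
SAMPLE_TELEMETRY = [
    r"EventID=1 Image=C:\Users\alice\AppData\Local\Microsoft\Defender\Logs\svchost.exe ParentImage=C:\Windows\explorer.exe",
    r"EventID=1 Image=C:\Windows\System32\svchost.exe ParentImage=C:\Windows\System32\services.exe",
    r"EventID=22 QueryName=f.zapto.org QueryStatus=0",
    r"EventID=3 DestinationHostname=f.zapto.org DestinationPort=1337 Protocol=tcp",
    r"EventID=11 TargetFilename=C:\Users\alice\AppData\Local\Temp\OneDrive.exe",
    r"EventID=13 TargetObject=HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Orcus",
    r"TaskName: \OneDrive Update    Status: Running",
    r"TaskName: \Microsoft\Windows\UpdateOrchestrator\Schedule Scan    Status: Ready",
    r"Mutant \Sessions\1\BaseNamedObjects\33fe8bf2eb45443293e1cbf8df6864c2",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_TELEMETRY, build_indicators(ORCUS_CONFIG)):
        print(f"{hit.indicator:24} {hit.line}")
```

Each indicator is weak on its own (a legitimate OneDrive binary under Temp, or a task named "OneDrive Update", is plausible noise), so treat a single hit as a pivot point and the install directory plus the scheduled task plus the C2 lookup together as the high-confidence combination.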

Targets

    • Target

      3e76b62f8107c6b2b18ddd1647ae3435_JaffaCakes118

    • Size

      915KB

    • MD5

      3e76b62f8107c6b2b18ddd1647ae3435

    • SHA1

      4e9debcc3392895a5157c6dd7b737a5fcac15ea3

    • SHA256

      62df9dcd9017a57bfce1c0186a89ee58e1d7c16e844fa09199f5f5870a0f025d

    • SHA512

      dc6480198ee0cf1b71b8b8bf89768272fc7177658ae4f411348b80ac99c852784152f5fcbeb27d87ae2b8eaeabeb1ee10d4f85487b7da92e8bfc606527e2fff6

    • SSDEEP

      24576:dsw4MROxnFD35EsYxrZlI0AilFEvxHiJ2u:dsTMiJArZlI0AilFEvxHiJ

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

    • Orcus main payload

    • Orcus RAT Executable

    • Checks computer location settings

      Looks up the country code configured in the registry, likely a geofence check.

    • Executes dropped EXE

    • Drops desktop.ini file(s)

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15