General
Target: 3e76b62f8107c6b2b18ddd1647ae3435_JaffaCakes118
Size: 915KB
Sample: 240712-xfhj6sxgpd
MD5: 3e76b62f8107c6b2b18ddd1647ae3435
SHA1: 4e9debcc3392895a5157c6dd7b737a5fcac15ea3
SHA256: 62df9dcd9017a57bfce1c0186a89ee58e1d7c16e844fa09199f5f5870a0f025d
SHA512: dc6480198ee0cf1b71b8b8bf89768272fc7177658ae4f411348b80ac99c852784152f5fcbeb27d87ae2b8eaeabeb1ee10d4f85487b7da92e8bfc606527e2fff6
SSDEEP: 24576:dsw4MROxnFD35EsYxrZlI0AilFEvxHiJ2u:dsTMiJArZlI0AilFEvxHiJ
Behavioral task: behavioral1
Sample: 3e76b62f8107c6b2b18ddd1647ae3435_JaffaCakes118.exe
Resource: win7-20240705-en

Behavioral task: behavioral2
Sample: 3e76b62f8107c6b2b18ddd1647ae3435_JaffaCakes118.exe
Resource: win10v2004-20240709-en
Malware Config
Extracted
orcus
rage
f.zapto.org:1337
33fe8bf2eb45443293e1cbf8df6864c2
autostart_method: TaskScheduler
enable_keylogger: true
install_path: %localappdata%\Microsoft\Defender\Logs
reconnect_delay: 10000
registry_keyname: Orcus
taskscheduler_taskname: OneDrive Update
watchdog_path: Temp\OneDrive.exe
Targets
Target: 3e76b62f8107c6b2b18ddd1647ae3435_JaffaCakes118
- Orcus main payload
- Orcus RAT executable
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
- Executes dropped EXE
- Drops desktop.ini file(s)
- Drops file in System32 directory