orcus

General

Target

5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118
Size

8.0MB
Sample

240719-1tx4kavhla
MD5

5dd4c0fb60f349296f7d0323c4fffd68
SHA1

7df0abcd02c09b40776637bb7d24a1d53e8de1e5
SHA256

9b5ce68573217ab0bb483e06f03f8b8b43c410d3dc78ce9d742b90c88ae1b8e3
SHA512

828d6ad7ae9ff8c78c4efeecac181e7d96cede8eb7b3369372e591a431fedc62c38e0c24aa87ed2e2fa167b83ab1abefad0e11849ef49c5e361c750c09e94f4d
SSDEEP

384:G0qV0gPnGgKU1N6ZF4JJ9zYIQPA03DTx3e8ko7iopioMvcd01dQghOblQH5D/K/D:G0YCMhib

Score

10^/10

Malware Config

Extracted

Family

orcus

Botnet

Windows Update

C2

azxsdc.duckdns.org:54115

Mutex

3dce8870ca1f4ac8ad1ff166a6813d2e

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programfiles%\Windows\Update.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Windows Update
watchdog_path
AppData\Windows Update.exe

Targets

- Target
  
  5dd4c0fb60f349296f7d0323c4fffd68_JaffaCakes118
- Size
  
  8.0MB
- MD5
  
  5dd4c0fb60f349296f7d0323c4fffd68
- SHA1
  
  7df0abcd02c09b40776637bb7d24a1d53e8de1e5
- SHA256
  
  9b5ce68573217ab0bb483e06f03f8b8b43c410d3dc78ce9d742b90c88ae1b8e3
- SHA512
  
  828d6ad7ae9ff8c78c4efeecac181e7d96cede8eb7b3369372e591a431fedc62c38e0c24aa87ed2e2fa167b83ab1abefad0e11849ef49c5e361c750c09e94f4d
- SSDEEP
  
  384:G0qV0gPnGgKU1N6ZF4JJ9zYIQPA03DTx3e8ko7iopioMvcd01dQghOblQH5D/K/D:G0YCMhib
Score

10^/10

orcus windows update evasion execution persistence rat spyware stealer trojan
- Modifies WinLogon for persistence
  persistence
- Modifies Windows Defender Real-time Protection settings
  evasion trojan
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Turns off Windows Defender SpyNet reporting
  evasion
- Windows security bypass
  evasion trojan
- Looks for VirtualBox Guest Additions in registry
  evasion
- Orcurs Rat Executable
- Command and Scripting Interpreter: PowerShell
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  execution
- Looks for VMWare Tools registry key
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Windows security modification
  evasion trojan
- Adds Run key to start application
  persistence
- Legitimate hosting services abused for malware hosting/C2
- Maps connected drives based on registry
  Disk information is often read in order to detect sandboxing environments.
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1 behavioral2