orcus | b3f6aea2a38444bce16dca8a8ee5e8e34bfac373f265d9fba48ae9cc8e98d509

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
17/08/2024, 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1ec8b5553c1d4a8608cc48bdcdbfee3_JaffaCakes118.exe
Size

4.0MB
MD5

a1ec8b5553c1d4a8608cc48bdcdbfee3
SHA1

7518b6aeedf0c08b4657d35c2e7ae40db4ca56e8
SHA256

b3f6aea2a38444bce16dca8a8ee5e8e34bfac373f265d9fba48ae9cc8e98d509
SHA512

86ba03e934d5c4a625cf75cd85450227c7360e326b9478629cb2d6c570ba8746ee818446a85d4c163ae331440adca9103d52fff68b18669794c2f48079d68aef
SSDEEP

98304:+viz/27qWGq/TzuqCDl2Ptao7jpMM9uDvb45NytprUNi:+viq75/TzufVjf0cGNi

Score

10^/10

orcus klaiet discovery persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

KLAIET

127.0.0.1:1111

Mutex

84015be7292c428081db1c06a27ad79a

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\ORK_Kriska\ORK.exe
reconnect_delay
10000
registry_keyname
ORK
taskscheduler_taskname
ORK
watchdog_path
Temp\ORK_WatchDG.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019557-37.dat	family_orcus

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral1/files/0x0005000000019557-37.dat	orcus

Executes dropped EXE 2 IoCs

pid	Process
2504	CDS.exe
2868	crypted.exe

Loads dropped DLL 8 IoCs

pid	Process
2524	a1ec8b5553c1d4a8608cc48bdcdbfee3_JaffaCakes118.exe
2504	CDS.exe
2504	CDS.exe
2504	CDS.exe
2504	CDS.exe
2504	CDS.exe
2504	CDS.exe
2504	CDS.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a1ec8b5553c1d4a8608cc48bdcdbfee3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1ec8b5553c1d4a8608cc48bdcdbfee3_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CDS.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2504	CDS.exe
2504	CDS.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2504	CDS.exe
2504	CDS.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2504	2524	a1ec8b5553c1d4a8608cc48bdcdbfee3_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2504	2524	a1ec8b5553c1d4a8608cc48bdcdbfee3_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2504	2524	a1ec8b5553c1d4a8608cc48bdcdbfee3_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2504	2524	a1ec8b5553c1d4a8608cc48bdcdbfee3_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2504	2524	a1ec8b5553c1d4a8608cc48bdcdbfee3_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2504	2524	a1ec8b5553c1d4a8608cc48bdcdbfee3_JaffaCakes118.exe	30
PID 2524 wrote to memory of 2504	2524	a1ec8b5553c1d4a8608cc48bdcdbfee3_JaffaCakes118.exe	30
PID 2504 wrote to memory of 2868	2504	CDS.exe	31
PID 2504 wrote to memory of 2868	2504	CDS.exe	31
PID 2504 wrote to memory of 2868	2504	CDS.exe	31
PID 2504 wrote to memory of 2868	2504	CDS.exe	31
PID 2504 wrote to memory of 2868	2504	CDS.exe	31
PID 2504 wrote to memory of 2868	2504	CDS.exe	31
PID 2504 wrote to memory of 2868	2504	CDS.exe	31
PID 2868 wrote to memory of 2600	2868	crypted.exe	32
PID 2868 wrote to memory of 2600	2868	crypted.exe	32
PID 2868 wrote to memory of 2600	2868	crypted.exe	32
PID 2868 wrote to memory of 2600	2868	crypted.exe	32
PID 2868 wrote to memory of 2600	2868	crypted.exe	32
PID 2600 wrote to memory of 3012	2600	csc.exe	34
PID 2600 wrote to memory of 3012	2600	csc.exe	34
PID 2600 wrote to memory of 3012	2600	csc.exe	34
PID 2600 wrote to memory of 3012	2600	csc.exe	34
PID 2600 wrote to memory of 3012	2600	csc.exe	34

C:\Users\Admin\AppData\Local\Temp\a1ec8b5553c1d4a8608cc48bdcdbfee3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1ec8b5553c1d4a8608cc48bdcdbfee3_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ai1ncue2.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB3E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAB3D.tmp"
        5⤵
        
        PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png

Filesize
2KB

MD5
340b294efc691d1b20c64175d565ebc7

SHA1
81cb9649bd1c9a62ae79e781818fc24d15c29ce7

SHA256
72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

SHA512
1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd

Filesize
13KB

MD5
3e7ecaeb51c2812d13b07ec852d74aaf

SHA1
e9bdab93596ffb0f7f8c65243c579180939acb26

SHA256
e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

SHA512
635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat

Filesize
922KB

MD5
3dc482cedd933b8d8261a32da8338bd5

SHA1
42d90c8dcd94d85581e4584aadd06289f105717e

SHA256
0be03d028fe873715337cb6f1f563821c5236b2f3626c8d8747a676e56d60596

SHA512
ce349203c1cfbd38259778a8d6b9266c9a5c331ed68b39ffe6118d1e874b866ebeb9bc72faedc7a6ecd7f7874ed9322a8b05e39a33561c34fa75a778d5deec1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings

Filesize
5B

MD5
68934a3e9455fa72420237eb05902327

SHA1
7cb6efb98ba5972a9b5090dc2e517fe14d12cb04

SHA256
fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa

SHA512
719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAB3E.tmp

Filesize
1KB

MD5
097c0105f44ae9a5b3e18cfa135f512a

SHA1
972c14ebeeeeb58d46e4ff3396dd58af34278f25

SHA256
096ee0214017cead904c09ab4880ae6d4f470634fd57da74af5b71727859ed54

SHA512
39e31792efa75dd3c8cfdd3ef3c8969a4d780bb48728bd94c9af409def0e3f36628a6f2755b6c40905bf39e8e7ab3794c13b6e7386c4c27c0a6f1d76ec8cfcdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ai1ncue2.dll

Filesize
76KB

MD5
c9eeb9805bed5118c9d47e34cf7ff819

SHA1
e4fc2271df9d6dbb40f16e332572a17966f35b5d

SHA256
b92386f55c71e006b4afede88e41c97485ab3aed92dbbb22babd5559f4a881e3

SHA512
3f055f84dc8b689a2858b0108844d25cfaedbff215992ceae810a1635e210032adf5ec47a375c98a697779195894760087051682a399d8a0de7e9c7b05888e75

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCAB3D.tmp

Filesize
676B

MD5
d0ea74c7b02ca996045574875a5c7f46

SHA1
96607e4fc1d96eaf7e5929b9e7fe00a5bd1730e3

SHA256
aa8ed60a57952ac6d150688ce860d953455e6585d77e272c4bf810d5d257d1aa

SHA512
6a8d4215741f1b49846e5b76ffab00a808a9c772df2812011601fd2148b6b285a0025fe36aa536345ecd95f2ef0e50511710c8711c785367bab37acf2205e7bc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ai1ncue2.0.cs

Filesize
208KB

MD5
2b14ae8b54d216abf4d228493ceca44a

SHA1
d134351498e4273e9d6391153e35416bc743adef

SHA256
4e1cc3da1f7bf92773aae6cffa6d61bfc3e25aead3ad947f6215f93a053f346c

SHA512
5761b605add10ae3ef80f3b8706c8241b4e8abe4ac3ce36b7be8a97d08b08da5a72fedd5e976b3c9e1c463613a943ebb5d323e6a075ef6c7c3b1abdc0d53ac05

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ai1ncue2.cmdline

Filesize
349B

MD5
1cfc3fe111708048310f43d020fcb9a9

SHA1
fdabce95204d0b128b3a28c48acf8df46d1779a0

SHA256
706924d02e97b96d7cdfb90d514d21a76b96723b965edec9362c2e9af4b1bd8b

SHA512
002977add3df5f91d5ff73543bb7c402c23b53265bddc9a9fdee90f7789d5978613c9f8f4c9ea537f50abb1b8be0f687888dac8ce00dc4df47796dd0d934acbd

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

Filesize
922KB

MD5
6bf0baf79a748416f9f2b1c8e2d0ffce

SHA1
73c80be0c56711ee7b238d9482f91037d178205b

SHA256
f597c7bb98f495660d7cb188a487102dda75d9023a23a59fe21664986891f300

SHA512
ad1a91273f62b761a2ebeeb0c83f2b97adfa34ba2b72d12fa5ea6304b66ca465c30f5c20dbe2261a588bf74c1bc95af7eb41ed0f193870bf6015aecc3d414bf6

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll

Filesize
322KB

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
memory/2868-50-0x0000000000480000-0x000000000048E000-memory.dmp

Filesize
56KB

Download
memory/2868-49-0x00000000007E0000-0x000000000083C000-memory.dmp

Filesize
368KB

Download
memory/2868-63-0x0000000000860000-0x0000000000876000-memory.dmp

Filesize
88KB

Download
memory/2868-65-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/2868-66-0x00000000006B0000-0x00000000006B8000-memory.dmp

Filesize
32KB

Download