orcus | b3f6aea2a38444bce16dca8a8ee5e8e34bfac373f265d9fba48ae9cc8e98d509

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-08-2024 08:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1ec8b5553c1d4a8608cc48bdcdbfee3_JaffaCakes118.exe
Size

4.0MB
MD5

a1ec8b5553c1d4a8608cc48bdcdbfee3
SHA1

7518b6aeedf0c08b4657d35c2e7ae40db4ca56e8
SHA256

b3f6aea2a38444bce16dca8a8ee5e8e34bfac373f265d9fba48ae9cc8e98d509
SHA512

86ba03e934d5c4a625cf75cd85450227c7360e326b9478629cb2d6c570ba8746ee818446a85d4c163ae331440adca9103d52fff68b18669794c2f48079d68aef
SSDEEP

98304:+viz/27qWGq/TzuqCDl2Ptao7jpMM9uDvb45NytprUNi:+viq75/TzufVjf0cGNi

Score

10^/10

orcus discovery persistence rat spyware stealer

Malware Config

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023460-35.dat	family_orcus

Orcurs Rat Executable 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023460-35.dat	orcus

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	CDS.exe

Executes dropped EXE 2 IoCs

pid	Process
4076	CDS.exe
708	crypted.exe

Loads dropped DLL 1 IoCs

pid	Process
4076	CDS.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	a1ec8b5553c1d4a8608cc48bdcdbfee3_JaffaCakes118.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	crypted.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	crypted.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	crypted.exe
File created	C:\Windows\assembly\Desktop.ini	crypted.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	crypted.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CDS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1ec8b5553c1d4a8608cc48bdcdbfee3_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4076	CDS.exe
4076	CDS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4764	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4764	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4076	CDS.exe
4076	CDS.exe
708	crypted.exe
3980	csc.exe
4908	cvtres.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 4076	2396	a1ec8b5553c1d4a8608cc48bdcdbfee3_JaffaCakes118.exe	85
PID 2396 wrote to memory of 4076	2396	a1ec8b5553c1d4a8608cc48bdcdbfee3_JaffaCakes118.exe	85
PID 2396 wrote to memory of 4076	2396	a1ec8b5553c1d4a8608cc48bdcdbfee3_JaffaCakes118.exe	85
PID 4076 wrote to memory of 708	4076	CDS.exe	89
PID 4076 wrote to memory of 708	4076	CDS.exe	89
PID 708 wrote to memory of 3980	708	crypted.exe	91
PID 708 wrote to memory of 3980	708	crypted.exe	91
PID 3980 wrote to memory of 4908	3980	csc.exe	93
PID 3980 wrote to memory of 4908	3980	csc.exe	93

C:\Users\Admin\AppData\Local\Temp\a1ec8b5553c1d4a8608cc48bdcdbfee3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a1ec8b5553c1d4a8608cc48bdcdbfee3_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe
    "C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe"
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:708
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2uixjlbt.cmdline"
      4⤵
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3980
    - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84E0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC84DF.tmp"
        5⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4908

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x528
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2uixjlbt.dll

Filesize
76KB

MD5
38aec8ba0f7e0b9bc56cb6242cd318e0

SHA1
8177e54c9fbca27b639f39373fc21ed415d38e2c

SHA256
ec051d39c338ba8c759d0c25568cd4876c68ce4955aa8e5b1c9cfdb660ce7ff7

SHA512
ce42ea7d36e49b17c3ee362424ae59a400d8879d371928449d75ce86b655c38e0960fce94431d4b526871cddb8a3202185072a8fb061390890f261d182eca87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\630_10.png

Filesize
2KB

MD5
340b294efc691d1b20c64175d565ebc7

SHA1
81cb9649bd1c9a62ae79e781818fc24d15c29ce7

SHA256
72566894059452101ea836bbff9ede5069141eeb52022ab55baa24e1666825c9

SHA512
1395a8e175c63a1a1ff459a9dac437156c74299272e020e7e078a087969251a8534f17244a529acbc1b6800a97d4c0abfa3c88f6fcb88423f56dfaae9b49fc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.cdd

Filesize
13KB

MD5
3e7ecaeb51c2812d13b07ec852d74aaf

SHA1
e9bdab93596ffb0f7f8c65243c579180939acb26

SHA256
e7e942993864e8b18780ef10a415f7b93924c6378248c52f0c96895735222b96

SHA512
635cd5173b595f1905af9eeea65037601cf8496d519c506b6d082662d438c26a1bfe653eaf6edcb117ccf8767975c37ab0238ca4c77574e2706f9b238a15ad4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CDS.exe

Filesize
6.1MB

MD5
424bf196deaeb4ddcafb78e137fa560a

SHA1
007738e9486c904a3115daa6e8ba2ee692af58c8

SHA256
0963cef2f742a31b2604fe975f4471ae6a76641490fe60805db744fef9bdd5d2

SHA512
a9be6dd5b2ed84baea34e0f1b1e8f5388ce3662c5dcb6a80c2d175be95f9598312837420c07b52cdfaa9e94bcffd8c7a2b9db2b551dfac171bce4b92f466e797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\c.dat

Filesize
922KB

MD5
3dc482cedd933b8d8261a32da8338bd5

SHA1
42d90c8dcd94d85581e4584aadd06289f105717e

SHA256
0be03d028fe873715337cb6f1f563821c5236b2f3626c8d8747a676e56d60596

SHA512
ce349203c1cfbd38259778a8d6b9266c9a5c331ed68b39ffe6118d1e874b866ebeb9bc72faedc7a6ecd7f7874ed9322a8b05e39a33561c34fa75a778d5deec1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\crypted.exe

Filesize
922KB

MD5
6bf0baf79a748416f9f2b1c8e2d0ffce

SHA1
73c80be0c56711ee7b238d9482f91037d178205b

SHA256
f597c7bb98f495660d7cb188a487102dda75d9023a23a59fe21664986891f300

SHA512
ad1a91273f62b761a2ebeeb0c83f2b97adfa34ba2b72d12fa5ea6304b66ca465c30f5c20dbe2261a588bf74c1bc95af7eb41ed0f193870bf6015aecc3d414bf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\fs.settings

Filesize
5B

MD5
68934a3e9455fa72420237eb05902327

SHA1
7cb6efb98ba5972a9b5090dc2e517fe14d12cb04

SHA256
fcbcf165908dd18a9e49f7ff27810176db8e9f63b4352213741664245224f8aa

SHA512
719fa67eef49c4b2a2b83f0c62bddd88c106aaadb7e21ae057c8802b700e36f81fe3f144812d8b05d66dc663d908b25645e153262cf6d457aa34e684af9e328d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lua5.1.dll

Filesize
322KB

MD5
c3256800dce47c14acc83ccca4c3e2ac

SHA1
9d126818c66991dbc3813a65eddb88bbcf77f30a

SHA256
f26f4f66022acc96d0319c09814ebeda60f4ab96b63b6262045dc786dc7c5866

SHA512
6865a98ad8a6bd02d1ba35a28b36b6306af393f5e9ad767cd6da027bb021f7399d629423f510c44436ac3e4603b6c606493edf8b14d21fabf3eab16d37bd0d25

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES84E0.tmp

Filesize
1KB

MD5
a1397f243970cfec237b9ac10698f9a0

SHA1
1bfbf6ae1d6434dbabd894b17e130481d5512a47

SHA256
8d4a5f6b6e7b18eec755eebe30fecf0ecbc50f5c06a91351820177623c614865

SHA512
8bd3f5d09213f4dacc4d512c1b617dae3342e3b89f33edfe97e7bec5ebe2ef6699b587a0ae6aef0eccb53ad9c933bcdf76700cf77ea564f7a47770ea4696ae73

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2uixjlbt.0.cs

Filesize
208KB

MD5
55469394fe8b0109778e9c569f11fbe3

SHA1
b253a3139b508b7085c023f496afd60aeea592e5

SHA256
88db4cfab660b3e45cfc68d708b2a13f850d4f60713af3fc697d5871fac8b9b2

SHA512
f054995197bbd9de97f1c75dcd09ba5aedaca6e1e587ece2bf95860036afb0eb0334e650bc85f4be48364ef096b1138ec38892a16983ba9be35f286731ce8af2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\2uixjlbt.cmdline

Filesize
349B

MD5
8b6037bc1c437d3cde93f7830c6fd055

SHA1
102881cca7689ed60d623e3d33d876de6a65236e

SHA256
36e69c58bd042b09476009938b0bf422f7ed01ec169776aecaf7b9631c50f820

SHA512
221216fd51ea8de21013949a9d3cc227c31b380fa3ec1da629314f6f35914ca707e2e4ff9a292150112e9656b9bce6059d5ba2e8c298ffcad3c0746739a5ad64

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC84DF.tmp

Filesize
676B

MD5
971ecd145ea5a60b85d05110c3d88abb

SHA1
7bf55472773a8c116beac6f5e737c9c0cad67447

SHA256
52b6d9cee7ca108e227e736ef7810a3d07d4fc56cea1b1cbf375055d573c805b

SHA512
ffd41adbb3eae2af93ab3a596a32720f139ddc60d7c6a670f2470dc9afd4eb3d09462fe467f3f9f63353e2cf15c36291518288eeabfd81ede22f017800f3cac7

Download Submit
memory/708-47-0x000000001C1A0000-0x000000001C23C000-memory.dmp

Filesize
624KB

Download
memory/708-46-0x000000001BC30000-0x000000001C0FE000-memory.dmp

Filesize
4.8MB

Download
memory/708-45-0x000000001B720000-0x000000001B72E000-memory.dmp

Filesize
56KB

Download
memory/708-42-0x000000001B500000-0x000000001B55C000-memory.dmp

Filesize
368KB

Download
memory/708-60-0x000000001C840000-0x000000001C856000-memory.dmp

Filesize
88KB

Download
memory/708-62-0x00000000027A0000-0x00000000027B2000-memory.dmp

Filesize
72KB

Download
memory/708-63-0x0000000002570000-0x0000000002578000-memory.dmp

Filesize
32KB

Download
memory/708-64-0x0000000002580000-0x0000000002588000-memory.dmp

Filesize
32KB

Download