orcus

General

Target

c33762fe5120bcdcfdb56c4a0d8126e2_JaffaCakes118
Size

1.2MB
Sample

240826-r5raqa1ajm
MD5

c33762fe5120bcdcfdb56c4a0d8126e2
SHA1

61c60c3bbbcc2cf193ac9fff49e597bf434ae411
SHA256

3360c8f07e4ce26cb16bbc656980f531dc60e6ea328bbcf2beaca78d977d7e89
SHA512

6b02d024b71e21f3448cc5e9cd7e3b056766fb1571c64f4957986dedb3822bb926ed2a2403ba37ead24f9205af95fb6acdfee7eb895e2d7485a36fc5ad6fbd9c
SSDEEP

24576:88YIIIIf1OOoPIz+sSvJ+moGlpzCwYuO61TlLdT40DLK/k5aBwO:8yPIG9oGZW

Score

10^/10

Malware Config

Extracted

Family

orcus

C2

81.92.202.149

Mutex

2c31f355cfb24cada19a7e48f314db0a

Attributes

administration_rights_required
false
anti_debugger
false
anti_tcp_analyzer
false
antivm
false
autostart_method
1
change_creation_date
false
force_installer_administrator_privileges
false
hide_file
false
install
false
installation_folder
%appdata%\Microsoft\Speech\AudioDriver.exe
installservice
false
keylogger_enabled
false
newcreationdate
01/17/2018 11:21:17
plugins
AgEAAA==
reconnect_delay
10000
registry_autostart_keyname
Audio HD Driver
registry_hidden_autostart
false
set_admin_flag
false
tasksch_name
Audio HD Driver
tasksch_request_highest_privileges
false
try_other_autostart_onfail
false

aes.plain

Targets

- Target
  
  c33762fe5120bcdcfdb56c4a0d8126e2_JaffaCakes118
- Size
  
  1.2MB
- MD5
  
  c33762fe5120bcdcfdb56c4a0d8126e2
- SHA1
  
  61c60c3bbbcc2cf193ac9fff49e597bf434ae411
- SHA256
  
  3360c8f07e4ce26cb16bbc656980f531dc60e6ea328bbcf2beaca78d977d7e89
- SHA512
  
  6b02d024b71e21f3448cc5e9cd7e3b056766fb1571c64f4957986dedb3822bb926ed2a2403ba37ead24f9205af95fb6acdfee7eb895e2d7485a36fc5ad6fbd9c
- SSDEEP
  
  24576:88YIIIIf1OOoPIz+sSvJ+moGlpzCwYuO61TlLdT40DLK/k5aBwO:8yPIG9oGZW
Score

10^/10

orcus discovery rat spyware stealer
- Orcus
  Orcus is a Remote Access Trojan that is being sold on underground forums.
  rat spyware stealer orcus
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

Sharing

General

Malware Config

Extracted

Targets

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks

static1

behavioral1

behavioral2