orcus | df9c59edbf0193a7dd056169d6430583_JaffaCakes118 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

df9c59edbf0193a7dd056169d6430583_JaffaCakes118
Size

910KB
MD5

df9c59edbf0193a7dd056169d6430583
SHA1

75614bd0532c39f436f58f7cd438b203109b2c70
SHA256

364e724220241d26ecba8d715464c7a911adac345442a0ea770f72408e2b6536
SHA512

3a489ff84c3c3f4abfa7907881fd19feb552eb2d69316756cc148b5f94b216ca1ce938c702c336c8b904160c0c0a431db3c7cc1489f740fb9b465f9687409424
SSDEEP

24576:R1X4MROxnFf3Jz9rrcI0AilFEvxHPBMoooi:R+MidHrrcI0AilFEvxHPBM

Score

10^/10

orcus

Malware Config

Extracted

Family

orcus

C2

5.83.161.4:10134

Mutex

39c73b35086c452fa2e49add91307588

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%USERPROFILE%\.temp\Edge\cache\js\js.exe
reconnect_delay
10000
registry_keyname
Orcus
taskscheduler_taskname
Orcus
watchdog_path
AppData\OneDrive.exe

Signatures

Orcurs Rat Executable 1 IoCs

resource	yara_rule
sample	orcus

Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
sample	family_orcus

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
df9c59edbf0193a7dd056169d6430583_JaffaCakes118

Files

df9c59edbf0193a7dd056169d6430583_JaffaCakes118
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_HIGH_ENTROPY_VA
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 905KB - Virtual size: 905KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ