Overview

overview

10

Static

static

3

e0249e4226...18.exe

windows7-x64

10

e0249e4226...18.exe

windows10-2004-x64

7

Sharing

Copy URL
Twitter E-mail

General

  • Target

    e0249e422687e4b2cef9cd251a9ea0c9_JaffaCakes118

  • Size

    1.2MB

  • Sample

    240914-n76xeatbkd

  • MD5

    e0249e422687e4b2cef9cd251a9ea0c9

  • SHA1

    33ba532d68f786bca393dd1a6571e3a8f0966a0f

  • SHA256

    c6ebb937dc2838435fc5fb5117857910870ea3a94d64374a3a5ac61c983bcd4e

  • SHA512

    066604607908cc403e15cbcdf12f293fd8261c0726ba716cde646249ff477e2db0f29d0686ff95eef982a19b28ba3b13a1e4777c28eee042b922faf1056393d8

  • SSDEEP

    24576:cEoGAkFupwOQxFLRhgbRc8RhaBVf7CWchK1KFC6E:7TBuwnVh02O+GWcnF

Score
10/10
orcusdiscoveryratspywarestealer

Malware Config

Extracted

Family

orcus

C2

81.92.202.149

Mutex

2c31f355cfb24cada19a7e48f314db0a

Attributes
  • administration_rights_required

    false

  • anti_debugger

    false

  • anti_tcp_analyzer

    false

  • antivm

    false

  • autostart_method

    1

  • change_creation_date

    false

  • force_installer_administrator_privileges

    false

  • hide_file

    false

  • install

    false

  • installation_folder

    %appdata%\Microsoft\Speech\AudioDriver.exe

  • installservice

    false

  • keylogger_enabled

    false

  • newcreationdate

    01/17/2018 11:21:17

  • plugins

    AgEAAA==

  • reconnect_delay

    10000

  • registry_autostart_keyname

    Audio HD Driver

  • registry_hidden_autostart

    false

  • set_admin_flag

    false

  • tasksch_name

    Audio HD Driver

  • tasksch_request_highest_privileges

    false

  • try_other_autostart_onfail

    false

aes.plain

Targets

    • Target

      e0249e422687e4b2cef9cd251a9ea0c9_JaffaCakes118

    • Size

      1.2MB

    • MD5

      e0249e422687e4b2cef9cd251a9ea0c9

    • SHA1

      33ba532d68f786bca393dd1a6571e3a8f0966a0f

    • SHA256

      c6ebb937dc2838435fc5fb5117857910870ea3a94d64374a3a5ac61c983bcd4e

    • SHA512

      066604607908cc403e15cbcdf12f293fd8261c0726ba716cde646249ff477e2db0f29d0686ff95eef982a19b28ba3b13a1e4777c28eee042b922faf1056393d8

    • SSDEEP

      24576:cEoGAkFupwOQxFLRhgbRc8RhaBVf7CWchK1KFC6E:7TBuwnVh02O+GWcnF

    Score
    10/10
    orcusdiscoveryratspywarestealer

    • Orcus

      Orcus is a Remote Access Trojan that is being sold on underground forums.

      ratspywarestealerorcus

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks