General
Target: e8e5114392d102b3bd444738f6d3d3d4_JaffaCakes118
Size: 627KB
Sample: 240918-mbhdhavfra
MD5: e8e5114392d102b3bd444738f6d3d3d4
SHA1: dc6b04a59e4ae55ee324c07ea052c90ed57e9f45
SHA256: 08e6c17c9d5945a005797e3abcbf9b2a656b4cd06d319a6f08941f02a85d4567
SHA512: 0ab0786ad04f10f83167c961a8e99bf8ca337b5fd0be6d4bdc5dba96028a05aae5ac6d37cb412ccce4cc98a9877ca4a14fcdd32358ee9753a045991c49a5fb21
SSDEEP: 12288:XRuGWAoOmoh4crtXdHzf/64cnndRRoNKBN9A+ruoqpoK6jl4qYn5biUY2Hiu:Bul1O/h/rtNHzf/64yaKzjrip6J4qrZ6
Static task: static1
Behavioral task: behavioral1
Sample: e8e5114392d102b3bd444738f6d3d3d4_JaffaCakes118.exe
Resource: win7-20240903-en
Malware Config
Extracted
orcus
NewStart
doddyfire.dyndns.org:10134
e3a681f1b3d044cfa729b62b59e822e2
autostart_method: Disable
enable_keylogger: true
install_path: %programfiles%\Orcus\Orcus.exe
reconnect_delay: 10000
registry_keyname: Orcus
taskscheduler_taskname: Orcus
watchdog_path: AppData\OrcusWatchdog.exe
Targets
Target: e8e5114392d102b3bd444738f6d3d3d4_JaffaCakes118
Size: 627KB
Signatures
Orcus RAT Executable
Checks computer location settings: looks up the country code configured in the registry, likely a geofence.
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of SetThreadContext