Extracted

• • Target

    f482f02149622205c6d5ed988aae617c_JaffaCakes118

  • Size

    905KB

  • MD5

    f482f02149622205c6d5ed988aae617c

  • SHA1

    8126947af7338744dc8c7f5ea9a17e9c20dd33dc

  • SHA256

    fd2421c6582e3d7fcf917b7e3c24309e20731f828bdb8505076dafaf4cd9ee9e

  • SHA512

    7b69d4f838c4275d0a73699ad35b7152abef34e75b13787e1a253b6a0f2c7826685e6484d8e32da4c6719e94da364a400396a0a5d751ee58a9c9ff66cadce4e5

  • SSDEEP

    12288:X0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCl/2Nr6BNRCpepD25r7dG1lFlWM:ApP4MROxnFMOVrrcI0AilFEvxHPeoo0

  Score

  10^/10

  orcusaadiscoverypersistenceratspywarestealer

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus

  • Orcus main payload

  • Orcurs Rat Executable

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence
  behavioral1behavioral2