orcus | fd2421c6582e3d7fcf917b7e3c24309e20731f828bdb8505076dafaf4cd9ee9e

General

Target

f482f02149622205c6d5ed988aae617c_JaffaCakes118.exe
Size

905KB
MD5

f482f02149622205c6d5ed988aae617c
SHA1

8126947af7338744dc8c7f5ea9a17e9c20dd33dc
SHA256

fd2421c6582e3d7fcf917b7e3c24309e20731f828bdb8505076dafaf4cd9ee9e
SHA512

7b69d4f838c4275d0a73699ad35b7152abef34e75b13787e1a253b6a0f2c7826685e6484d8e32da4c6719e94da364a400396a0a5d751ee58a9c9ff66cadce4e5
SSDEEP

12288:X0XCGPSX0zbyD+ndg+QCImGYUl9qyzlkE2kUNCl/2Nr6BNRCpepD25r7dG1lFlWM:ApP4MROxnFMOVrrcI0AilFEvxHPeoo0

Score

10^/10

orcus aa discovery persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

aa

C2

75.23.178.95:214

Mutex

17e765930f6d487aae82933122a74df7

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\Orcus\Orcus.exe
reconnect_delay
10000
registry_keyname
Registry.
taskscheduler_taskname
Registry
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

Processes:

resource	yara_rule
\Program Files (x86)\Orcus\Orcus.exe	family_orcus

Orcurs Rat Executable 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2948-1-0x0000000000EE0000-0x0000000000FC8000-memory.dmp	orcus
\Program Files (x86)\Orcus\Orcus.exe	orcus
behavioral1/memory/3004-18-0x0000000000030000-0x0000000000118000-memory.dmp	orcus

Executes dropped EXE 2 IoCs

Processes:

Orcus.exeOrcus.exe

pid process

3004 Orcus.exe
2740 Orcus.exe
Loads dropped DLL 1 IoCs

Processes:

f482f02149622205c6d5ed988aae617c_JaffaCakes118.exe

pid process

2948 f482f02149622205c6d5ed988aae617c_JaffaCakes118.exe

pid	process
3004	Orcus.exe
2740	Orcus.exe

pid	process
2948	f482f02149622205c6d5ed988aae617c_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Orcus.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Registry. = "\"C:\\Program Files (x86)\\Orcus\\Orcus.exe\""	Orcus.exe

Drops file in Program Files directory 3 IoCs

Processes:

f482f02149622205c6d5ed988aae617c_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\Orcus\Orcus.exe	f482f02149622205c6d5ed988aae617c_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Orcus\Orcus.exe	f482f02149622205c6d5ed988aae617c_JaffaCakes118.exe
File created	C:\Program Files (x86)\Orcus\Orcus.exe.config	f482f02149622205c6d5ed988aae617c_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

f482f02149622205c6d5ed988aae617c_JaffaCakes118.exeOrcus.exeOrcus.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f482f02149622205c6d5ed988aae617c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Orcus.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

Orcus.exe

pid process

3004 Orcus.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

Orcus.exe

pid process

3004 Orcus.exe

pid	process
3004	Orcus.exe

pid	process
3004	Orcus.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

f482f02149622205c6d5ed988aae617c_JaffaCakes118.exetaskeng.exe

description	pid	process	target process
PID 2948 wrote to memory of 3004	2948	f482f02149622205c6d5ed988aae617c_JaffaCakes118.exe	Orcus.exe
PID 2948 wrote to memory of 3004	2948	f482f02149622205c6d5ed988aae617c_JaffaCakes118.exe	Orcus.exe
PID 2948 wrote to memory of 3004	2948	f482f02149622205c6d5ed988aae617c_JaffaCakes118.exe	Orcus.exe
PID 2948 wrote to memory of 3004	2948	f482f02149622205c6d5ed988aae617c_JaffaCakes118.exe	Orcus.exe
PID 2772 wrote to memory of 2740	2772	taskeng.exe	Orcus.exe
PID 2772 wrote to memory of 2740	2772	taskeng.exe	Orcus.exe
PID 2772 wrote to memory of 2740	2772	taskeng.exe	Orcus.exe
PID 2772 wrote to memory of 2740	2772	taskeng.exe	Orcus.exe

C:\Users\Admin\AppData\Local\Temp\f482f02149622205c6d5ed988aae617c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f482f02149622205c6d5ed988aae617c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Program Files (x86)\Orcus\Orcus.exe
  "C:\Program Files (x86)\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3004

C:\Windows\system32\taskeng.exe
taskeng.exe {003C2277-1F58-4253-9176-8F67D29B7B11} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Program Files (x86)\Orcus\Orcus.exe
  "C:\Program Files (x86)\Orcus\Orcus.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Orcus\Orcus.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\Program Files (x86)\Orcus\Orcus.exe

Filesize
905KB

MD5
f482f02149622205c6d5ed988aae617c

SHA1
8126947af7338744dc8c7f5ea9a17e9c20dd33dc

SHA256
fd2421c6582e3d7fcf917b7e3c24309e20731f828bdb8505076dafaf4cd9ee9e

SHA512
7b69d4f838c4275d0a73699ad35b7152abef34e75b13787e1a253b6a0f2c7826685e6484d8e32da4c6719e94da364a400396a0a5d751ee58a9c9ff66cadce4e5

Download Submit
memory/2948-16-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download
memory/2948-1-0x0000000000EE0000-0x0000000000FC8000-memory.dmp

Filesize
928KB

Download
memory/2948-2-0x00000000002F0000-0x00000000002FE000-memory.dmp

Filesize
56KB

Download
memory/2948-3-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download
memory/2948-4-0x0000000000740000-0x000000000079C000-memory.dmp

Filesize
368KB

Download
memory/2948-5-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2948-0-0x0000000074BEE000-0x0000000074BEF000-memory.dmp

Filesize
4KB

Download
memory/3004-17-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download
memory/3004-18-0x0000000000030000-0x0000000000118000-memory.dmp

Filesize
928KB

Download
memory/3004-21-0x0000000004700000-0x000000000474E000-memory.dmp

Filesize
312KB

Download
memory/3004-20-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download
memory/3004-19-0x0000000000630000-0x0000000000642000-memory.dmp

Filesize
72KB

Download
memory/3004-22-0x00000000020A0000-0x00000000020B8000-memory.dmp

Filesize
96KB

Download
memory/3004-23-0x0000000002110000-0x0000000002120000-memory.dmp

Filesize
64KB

Download
memory/3004-25-0x0000000074BE0000-0x00000000752CE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads