orcus | cf92e7573d34ef42a341d5562357169b90e0542bd66b00d57c84eff686de0400

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-09-2024 14:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fa8a33fb3bda39a4ca3cea2500c635b8_JaffaCakes118.exe
Size

918KB
MD5

fa8a33fb3bda39a4ca3cea2500c635b8
SHA1

47c0e3509a249d0d80716da3afe28b5fe765d225
SHA256

cf92e7573d34ef42a341d5562357169b90e0542bd66b00d57c84eff686de0400
SHA512

3fc02998288f88ad2b822281830ac328981b42a94ecfef370b67dd4f6f62724eceabadcba635e401a0ddb5dd77011f199c8e4e68b51e3765e3cdaa66177a9c92
SSDEEP

24576:F1I4MROxnFi3WUrUrZlI0AilFEvxHiSRX:F1rMioN4rZlI0AilFEvxHi

Score

10^/10

orcus discovery persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

87.103.252.59:25565

Mutex

7d661032d74f479fa6fca588ed3ac59f

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Steam\depotcache\SteamWebHelper.exe
reconnect_delay
5000
registry_keyname
Windows
taskscheduler_taskname
Windows
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0006000000018663-30.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/files/0x0006000000018663-30.dat	orcus
behavioral1/memory/2936-35-0x0000000000B30000-0x0000000000C1C000-memory.dmp	orcus

Executes dropped EXE 4 IoCs

pid	Process
2936	SteamWebHelper.exe
2552	SteamWebHelper.exe
2420	OrcusWatchdog.exe
1680	OrcusWatchdog.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "\"C:\\Program Files\\Steam\\depotcache\\SteamWebHelper.exe\""	SteamWebHelper.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Steam\depotcache\SteamWebHelper.exe	fa8a33fb3bda39a4ca3cea2500c635b8_JaffaCakes118.exe
File opened for modification	C:\Program Files\Steam\depotcache\SteamWebHelper.exe	fa8a33fb3bda39a4ca3cea2500c635b8_JaffaCakes118.exe
File created	C:\Program Files\Steam\depotcache\SteamWebHelper.exe.config	fa8a33fb3bda39a4ca3cea2500c635b8_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusWatchdog.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OrcusWatchdog.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	SteamWebHelper.exe
2936	SteamWebHelper.exe
2936	SteamWebHelper.exe
1680	OrcusWatchdog.exe
1680	OrcusWatchdog.exe
1680	OrcusWatchdog.exe
2936	SteamWebHelper.exe
1680	OrcusWatchdog.exe
2936	SteamWebHelper.exe
1680	OrcusWatchdog.exe
2936	SteamWebHelper.exe
1680	OrcusWatchdog.exe
2936	SteamWebHelper.exe
1680	OrcusWatchdog.exe
2936	SteamWebHelper.exe
1680	OrcusWatchdog.exe
2936	SteamWebHelper.exe
1680	OrcusWatchdog.exe
2936	SteamWebHelper.exe
1680	OrcusWatchdog.exe
2936	SteamWebHelper.exe
1680	OrcusWatchdog.exe
2936	SteamWebHelper.exe
1680	OrcusWatchdog.exe
2936	SteamWebHelper.exe
1680	OrcusWatchdog.exe
1680	OrcusWatchdog.exe
2936	SteamWebHelper.exe
2936	SteamWebHelper.exe
1680	OrcusWatchdog.exe
1680	OrcusWatchdog.exe
2936	SteamWebHelper.exe
1680	OrcusWatchdog.exe
2936	SteamWebHelper.exe
1680	OrcusWatchdog.exe
2936	SteamWebHelper.exe
2936	SteamWebHelper.exe
1680	OrcusWatchdog.exe
1680	OrcusWatchdog.exe
2936	SteamWebHelper.exe
2936	SteamWebHelper.exe
1680	OrcusWatchdog.exe
2936	SteamWebHelper.exe
1680	OrcusWatchdog.exe
2936	SteamWebHelper.exe
1680	OrcusWatchdog.exe
1680	OrcusWatchdog.exe
2936	SteamWebHelper.exe
2936	SteamWebHelper.exe
1680	OrcusWatchdog.exe
1680	OrcusWatchdog.exe
2936	SteamWebHelper.exe
2936	SteamWebHelper.exe
1680	OrcusWatchdog.exe
2936	SteamWebHelper.exe
1680	OrcusWatchdog.exe
1680	OrcusWatchdog.exe
2936	SteamWebHelper.exe
2936	SteamWebHelper.exe
1680	OrcusWatchdog.exe
2936	SteamWebHelper.exe
1680	OrcusWatchdog.exe
2936	SteamWebHelper.exe
1680	OrcusWatchdog.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	SteamWebHelper.exe
Token: SeDebugPrivilege	2420	OrcusWatchdog.exe
Token: SeDebugPrivilege	1680	OrcusWatchdog.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2936	SteamWebHelper.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2220	2260	fa8a33fb3bda39a4ca3cea2500c635b8_JaffaCakes118.exe	29
PID 2260 wrote to memory of 2220	2260	fa8a33fb3bda39a4ca3cea2500c635b8_JaffaCakes118.exe	29
PID 2260 wrote to memory of 2220	2260	fa8a33fb3bda39a4ca3cea2500c635b8_JaffaCakes118.exe	29
PID 2220 wrote to memory of 272	2220	csc.exe	31
PID 2220 wrote to memory of 272	2220	csc.exe	31
PID 2220 wrote to memory of 272	2220	csc.exe	31
PID 2260 wrote to memory of 2936	2260	fa8a33fb3bda39a4ca3cea2500c635b8_JaffaCakes118.exe	33
PID 2260 wrote to memory of 2936	2260	fa8a33fb3bda39a4ca3cea2500c635b8_JaffaCakes118.exe	33
PID 2260 wrote to memory of 2936	2260	fa8a33fb3bda39a4ca3cea2500c635b8_JaffaCakes118.exe	33
PID 2384 wrote to memory of 2552	2384	taskeng.exe	35
PID 2384 wrote to memory of 2552	2384	taskeng.exe	35
PID 2384 wrote to memory of 2552	2384	taskeng.exe	35
PID 2936 wrote to memory of 2420	2936	SteamWebHelper.exe	36
PID 2936 wrote to memory of 2420	2936	SteamWebHelper.exe	36
PID 2936 wrote to memory of 2420	2936	SteamWebHelper.exe	36
PID 2936 wrote to memory of 2420	2936	SteamWebHelper.exe	36
PID 2420 wrote to memory of 1680	2420	OrcusWatchdog.exe	37
PID 2420 wrote to memory of 1680	2420	OrcusWatchdog.exe	37
PID 2420 wrote to memory of 1680	2420	OrcusWatchdog.exe	37
PID 2420 wrote to memory of 1680	2420	OrcusWatchdog.exe	37

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fa8a33fb3bda39a4ca3cea2500c635b8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fa8a33fb3bda39a4ca3cea2500c635b8_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\heajkhvt.cmdline"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES98D7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC98D6.tmp"
    3⤵
    PID:272
- C:\Program Files\Steam\depotcache\SteamWebHelper.exe
  "C:\Program Files\Steam\depotcache\SteamWebHelper.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
    "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Steam\depotcache\SteamWebHelper.exe" 2936 /protectFile
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe
      "C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Steam\depotcache\SteamWebHelper.exe" 2936 "/protectFile"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1680

C:\Windows\system32\taskeng.exe
taskeng.exe {6C9A2BE3-030A-4777-83FC-631242A3D66D} S-1-5-21-457978338-2990298471-2379561640-1000:WOUOSVRD\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Program Files\Steam\depotcache\SteamWebHelper.exe
  "C:\Program Files\Steam\depotcache\SteamWebHelper.exe"
  2⤵
  - Executes dropped EXE
  PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Steam\depotcache\SteamWebHelper.exe

Filesize
918KB

MD5
fa8a33fb3bda39a4ca3cea2500c635b8

SHA1
47c0e3509a249d0d80716da3afe28b5fe765d225

SHA256
cf92e7573d34ef42a341d5562357169b90e0542bd66b00d57c84eff686de0400

SHA512
3fc02998288f88ad2b822281830ac328981b42a94ecfef370b67dd4f6f62724eceabadcba635e401a0ddb5dd77011f199c8e4e68b51e3765e3cdaa66177a9c92

Download Submit
C:\Program Files\Steam\depotcache\SteamWebHelper.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES98D7.tmp

Filesize
1KB

MD5
bc6c3da47e1f54c5ae1b5c28bd5c321a

SHA1
58becb43036b121058307fbdd757785b837ade7c

SHA256
7b0fcda36d0e3bad63b4968c15ab033455ccc7293faa9b926a76aafc9f6b7e99

SHA512
7e94d93653a1b9a12e98eaf21b93e3728fcaa4a0f71e63fdc09f98179464554aa0d4a42f209c86a727e5e5b2b078a01de231a3f1284305d7c6932e8868f83ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\heajkhvt.dll

Filesize
76KB

MD5
aff40f30037a71a9b475eefd892f9699

SHA1
b9d52bafd67b8baf77fe5ed1ecc64ca712257c1c

SHA256
fdcf47699d51c73a74fb113528e181074dba05cc528c734181c00439a6bce7a3

SHA512
ce64639f5951abf0ea6fdebde7b91db05ad80ede527dd70b2abdc3b70b90c5418597e96fd1649d997c3f2b72d3e3b9c56bde25779104a2ac0bcbad85aef3ddd3

Download Submit
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Roaming\Orcus\err_7d661032d74f479fa6fca588ed3ac59f.dat

Filesize
1KB

MD5
df4cd09cae988dd857ea09c66ccc8248

SHA1
78fa8b4207179f57a973d8f1747c2b314d837693

SHA256
fbdcefb77dfa70d4f0bc515a1f0f1ec371a164adf12bd24b134899c2cbbcc021

SHA512
244b97aa383da42b69b9e36b5846471288b16b6ba9ebda1406610c33c25ce7a8a74de4f58d183def98996d81c1b7a757ffc4a72f60762b669f2e75a73554e111

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC98D6.tmp

Filesize
676B

MD5
df6b88f87ff78747a7cf54102dc5da43

SHA1
18484f8a5d32876993d02cc5e82a6c93ea7add36

SHA256
59973b72a4cecee950a83c9f992bb15f2147380ec89d3572460036e84d7fad48

SHA512
2bdf29eaf4a953ab3ce14bf60a0ce4e7607727954271fba704ce3919a2b1618e677b63376a9144492021ed60494ee6b2a7e3e358ac0eda0d2c1fbeedaa6281be

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\heajkhvt.0.cs

Filesize
208KB

MD5
7403258106e3d8c2765f9f1e5b91e0cc

SHA1
991f96c267ec83d48965e0583bd684f4f070f367

SHA256
d184a06e138473e1e339dc69e8e6d66447cc5683283f3225ac72e4719864291d

SHA512
dc13d169f37dbcd756850f04db176f1796cc67392695a1ba50b0d3010d504e503c9c6f3370694977f921a696d03d1ad00ae93a43f2c82b93501f039bcddec03a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\heajkhvt.cmdline

Filesize
349B

MD5
7ef87c5640f75a19a48e105e4f3f46a8

SHA1
0523f4fc963c033e0c10e111e8739c1f968be9f9

SHA256
0b097e9eea15f01a2bec4412eb1315e130bb79685abdf3261611be1dbe0c77b7

SHA512
9845956c0202573b4e4151585814be4aaa328e034eabedad7334cadf58f10db7278bc92a9d0ab58b8b22ab08ea9f795108676c48e5f2520b27ebba681e5e85df

Download Submit
memory/2220-13-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2220-42-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-32-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-18-0x000000001ADE0000-0x000000001ADF6000-memory.dmp

Filesize
88KB

Download
memory/2260-21-0x00000000007B0000-0x00000000007B8000-memory.dmp

Filesize
32KB

Download
memory/2260-22-0x00000000007C0000-0x00000000007C8000-memory.dmp

Filesize
32KB

Download
memory/2260-23-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-4-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-0-0x000007FEF625E000-0x000007FEF625F000-memory.dmp

Filesize
4KB

Download
memory/2260-3-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-33-0x000007FEF5FA0000-0x000007FEF693D000-memory.dmp

Filesize
9.6MB

Download
memory/2260-20-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2260-1-0x0000000002090000-0x00000000020EC000-memory.dmp

Filesize
368KB

Download
memory/2260-2-0x0000000000510000-0x000000000051E000-memory.dmp

Filesize
56KB

Download
memory/2420-51-0x0000000000C00000-0x0000000000C08000-memory.dmp

Filesize
32KB

Download
memory/2936-35-0x0000000000B30000-0x0000000000C1C000-memory.dmp

Filesize
944KB

Download
memory/2936-41-0x0000000002070000-0x0000000002080000-memory.dmp

Filesize
64KB

Download
memory/2936-39-0x0000000002040000-0x0000000002058000-memory.dmp

Filesize
96KB

Download
memory/2936-38-0x0000000000AD0000-0x0000000000B1E000-memory.dmp

Filesize
312KB

Download