Analysis
-
max time kernel
150s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
27-09-2024 14:03
General
-
Target
fa8a33fb3bda39a4ca3cea2500c635b8_JaffaCakes118.exe
-
Size
918KB
-
MD5
fa8a33fb3bda39a4ca3cea2500c635b8
-
SHA1
47c0e3509a249d0d80716da3afe28b5fe765d225
-
SHA256
cf92e7573d34ef42a341d5562357169b90e0542bd66b00d57c84eff686de0400
-
SHA512
3fc02998288f88ad2b822281830ac328981b42a94ecfef370b67dd4f6f62724eceabadcba635e401a0ddb5dd77011f199c8e4e68b51e3765e3cdaa66177a9c92
-
SSDEEP
24576:F1I4MROxnFi3WUrUrZlI0AilFEvxHiSRX:F1rMioN4rZlI0AilFEvxHi
Malware Config
Extracted
orcus
87.103.252.59:25565
7d661032d74f479fa6fca588ed3ac59f
-
autostart_method
Registry
-
enable_keylogger
true
-
install_path
%programfiles%\Steam\depotcache\SteamWebHelper.exe
-
reconnect_delay
5000
-
registry_keyname
Windows
-
taskscheduler_taskname
Windows
-
watchdog_path
AppData\OrcusWatchdog.exe
Signatures
-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus main payload 1 IoCs
-
Orcurs Rat Executable 2 IoCs
-
Checks computer location settings 2 TTPs 3 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 4 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 2 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\fa8a33fb3bda39a4ca3cea2500c635b8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\fa8a33fb3bda39a4ca3cea2500c635b8_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe"C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3mccpacl.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87A0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC879F.tmp"3⤵
-
-
-
C:\Program Files\Steam\depotcache\SteamWebHelper.exe"C:\Program Files\Steam\depotcache\SteamWebHelper.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /launchSelfAndExit "C:\Program Files\Steam\depotcache\SteamWebHelper.exe" 1612 /protectFile3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe"C:\Users\Admin\AppData\Roaming\OrcusWatchdog.exe" /watchProcess "C:\Program Files\Steam\depotcache\SteamWebHelper.exe" 1612 "/protectFile"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Program Files\Steam\depotcache\SteamWebHelper.exe"C:\Program Files\Steam\depotcache\SteamWebHelper.exe"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
918KB
MD5fa8a33fb3bda39a4ca3cea2500c635b8
SHA147c0e3509a249d0d80716da3afe28b5fe765d225
SHA256cf92e7573d34ef42a341d5562357169b90e0542bd66b00d57c84eff686de0400
SHA5123fc02998288f88ad2b822281830ac328981b42a94ecfef370b67dd4f6f62724eceabadcba635e401a0ddb5dd77011f199c8e4e68b51e3765e3cdaa66177a9c92
-
Filesize
357B
MD5a2b76cea3a59fa9af5ea21ff68139c98
SHA135d76475e6a54c168f536e30206578babff58274
SHA256f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad
-
Filesize
425B
MD54eaca4566b22b01cd3bc115b9b0b2196
SHA1e743e0792c19f71740416e7b3c061d9f1336bf94
SHA25634ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1
-
Filesize
76KB
MD5301db0b11b2c554a0348d0ab4dd4f20e
SHA1e927a2cd36c15b0010f8036191ab9f225e3c956c
SHA25694988665b87e95f3401b22043c8deca536658cc3987f31ebc180307b8b95961a
SHA51213707d8d9f9bc25033de56b1bf7f3850f623d493d211283d73ec891003c7f80087a1b1ee76b986577c4fc2836db55698fed34ddcf677d39e7feda26f2a743c2c
-
Filesize
1KB
MD54f140bea8b2deb5ef2b3c8a2dfd29ccb
SHA1e94cd423bd36d62db41fa614e28f509ffb0f5125
SHA2564abdd5676fc4e247cf7707b3ee8937ce6c8d53f6affc4af3b8c7622ff290b454
SHA5129b5d031075a6b85a11554bec24292e7095b0c2154436cea6be6898f382889ce4c533107ca7cf656a41a29ed7c846f86b483ac3cef12d56af82e25bdcf0bd83bc
-
Filesize
9KB
MD5913967b216326e36a08010fb70f9dba3
SHA17b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf
SHA2568d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a
SHA512c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33
-
Filesize
1KB
MD5d04e96bab1dbef584fc89a33a702fe03
SHA179d97681ff0902e12954135a08531add43b04ea7
SHA256009b5edddd836e14efd408b20c70b4f2ae573f451ddebf373d5564b5335b9482
SHA5123527601642ef80b8c5d5fc07261f697663c295934075e60c92812f12492a181e811f534cef243684c0fbb774f4800388db1b99daf5d4ae35d027c948aef4aba9
-
Filesize
208KB
MD55178c6c58c604e27470274448ba74220
SHA15ed089f74ff7d6f843a16865824f08294a0c8ebb
SHA256dd96cbbfa578a94812a67a6b532eb5e99f498be4fbf234638820d7d3cd394eb8
SHA512615138e14631f40ae8b82ab19e6c033092557b7473d02919af85c558012a44bcb891d048be4ba98fc5d171a0da3178c1624f2075abcda12cc77f49861f5fc17f
-
Filesize
349B
MD5978740e975b3b38fb551e4a9351fe162
SHA113821f0319954452f98d702a80051004c0b25547
SHA2567e72fd6c3b99b7f969a6c4e8289103d2dd5c2bd8ab19b68a01fbc25c9ad74796
SHA5128b70045fcc97d8208b7c40f7e56fbb30e27b8c857e9117b41ae553d98fe6202007f6db0ee2bc1fd7572750acb5e039d6c1f6bf23a6d4084f9d6cb3129b3a9624
-
Filesize
676B
MD5ffea816bdeb3701d41397aa028c0b00c
SHA15c125f1ed36079171b40643c149abc81f3bc5d55
SHA256f5a3c0fefd8e8f1192fea1d5f107f1c703fa8faf5221dbfab23a21c406af4e8a
SHA5126e98eca431d0c7fb42a1837b358192229a88951cfe20702d901b636978924c69c537bbb1d2301856343618ecf281949c827b3c99006883a383ae534b3e5c338c
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
8KB
-
Filesize
8KB
-
Filesize
944KB
-
Filesize
1.8MB
-
Filesize
64KB
-
Filesize
96KB
-
Filesize
312KB
-
Filesize
1.0MB
-
Filesize
72KB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
448KB
-
Filesize
9.6MB
-
Filesize
292KB
-
Filesize
9.6MB
-
Filesize
960KB
-
Filesize
120KB
-
Filesize
9.6MB
-
Filesize
5.7MB
-
Filesize
56KB
-
Filesize
392KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
72KB
-
Filesize
368KB
-
Filesize
624KB
-
Filesize
9.6MB
-
Filesize
88KB