orcus | fa8a33fb3bda39a4ca3cea2500c635b8_JaffaCakes118 | Triage

Sharing

General

Target

fa8a33fb3bda39a4ca3cea2500c635b8_JaffaCakes118
Size

918KB
MD5

fa8a33fb3bda39a4ca3cea2500c635b8
SHA1

47c0e3509a249d0d80716da3afe28b5fe765d225
SHA256

cf92e7573d34ef42a341d5562357169b90e0542bd66b00d57c84eff686de0400
SHA512

3fc02998288f88ad2b822281830ac328981b42a94ecfef370b67dd4f6f62724eceabadcba635e401a0ddb5dd77011f199c8e4e68b51e3765e3cdaa66177a9c92
SSDEEP

24576:F1I4MROxnFi3WUrUrZlI0AilFEvxHiSRX:F1rMioN4rZlI0AilFEvxHi

Score

10^/10

orcus

Malware Config

Extracted

Family

orcus

C2

87.103.252.59:25565

Mutex

7d661032d74f479fa6fca588ed3ac59f

Attributes

autostart_method
Registry
enable_keylogger
true
install_path
%programfiles%\Steam\depotcache\SteamWebHelper.exe
reconnect_delay
5000
registry_keyname
Windows
taskscheduler_taskname
Windows
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcurs Rat Executable 1 IoCs

resource	yara_rule
sample	orcus

Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
sample	family_orcus

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
fa8a33fb3bda39a4ca3cea2500c635b8_JaffaCakes118

Files

fa8a33fb3bda39a4ca3cea2500c635b8_JaffaCakes118
.exe windows:4 windows x86 arch:x86

f34d5f2d4577ed6d9ceec516c1f5a744

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Imports

mscoree

_CorExeMain

Sections

.text
Size: 913KB - Virtual size: 912KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rsrc
Size: 4KB - Virtual size: 4KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 512B - Virtual size: 12B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ