General

  • Target

    0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118

  • Size

    1.1MB

  • Sample

    240930-lat58ssapa

  • MD5

    0093cdaf6010d872fd69b5f554bad42f

  • SHA1

    64bc03d0e253e776447e1de1286332af4bd322e0

  • SHA256

    12b479aa48b2ee353262197143a55251d0b329927113b10bf928d3f96ff183c6

  • SHA512

    a7a5fb737751e58ff751e44150c9805e8927a4a1b79b81ac5c4765c0c7c5b787798a483262a787281073d9be7450cc2eed03c1d6912d88d9adabac4154f8eac8

  • SSDEEP

    24576:BCUjgfYTaCCcpcup6GMZNiZNfE2xUj8jTkZAoRsw8UGJNCxioH:BCUjgfYIcpjTM63wsw8UG3

Malware Config

Extracted

Family

orcus

Botnet

rock

C2

23.227.201.233:10134

Mutex

288c4a8c96e6445cb50953f3403b6f6f

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe
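
The config above gives everything needed for host and network hunting: the C2 socket, the mutex, the install path (with an environment variable to expand), the watchdog file name, and the Run-value and scheduled-task names. Note that autostart_method is "Disable", so the registry_keyname and taskscheduler_taskname values are configured but may never be created on a victim; treat them as lower-confidence indicators than the mutex and C2 endpoint. The following is an added example (not Triage's or Orcus's code) that normalises the extracted values into comparable IOCs and runs them over constructed EDR-style events. The choice of both Program Files directories as candidate install paths, and matching the watchdog by file name only, are assumptions made here because the config paths are relative.

```python
"""
Host and network IOC checks derived from the extracted Orcus config above,
run over a few constructed telemetry events. Added example for this report;
not Orcus, Triage or any vendor's code.
"""
import ntpath

# Values copied from the "Malware Config" section of this report.
ORCUS_CONFIG = {
    "c2": "23.227.201.233:10134",
    "mutex": "288c4a8c96e6445cb50953f3403b6f6f",
    "install_path": r"%programfiles%\Orcus\Orcus.exe",
    "watchdog_path": r"AppData\OrcusWatchdog.exe",
    "registry_keyname": "Orcus",
    "taskscheduler_taskname": "Orcus",
}

# Assumption: %programfiles% may resolve to either directory on a 64-bit host,
# so both are treated as candidate install locations.
PROGRAM_FILES_DIRS = (r"c:\program files", r"c:\program files (x86)")


def build_iocs(cfg):
    """Normalise the config into lower-cased, directly comparable IOCs."""
    host, port = cfg["c2"].rsplit(":", 1)
    install = cfg["install_path"].lower()
    return {
        "c2_host": host,
        "c2_port": int(port),
        "mutex": cfg["mutex"].lower(),
        "install_paths": {install.replace("%programfiles%", d) for d in PROGRAM_FILES_DIRS},
        # Only the watchdog's file name is matched: the config path is relative
        # and its exact parent directory on disk is an assumption.
        "watchdog_name": ntpath.basename(cfg["watchdog_path"]).lower(),
        "run_value": cfg["registry_keyname"].lower(),
        "task_name": cfg["taskscheduler_taskname"].lower(),
    }


def match_event(event, iocs):
    """Return the IOC names an event matches; an empty list means no match."""
    hits = []
    kind = event["type"]
    if kind == "network":
        if event["dst_ip"] == iocs["c2_host"]:
            # Same host on another port is still worth a look, but weaker.
            exact = event["dst_port"] == iocs["c2_port"]
            hits.append("c2_endpoint" if exact else "c2_host_other_port")
    elif kind == "process":
        image = event["image"].lower()
        if image in iocs["install_paths"]:
            hits.append("install_path")
        if ntpath.basename(image) == iocs["watchdog_name"]:
            hits.append("watchdog_binary")
    elif kind == "mutex":
        if event["name"].lower() == iocs["mutex"]:
            hits.append("mutex")
    elif kind == "task":
        if event["name"].lower() == iocs["task_name"]:
            hits.append("scheduled_task")
    elif kind == "registry":
        # Only a value under a CurrentVersion\Run key counts, so an unrelated
        # registry value that happens to be named "Orcus" is not flagged.
        under_run = event["key"].lower().endswith(r"\currentversion\run")
        if under_run and event["value"].lower() == iocs["run_value"]:
            hits.append("run_key")
    return hits


def scan_events(events, iocs):
    """Return {event_index: [ioc names]} for every event with at least one hit."""
    report = {}
    for i, ev in enumerate(events):
        hits = match_event(ev, iocs)
        if hits:
            report[i] = hits
    return report


# Constructed telemetry, shaped loosely like EDR process/network/registry events.
SAMPLE_EVENTS = [
    {"type": "network", "dst_ip": "23.227.201.233", "dst_port": 10134},
    {"type": "process", "image": r"C:\Program Files (x86)\Orcus\Orcus.exe"},
    {"type": "process", "image": r"C:\Users\alice\AppData\Roaming\OrcusWatchdog.exe"},
    {"type": "mutex", "name": "288C4A8C96E6445CB50953F3403B6F6F"},
    {"type": "task", "name": "Orcus"},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Orcus"},
    {"type": "network", "dst_ip": "23.227.201.233", "dst_port": 443},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for idx, hits in scan_events(SAMPLE_EVENTS, build_iocs(ORCUS_CONFIG)).items():
        print(idx, SAMPLE_EVENTS[idx]["type"], hits)
```

Everything is compared case-insensitively because Windows paths, mutex names and registry values are case-insensitive in practice and sandbox output often differs in case from EDR output. The "c2_host_other_port" hit is kept separate from "c2_endpoint" so a hunting query can treat a connection to the same host on a different port as a lead rather than a confirmed match.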

Targets

    • Target

      0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118

    • Size

      1.1MB

    • MD5

      0093cdaf6010d872fd69b5f554bad42f

    • SHA1

      64bc03d0e253e776447e1de1286332af4bd322e0

    • SHA256

      12b479aa48b2ee353262197143a55251d0b329927113b10bf928d3f96ff183c6

    • SHA512

      a7a5fb737751e58ff751e44150c9805e8927a4a1b79b81ac5c4765c0c7c5b787798a483262a787281073d9be7450cc2eed03c1d6912d88d9adabac4154f8eac8

    • SSDEEP

      24576:BCUjgfYTaCCcpcup6GMZNiZNfE2xUj8jTkZAoRsw8UGJNCxioH:BCUjgfYIcpjTM63wsw8UG3

    • Orcus

      Orcus is a commercial Remote Access Trojan (RAT) sold on underground forums.

    • Looks for VirtualBox Guest Additions in registry

    • Orcus RAT Executable

    • Looks for VMWare Tools registry key

    • Checks BIOS information in registry

      BIOS vendor and product strings are often read to detect virtualized or sandboxed environments.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing (refusing to run in certain regions).

    • Executes dropped EXE

    • Loads dropped DLL

    • Drops desktop.ini file(s)

    • Maps connected drives based on registry

      Disk and drive information is often read to detect sandboxing environments, since virtual disks carry recognisable vendor strings.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext
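
Four of the signatures above (VirtualBox Guest Additions, VMware Tools, BIOS information, drive mapping) are the same technique seen from different registry locations, and the location lookup is a fifth read of the same kind. Individually each read is common in legitimate software; the useful signal is one process touching several of them. The block below is an added example (not a Triage signature and not Orcus code) that classifies registry reads from constructed API-trace-style events and flags a process once it has probed at least two distinct anti-VM locations. The key paths are the well-known Windows locations for these checks and are an assumption here; the report does not list which paths the sample read.

```python
"""
Score registry reads that correspond to the sandbox-evasion signatures in this
report. Added example; key paths are well-known Windows locations assumed here,
not paths taken from the report. Runs over constructed events.
"""
import re
from collections import defaultdict

# Category -> substring of the normalised key path (hive stripped, lower-case).
PROBE_RULES = {
    "vbox_guest_additions": r"software\oracle\virtualbox guest additions",
    "vmware_tools": r"software\vmware, inc.\vmware tools",
    "bios_info": r"hardware\description\system\bios",
    "disk_enum": r"system\currentcontrolset\services\disk\enum",
    "geo_location": r"control panel\international\geo",
}
ANTI_VM = {"vbox_guest_additions", "vmware_tools", "bios_info", "disk_enum"}

_HIVE = re.compile(
    r"^(hkey_local_machine|hkey_current_user|hkey_users|hkey_classes_root"
    r"|hklm|hkcu|hku|hkcr)\\"
)


def normalise_key(key):
    """Lower-case, drop the hive prefix and any Wow6432Node redirection."""
    k = _HIVE.sub("", key.lower())
    return k.replace(r"\wow6432node", "")


def classify_key(key):
    """Return the probe category a registry key belongs to, or None."""
    k = normalise_key(key)
    for category, needle in PROBE_RULES.items():
        if needle in k:
            return category
    return None


def summarise(events):
    """Per pid: the anti-VM categories touched and whether geo was read."""
    out = defaultdict(lambda: {"anti_vm": set(), "geofence": False})
    for ev in events:
        cat = classify_key(ev["key"])
        if cat is None:
            continue
        if cat == "geo_location":
            out[ev["pid"]]["geofence"] = True
        elif cat in ANTI_VM:
            out[ev["pid"]]["anti_vm"].add(cat)
    return dict(out)


def flag_processes(events, min_anti_vm=2):
    """Pids that touched at least min_anti_vm distinct anti-VM locations.

    A single BIOS read is normal for plenty of legitimate software; several
    different probes from one process is the pattern worth alerting on.
    """
    summary = summarise(events)
    return sorted(pid for pid, s in summary.items() if len(s["anti_vm"]) >= min_anti_vm)


# Constructed registry-read events (pid, image, key), API-trace style.
SAMPLE_REGISTRY_EVENTS = [
    {"pid": 4120, "image": r"C:\Users\alice\Desktop\sample.exe",
     "key": r"HKLM\SOFTWARE\Oracle\VirtualBox Guest Additions"},
    {"pid": 4120, "image": r"C:\Users\alice\Desktop\sample.exe",
     "key": r"HKLM\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools"},
    {"pid": 4120, "image": r"C:\Users\alice\Desktop\sample.exe",
     "key": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS"},
    {"pid": 4120, "image": r"C:\Users\alice\Desktop\sample.exe",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum"},
    {"pid": 4120, "image": r"C:\Users\alice\Desktop\sample.exe",
     "key": r"HKCU\Control Panel\International\Geo"},
    # Benign process reading BIOS once and an unrelated key: should not flag.
    {"pid": 812, "image": r"C:\Windows\System32\svchost.exe",
     "key": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS"},
    {"pid": 812, "image": r"C:\Windows\System32\svchost.exe",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion"},
]

if __name__ == "__main__":
    for pid, s in summarise(SAMPLE_REGISTRY_EVENTS).items():
        print(pid, sorted(s["anti_vm"]), "geofence" if s["geofence"] else "")
    print("flagged:", flag_processes(SAMPLE_REGISTRY_EVENTS))
```

Registry reads (as opposed to writes) are not logged by default telemetry such as Sysmon, so input of this shape comes from a sandbox API trace, an EDR with registry-query visibility, or ETW; the geofence read is reported separately rather than counted as anti-VM because a locale check is common in benign installers too.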

MITRE ATT&CK Enterprise v15

Tasks