Overview

overview

10

Static

static

3

0093cdaf60...18.exe

windows7-x64

10

0093cdaf60...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-09-2024 09:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    0093cdaf6010d872fd69b5f554bad42f

  • SHA1

    64bc03d0e253e776447e1de1286332af4bd322e0

  • SHA256

    12b479aa48b2ee353262197143a55251d0b329927113b10bf928d3f96ff183c6

  • SHA512

    a7a5fb737751e58ff751e44150c9805e8927a4a1b79b81ac5c4765c0c7c5b787798a483262a787281073d9be7450cc2eed03c1d6912d88d9adabac4154f8eac8

  • SSDEEP

    24576:BCUjgfYTaCCcpcup6GMZNiZNfE2xUj8jTkZAoRsw8UGJNCxioH:BCUjgfYIcpjTM63wsw8UG3

Score
10/10
orcusrockdiscoveryevasionratspywarestealer

Malware Config

Extracted

Family

orcus

Botnet

rock

C2

23.227.201.233:10134

Mutex

288c4a8c96e6445cb50953f3403b6f6f

Attributes
  • autostart_method

    Disable

  • enable_keylogger

    true

  • install_path

    %programfiles%\Orcus\Orcus.exe

  • reconnect_delay

    10000

  • registry_keyname

    Orcus

  • taskscheduler_taskname

    Orcus

  • watchdog_path

    AppData\OrcusWatchdog.exe

Signatures

  • Orcus

    Orcus is a Remote Access Trojan that is being sold on underground forums.

    ratspywarestealerorcus
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Orcurs Rat Executable 1 IoCs
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Checks computer location settings
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aIQzlZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp162.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3980
    • C:\Users\Admin\AppData\Local\Temp\0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0093cdaf6010d872fd69b5f554bad42f_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Drops desktop.ini file(s)
      • Drops file in System32 directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1456
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\in-308b6.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2568
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6B3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6A2.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:924
      • C:\Windows\SysWOW64\WindowsInput.exe
        "C:\Windows\SysWOW64\WindowsInput.exe" --install
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        PID:2816
  • C:\Windows\SysWOW64\WindowsInput.exe
    "C:\Windows\SysWOW64\WindowsInput.exe"
    1⤵
    • Executes dropped EXE
    PID:4368

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\RES6B3.tmp
    Filesize

    1KB

    MD5

    d48f29c6ee84d525224d87f557f99f3c

    SHA1

    2f7fc19811bf28a7c9b541f1e388134c4ce36c71

    SHA256

    1cc9628bd9e2292ab9b0f681ca45194716ad5fcd74e7f6b4e2063ade08c92e50

    SHA512

    9b8e250d2eaa4b271e857a7058d6607b7f94c40d57a096f36904fdf0c38239bd5204e7073a18950372fac01dbf7e59942f21295a9d99057babe9087c08ffb91a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\in-308b6.dll
    Filesize

    76KB

    MD5

    86a1ab86443c11e0861d001e852c355d

    SHA1

    4917826602494bfa64a46c99d4177496eca8aa8d

    SHA256

    2cbac24106cecc3e0e2006c2cd1935083c00ee7c537acea74c7722e3d84c5372

    SHA512

    be38ca47fd8029ad7222ac79bfbcb0e5da703fcd0af716848a84bfca1856b89bf3287fa641efb1a82d6d5530acc7880ce7c3d6df719eb7de3dad8d4828bbdbf4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp162.tmp
    Filesize

    1KB

    MD5

    924fcf77f0276cf6e1f3d0e54ced2094

    SHA1

    3d51dcf7ad4581049ae49b331c461658ad6a0f03

    SHA256

    ade63d2721e9b930a3fda6b35e3eaeddead10c3a8b8e052941d27c430bfdd2fd

    SHA512

    bbbc81a0c990a4f5128900d2731a5b1f29c5257b02f3613a619e98dc022fe1cf895ee6b2d0a4f83537ae6e6028fab8d1a79ea4686e32a756f5b5e222b12d0028

    Download Submit

  • C:\Windows\SysWOW64\WindowsInput.exe
    Filesize

    21KB

    MD5

    e6fcf516d8ed8d0d4427f86e08d0d435

    SHA1

    c7691731583ab7890086635cb7f3e4c22ca5e409

    SHA256

    8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

    SHA512

    c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

    Download Submit

  • C:\Windows\SysWOW64\WindowsInput.exe.config
    Filesize

    357B

    MD5

    a2b76cea3a59fa9af5ea21ff68139c98

    SHA1

    35d76475e6a54c168f536e30206578babff58274

    SHA256

    f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

    SHA512

    b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC6A2.tmp
    Filesize

    676B

    MD5

    27de192f415c16320d0c33327b4b2031

    SHA1

    870119ee3d45312c39f368b5b897f91203d7518b

    SHA256

    acc6e4e3e9beaa15258a9915825df63493e2b2061fbca4f6e64a853e05bd2a48

    SHA512

    94b67ee2630fd5d53547be139d6be7db148088c7bcccc92b413196717bdb6b3196b3ae23b53a2bf5eb3c39896fd8886de1aff55cd9c84da01f059ed93d204191

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\in-308b6.0.cs
    Filesize

    208KB

    MD5

    e2c413a7b5ee6ccb7a28f9a7fd40cc82

    SHA1

    4ea279427f64ec65b806a4bb519c2132c987a270

    SHA256

    18032a698fa52207431f7c0320f3586b156f3d7254dca7432ddda141e5f09059

    SHA512

    12a774ef0445c305035c26290e095969dfa323cb020ea683e7af0717b57d7650af5ed270aacb7c0d8b6b6419612b1936e88de6a14332abcbf049c73a75a30e26

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\in-308b6.cmdline
    Filesize

    347B

    MD5

    0b8241c63dc20c59151e59244bebfa59

    SHA1

    20a1db3df8ca9eeee8f75627cb20c9707eb236bb

    SHA256

    56cc33e22b5289d539736415e542a8773688554ddb5bff1da258a1bdc8c81e85

    SHA512

    319e0d0c54c097739ac6930b4846f3826ea7b03f9e973a972f30974a6261b330e6dea9cc3be84dff53f1ed4db72190aac2638839320312270b7ae85d347e2ef9

    Download Submit

  • memory/1456-10-0x0000000000400000-0x00000000004EA000-memory.dmp

    Filesize

    936KB

    Download

  • memory/1456-54-0x0000000075560000-0x0000000075B11000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1456-16-0x0000000075560000-0x0000000075B11000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1456-17-0x0000000075560000-0x0000000075B11000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1456-12-0x0000000075560000-0x0000000075B11000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1624-4-0x0000000075560000-0x0000000075B11000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1624-0-0x0000000075562000-0x0000000075563000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1624-3-0x0000000075562000-0x0000000075563000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1624-2-0x0000000075560000-0x0000000075B11000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1624-1-0x0000000075560000-0x0000000075B11000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1624-15-0x0000000075560000-0x0000000075B11000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2568-23-0x0000000075560000-0x0000000075B11000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2568-30-0x0000000075560000-0x0000000075B11000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2816-46-0x0000000000C00000-0x0000000000C0C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2816-47-0x00000000013D0000-0x00000000013E2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2816-48-0x0000000001560000-0x000000000159C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4368-53-0x000000001AD20000-0x000000001AE2A000-memory.dmp

    Filesize

    1.0MB

    Download