General
-
Target
8cbde96ada607b270b1ca1bd725c946f_JaffaCakes118
-
Size
905KB
-
Sample
240602-dy6vyahg97
-
MD5
8cbde96ada607b270b1ca1bd725c946f
-
SHA1
29d7cd4c3dfb7d63e169f87053ae73f6ebf4b449
-
SHA256
88f1963ba61b31fd9c2fb7b604867bc3d04552dead616f6ebb63945014df16ba
-
SHA512
f46348214286f34535cb3f27e31f7dfc01b6666a2940b60ca6c203c18e368fb77e0fa3b6b104e379aa66d40a0a6407b2bf7a8afedac7dfe838daf256d1d98363
-
SSDEEP
24576:ZKa4MROxnF0ptJSRrrcI0AilFEvxHPRtoo3:ZOMiSTSRrrcI0AilFEvxHP
Malware Config
Extracted
orcus
eta.ne.virus.ne.trogaj.mena.kstati.putinso.site:3232
3798ee9268c5481cb713c259a2b2a0d2
-
autostart_method
Registry
-
enable_keylogger
true
-
install_path
%appdata%\regedit.exe
-
reconnect_delay
10000
-
registry_keyname
Disc0rd
-
taskscheduler_taskname
Orcus
-
watchdog_path
AppData\OrcusWatchdog.exe
Targets
-
-
Target
8cbde96ada607b270b1ca1bd725c946f_JaffaCakes118
-
Size
905KB
-
MD5
8cbde96ada607b270b1ca1bd725c946f
-
SHA1
29d7cd4c3dfb7d63e169f87053ae73f6ebf4b449
-
SHA256
88f1963ba61b31fd9c2fb7b604867bc3d04552dead616f6ebb63945014df16ba
-
SHA512
f46348214286f34535cb3f27e31f7dfc01b6666a2940b60ca6c203c18e368fb77e0fa3b6b104e379aa66d40a0a6407b2bf7a8afedac7dfe838daf256d1d98363
-
SSDEEP
24576:ZKa4MROxnF0ptJSRrrcI0AilFEvxHPRtoo3:ZOMiSTSRrrcI0AilFEvxHP
Score10/10-
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
-
Orcus main payload
-
Orcurs Rat Executable
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-