orcus | 2cf884671b814b3a278eca91e8feb1e9b9b42889c6324995178d7c4df38de49a

Analysis

max time kernel
150s
max time network
148s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
13-06-2024 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe
Size

1.3MB
MD5

a65588611bea2e11e8b7a783586d45ed
SHA1

70df9e0bb904ec5cacd4ccc54950d3029ab322c9
SHA256

2cf884671b814b3a278eca91e8feb1e9b9b42889c6324995178d7c4df38de49a
SHA512

123a09a6f84d7a550bd9cfc61492ca8182e80fb2b0c12b476fbd742d14ba124916b1411095e24d7fb5b74073495a331fb84995d3484d29263d764aaac42979d8
SSDEEP

24576:jyI4MROxnFt3v9MQvrZlI0AilFEvxHidsRN+Sr5P8WmA2TzKsv+6k2C:jyrMijm0rZlI0AilFEvxHi2Fr5WycC

Score

10^/10

orcus hi persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

owo-whats-this.duckdns.org:6969

Mutex

589c23b486c142cc84a5650aff03530f

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\owo\OwO.exe
reconnect_delay
10000
registry_keyname
WWWWWWWWWWW
taskscheduler_taskname
WWWWWW
watchdog_path
Temp\hostwd.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus main payload 1 IoCs

Processes:

resource yara_rule

\Program Files (x86)\owo\OwO.exe family_orcus

resource	yara_rule
\Program Files (x86)\owo\OwO.exe	family_orcus

Orcurs Rat Executable 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2240-0-0x0000000000400000-0x0000000000532000-memory.dmp	orcus
\Program Files (x86)\owo\OwO.exe	orcus
behavioral1/memory/2512-44-0x0000000000400000-0x0000000000532000-memory.dmp	orcus
behavioral1/memory/2240-43-0x0000000000400000-0x00000000004EC000-memory.dmp	orcus
behavioral1/memory/2400-58-0x0000000000400000-0x0000000000532000-memory.dmp	orcus
behavioral1/memory/2512-72-0x0000000000400000-0x0000000000532000-memory.dmp	orcus

Executes dropped EXE 6 IoCs

Processes:

WindowsInput.exeWindowsInput.exeOwO.exeOwO.exehostwd.exehostwd.exe

pid process

2692 WindowsInput.exe
2740 WindowsInput.exe
2512 OwO.exe
2400 OwO.exe
2808 hostwd.exe
3012 hostwd.exe
Loads dropped DLL 4 IoCs

Processes:

a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exeOwO.exehostwd.exe

pid process

2240 a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe
2240 a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe
2512 OwO.exe
2808 hostwd.exe

pid	process
2692	WindowsInput.exe
2740	WindowsInput.exe
2512	OwO.exe
2400	OwO.exe
2808	hostwd.exe
3012	hostwd.exe

pid	process
2240	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe
2240	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe
2512	OwO.exe
2808	hostwd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

OwO.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\WWWWWWWWWWW = "\"C:\\Program Files (x86)\\owo\\OwO.exe\""	OwO.exe

Drops file in System32 directory 3 IoCs

Processes:

a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exeWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe

Drops file in Program Files directory 3 IoCs

Processes:

a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\owo\OwO.exe	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\owo\OwO.exe	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe
File created	C:\Program Files (x86)\owo\OwO.exe.config	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

hostwd.exeOwO.exe

pid	process
3012	hostwd.exe
3012	hostwd.exe
3012	hostwd.exe
2512	OwO.exe
2512	OwO.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe
3012	hostwd.exe
2512	OwO.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

OwO.exehostwd.exehostwd.exe

description pid process

Token: SeDebugPrivilege 2512 OwO.exe
Token: SeDebugPrivilege 2808 hostwd.exe
Token: SeDebugPrivilege 3012 hostwd.exe

description	pid	process
Token: SeDebugPrivilege	2512	OwO.exe
Token: SeDebugPrivilege	2808	hostwd.exe
Token: SeDebugPrivilege	3012	hostwd.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.execsc.exetaskeng.exeOwO.exehostwd.exe

description	pid	process	target process
PID 2240 wrote to memory of 2200	2240	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe	csc.exe
PID 2240 wrote to memory of 2200	2240	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe	csc.exe
PID 2240 wrote to memory of 2200	2240	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe	csc.exe
PID 2240 wrote to memory of 2200	2240	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe	csc.exe
PID 2200 wrote to memory of 2888	2200	csc.exe	cvtres.exe
PID 2200 wrote to memory of 2888	2200	csc.exe	cvtres.exe
PID 2200 wrote to memory of 2888	2200	csc.exe	cvtres.exe
PID 2200 wrote to memory of 2888	2200	csc.exe	cvtres.exe
PID 2240 wrote to memory of 2692	2240	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe	WindowsInput.exe
PID 2240 wrote to memory of 2692	2240	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe	WindowsInput.exe
PID 2240 wrote to memory of 2692	2240	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe	WindowsInput.exe
PID 2240 wrote to memory of 2692	2240	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe	WindowsInput.exe
PID 2240 wrote to memory of 2512	2240	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe	OwO.exe
PID 2240 wrote to memory of 2512	2240	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe	OwO.exe
PID 2240 wrote to memory of 2512	2240	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe	OwO.exe
PID 2240 wrote to memory of 2512	2240	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe	OwO.exe
PID 1508 wrote to memory of 2400	1508	taskeng.exe	OwO.exe
PID 1508 wrote to memory of 2400	1508	taskeng.exe	OwO.exe
PID 1508 wrote to memory of 2400	1508	taskeng.exe	OwO.exe
PID 1508 wrote to memory of 2400	1508	taskeng.exe	OwO.exe
PID 2512 wrote to memory of 2808	2512	OwO.exe	hostwd.exe
PID 2512 wrote to memory of 2808	2512	OwO.exe	hostwd.exe
PID 2512 wrote to memory of 2808	2512	OwO.exe	hostwd.exe
PID 2512 wrote to memory of 2808	2512	OwO.exe	hostwd.exe
PID 2808 wrote to memory of 3012	2808	hostwd.exe	hostwd.exe
PID 2808 wrote to memory of 3012	2808	hostwd.exe	hostwd.exe
PID 2808 wrote to memory of 3012	2808	hostwd.exe	hostwd.exe
PID 2808 wrote to memory of 3012	2808	hostwd.exe	hostwd.exe

C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-u3scnzd.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:2200

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9944.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9943.tmp"
3⤵
PID:2888

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2692

C:\Program Files (x86)\owo\OwO.exe
"C:\Program Files (x86)\owo\OwO.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2512

C:\Users\Admin\AppData\Local\Temp\hostwd.exe
"C:\Users\Admin\AppData\Local\Temp\hostwd.exe" /launchSelfAndExit "C:\Program Files (x86)\owo\OwO.exe" 2512 /protectFile
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808

C:\Users\Admin\AppData\Local\Temp\hostwd.exe
"C:\Users\Admin\AppData\Local\Temp\hostwd.exe" /watchProcess "C:\Program Files (x86)\owo\OwO.exe" 2512 "/protectFile"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:2740

C:\Windows\system32\taskeng.exe
taskeng.exe {D5ED89E9-EBA1-48EC-B0F6-FBEFEDCC7A75} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1508

C:\Program Files (x86)\owo\OwO.exe
"C:\Program Files (x86)\owo\OwO.exe"
2⤵
- Executes dropped EXE
PID:2400

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\-u3scnzd.dll
Filesize
76KB

MD5
f9efe21f916e8d692a30285c51e80f28

SHA1
725dd96db39817ac6b1d1f07cdc14413f8674170

SHA256
1698dbd2e15696da11f0c9317cfc1544bf3967e1d33458c9fc0a1f213386dcb3

SHA512
9134856e6bd51bcd35a2918687aae47dd5432631f9a766995788be3d271b368537b4a879cb503a14013e9c60cbdde6204ae3b02f2ea6170f567233496c9e64b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES9944.tmp
Filesize
1KB

MD5
c3b7571372d35d6404df1f94c4f2889d

SHA1
957e14673542a2f7bd0ea0e47a71d11187b5cb6e

SHA256
1f8ba5da84cd94337d3d4e1cde311db2cad756ca217406ed71ecfc1dfb97caa3

SHA512
991367ecb6c77bba45357d20cfaae7f3983fb59e0dd481675959a5a91876f2ffa2e5b654d255930af0bcaa66755bdb2f5a98e11860335a8a4dc7de4cee284baa

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-u3scnzd.0.cs
Filesize
208KB

MD5
674639c9bcc025f2151b3e6200880194

SHA1
2b8a41c18450038b5135f0e07eaa9e2b85567645

SHA256
794e0ca0d2ff4c48b8fa42628454d560373c19518680fc18af358a794a378ff6

SHA512
400b1efba9c7c701843470a1d2ed6e5c65810093c1947957fec9ac1eab325f5dd8e2da9654c5e42616721a38c0a0f34308b8eddf964d2581b982ad8513d34af4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\-u3scnzd.cmdline
Filesize
347B

MD5
08b73454aa80e825cf2cc05c3c16cf68

SHA1
9e66c4e0e3ced10710c0c0f637803db9003cc9d3

SHA256
3fc058a4fcc584a1cd6d1a1385f70ae9942acd70d6b70adc6688d42073d1ef02

SHA512
551f4836003f6428b60ad17268cd1a76d51dd89d7b310b8df38c4a44bcb32b9c570ee967c73cb142ca874525f00317c0a4821aa4b2717cb2b3e84e876b8c3af7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9943.tmp
Filesize
676B

MD5
283fc0f2b09f64e1d2f482f3295ac03d

SHA1
a954712932c69b4b21cda0a8f75364c0476157b8

SHA256
8957181422f546bbd27f65d1db3cb1092ae3f0aad862f228a266908308af3c66

SHA512
93a9e09c31a1b29e0f191859582af0806d47b7ada93bce9683c3537941fac4bcd447857f98fdf9e181a3c0cccd0df293684119f7df92b77108b7298bff01e30f

Download Submit
\Program Files (x86)\owo\OwO.exe
Filesize
1.3MB

MD5
a65588611bea2e11e8b7a783586d45ed

SHA1
70df9e0bb904ec5cacd4ccc54950d3029ab322c9

SHA256
2cf884671b814b3a278eca91e8feb1e9b9b42889c6324995178d7c4df38de49a

SHA512
123a09a6f84d7a550bd9cfc61492ca8182e80fb2b0c12b476fbd742d14ba124916b1411095e24d7fb5b74073495a331fb84995d3484d29263d764aaac42979d8

Download Submit
\Users\Admin\AppData\Local\Temp\hostwd.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
memory/2200-17-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/2200-10-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/2240-47-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/2240-4-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/2240-3-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/2240-2-0x0000000074301000-0x0000000074302000-memory.dmp

Filesize
4KB

Download
memory/2240-1-0x00000000771C0000-0x00000000771C1000-memory.dmp

Filesize
4KB

Download
memory/2240-0-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2240-43-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2240-40-0x0000000005E40000-0x0000000005F72000-memory.dmp

Filesize
1.2MB

Download
memory/2400-58-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2512-53-0x00000000058F0000-0x0000000005908000-memory.dmp

Filesize
96KB

Download
memory/2512-48-0x00000000023A0000-0x00000000023AE000-memory.dmp

Filesize
56KB

Download
memory/2512-49-0x00000000025D0000-0x000000000262C000-memory.dmp

Filesize
368KB

Download
memory/2512-50-0x00000000023E0000-0x00000000023F2000-memory.dmp

Filesize
72KB

Download
memory/2512-51-0x0000000002560000-0x0000000002568000-memory.dmp

Filesize
32KB

Download
memory/2512-52-0x0000000004E50000-0x0000000004E9E000-memory.dmp

Filesize
312KB

Download
memory/2512-44-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2512-54-0x0000000005B50000-0x0000000005B60000-memory.dmp

Filesize
64KB

Download
memory/2512-72-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2692-28-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/2740-32-0x0000000000180000-0x000000000018C000-memory.dmp

Filesize
48KB

Download
memory/2808-66-0x0000000001190000-0x0000000001198000-memory.dmp

Filesize
32KB

Download