orcus | 2cf884671b814b3a278eca91e8feb1e9b9b42889c6324995178d7c4df38de49a

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe
Size

1.3MB
MD5

a65588611bea2e11e8b7a783586d45ed
SHA1

70df9e0bb904ec5cacd4ccc54950d3029ab322c9
SHA256

2cf884671b814b3a278eca91e8feb1e9b9b42889c6324995178d7c4df38de49a
SHA512

123a09a6f84d7a550bd9cfc61492ca8182e80fb2b0c12b476fbd742d14ba124916b1411095e24d7fb5b74073495a331fb84995d3484d29263d764aaac42979d8
SSDEEP

24576:jyI4MROxnFt3v9MQvrZlI0AilFEvxHidsRN+Sr5P8WmA2TzKsv+6k2C:jyrMijm0rZlI0AilFEvxHi2Fr5WycC

Score

10^/10

orcus hi persistence rat spyware stealer

Malware Config

Extracted

Family

orcus

Botnet

owo-whats-this.duckdns.org:6969

Mutex

589c23b486c142cc84a5650aff03530f

Attributes

autostart_method
Registry
enable_keylogger
false
install_path
%programfiles%\owo\OwO.exe
reconnect_delay
10000
registry_keyname
WWWWWWWWWWW
taskscheduler_taskname
WWWWWW
watchdog_path
Temp\hostwd.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus main payload 1 IoCs

Processes:

resource yara_rule

C:\Program Files (x86)\owo\OwO.exe family_orcus

resource	yara_rule
C:\Program Files (x86)\owo\OwO.exe	family_orcus

Orcurs Rat Executable 6 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2152-0-0x0000000000400000-0x0000000000532000-memory.dmp	orcus
C:\Program Files (x86)\owo\OwO.exe	orcus
behavioral2/memory/2132-64-0x0000000000400000-0x0000000000532000-memory.dmp	orcus
behavioral2/memory/2152-63-0x0000000000400000-0x00000000004EC000-memory.dmp	orcus
behavioral2/memory/4504-75-0x0000000000400000-0x0000000000532000-memory.dmp	orcus
behavioral2/memory/2132-100-0x0000000000400000-0x0000000000532000-memory.dmp	orcus

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exeOwO.exehostwd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	OwO.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	hostwd.exe

Executes dropped EXE 6 IoCs

Processes:

WindowsInput.exeWindowsInput.exeOwO.exeOwO.exehostwd.exehostwd.exe

pid process

1788 WindowsInput.exe
1836 WindowsInput.exe
2132 OwO.exe
4504 OwO.exe
1396 hostwd.exe
3528 hostwd.exe

pid	process
1788	WindowsInput.exe
1836	WindowsInput.exe
2132	OwO.exe
4504	OwO.exe
1396	hostwd.exe
3528	hostwd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

OwO.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WWWWWWWWWWW = "\"C:\\Program Files (x86)\\owo\\OwO.exe\""	OwO.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

Processes:

a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exeWindowsInput.exe

description	ioc	process
File created	C:\Windows\SysWOW64\WindowsInput.exe	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsInput.exe.config	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WindowsInput.InstallState	WindowsInput.exe

Drops file in Program Files directory 3 IoCs

Processes:

a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\owo\OwO.exe	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\owo\OwO.exe	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe
File created	C:\Program Files (x86)\owo\OwO.exe.config	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe

Drops file in Windows directory 3 IoCs

Processes:

a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe
File created	C:\Windows\assembly\Desktop.ini	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

OwO.exehostwd.exe

pid	process
2132	OwO.exe
2132	OwO.exe
2132	OwO.exe
3528	hostwd.exe
3528	hostwd.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe
2132	OwO.exe
3528	hostwd.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe
3528	hostwd.exe
2132	OwO.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

OwO.exehostwd.exehostwd.exe

description pid process

Token: SeDebugPrivilege 2132 OwO.exe
Token: SeDebugPrivilege 1396 hostwd.exe
Token: SeDebugPrivilege 3528 hostwd.exe

description	pid	process
Token: SeDebugPrivilege	2132	OwO.exe
Token: SeDebugPrivilege	1396	hostwd.exe
Token: SeDebugPrivilege	3528	hostwd.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.execsc.exeOwO.exehostwd.exe

description	pid	process	target process
PID 2152 wrote to memory of 984	2152	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe	csc.exe
PID 2152 wrote to memory of 984	2152	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe	csc.exe
PID 2152 wrote to memory of 984	2152	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe	csc.exe
PID 984 wrote to memory of 4272	984	csc.exe	cvtres.exe
PID 984 wrote to memory of 4272	984	csc.exe	cvtres.exe
PID 984 wrote to memory of 4272	984	csc.exe	cvtres.exe
PID 2152 wrote to memory of 1788	2152	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe	WindowsInput.exe
PID 2152 wrote to memory of 1788	2152	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe	WindowsInput.exe
PID 2152 wrote to memory of 2132	2152	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe	OwO.exe
PID 2152 wrote to memory of 2132	2152	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe	OwO.exe
PID 2152 wrote to memory of 2132	2152	a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe	OwO.exe
PID 2132 wrote to memory of 1396	2132	OwO.exe	hostwd.exe
PID 2132 wrote to memory of 1396	2132	OwO.exe	hostwd.exe
PID 2132 wrote to memory of 1396	2132	OwO.exe	hostwd.exe
PID 1396 wrote to memory of 3528	1396	hostwd.exe	hostwd.exe
PID 1396 wrote to memory of 3528	1396	hostwd.exe	hostwd.exe
PID 1396 wrote to memory of 3528	1396	hostwd.exe	hostwd.exe

C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a65588611bea2e11e8b7a783586d45ed_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:2152

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rdkkjiel.cmdline"
2⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5295.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5294.tmp"
3⤵
PID:4272

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe" --install
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1788

C:\Program Files (x86)\owo\OwO.exe
"C:\Program Files (x86)\owo\OwO.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2132

C:\Users\Admin\AppData\Local\Temp\hostwd.exe
"C:\Users\Admin\AppData\Local\Temp\hostwd.exe" /launchSelfAndExit "C:\Program Files (x86)\owo\OwO.exe" 2132 /protectFile
3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Local\Temp\hostwd.exe
"C:\Users\Admin\AppData\Local\Temp\hostwd.exe" /watchProcess "C:\Program Files (x86)\owo\OwO.exe" 2132 "/protectFile"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
- Executes dropped EXE
PID:1836

C:\Program Files (x86)\owo\OwO.exe
"C:\Program Files (x86)\owo\OwO.exe"
1⤵
- Executes dropped EXE
PID:4504

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\owo\OwO.exe
Filesize
1.3MB

MD5
a65588611bea2e11e8b7a783586d45ed

SHA1
70df9e0bb904ec5cacd4ccc54950d3029ab322c9

SHA256
2cf884671b814b3a278eca91e8feb1e9b9b42889c6324995178d7c4df38de49a

SHA512
123a09a6f84d7a550bd9cfc61492ca8182e80fb2b0c12b476fbd742d14ba124916b1411095e24d7fb5b74073495a331fb84995d3484d29263d764aaac42979d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\hostwd.exe.log
Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES5295.tmp
Filesize
1KB

MD5
b7bde65e4dfbc2937c66712be5900d3e

SHA1
f17cf7fcdb098b2b27728ed688a526fbe1860f13

SHA256
b12b5935d8ffa7797f952d9fbf1a7244ac0fb5473711f2bf56e405bdb7675f04

SHA512
35440ca6fdd4c86359ae5e2049a6576e992c3e209ff42416f724e6988d3e51a7777e841305703d8d308652219e50596ea68c1c044276c6de5e8d6487ed5cee48

Download Submit
C:\Users\Admin\AppData\Local\Temp\hostwd.exe
Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\rdkkjiel.dll
Filesize
76KB

MD5
1bee32b9481fb3e7751e903d95128936

SHA1
02c7ac867188eeea06382ce25dc86713f7fda9bf

SHA256
59ed70a183abe297bbff93e16aa26b9cc8ae2a8a5ce7c1a0a05c1966f42cc564

SHA512
3fae2c6588d93d66b97e0350e7daae1739c16918944249e55598bf09ee94afa3eab5ee07608cfbc3edba51436e843246b9e4b6cd1dd7f5ebb05fbdbfaa214047

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe
Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config
Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC5294.tmp
Filesize
676B

MD5
a2715833874c53ada6f5420efb4973f0

SHA1
2f5b3f3cdb9abb4a475fca186189b8d94702ec7c

SHA256
6c2b05fe960b93cd9c841353f4f1e6f2771a75e5bebe1b7f87dbf45bc20f8300

SHA512
4fd425a998053ad5ebc7daf1f58d3330e42cd155c153fab480245a3a889096e88cfdb1e3cd4148528f43e54f965738e99749bd53447a7fef073b735000b94122

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rdkkjiel.0.cs
Filesize
208KB

MD5
7669784b0302bff34aaad1d9ef742997

SHA1
895403f905eef878c0f345ad164fef4540bf1015

SHA256
eacfba78c3492576bd08fbd6c09409dff6ef7374a0bbbc2c73c28efdaff94c48

SHA512
921027b7717974c2676389ce552f33d438c74635cf8c421abea9d505902dbf1a8cc36e70bc9daba814942cf23c5c84b5f3c9aa65897aa4d039d05d22c80b5f29

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rdkkjiel.cmdline
Filesize
347B

MD5
d3b1084e7b3ed38f55c945e1db616410

SHA1
2740663b8274ae8f579742f468064f116c4c83ea

SHA256
08a41348fa21cb93248008cd949150e0830d654df4182fcb7fe7650c4843ccc2

SHA512
faea1ca9c06eaf0501a787fa8826455fddd143772b0b50536ee0702887ec5007ed8cb4d3c8ecf0608becb739f4718e0ed4bf8811d2d31d2408c057063345f3e6

Download Submit
memory/984-13-0x0000000074180000-0x0000000074731000-memory.dmp

Filesize
5.7MB

Download
memory/984-20-0x0000000074180000-0x0000000074731000-memory.dmp

Filesize
5.7MB

Download
memory/1396-92-0x0000000000970000-0x0000000000978000-memory.dmp

Filesize
32KB

Download
memory/1788-44-0x00007FFC3CB10000-0x00007FFC3D5D1000-memory.dmp

Filesize
10.8MB

Download
memory/1788-36-0x00007FFC3CB13000-0x00007FFC3CB15000-memory.dmp

Filesize
8KB

Download
memory/1788-37-0x0000000000B70000-0x0000000000B7C000-memory.dmp

Filesize
48KB

Download
memory/1788-38-0x0000000001460000-0x0000000001472000-memory.dmp

Filesize
72KB

Download
memory/1788-39-0x0000000002DA0000-0x0000000002DDC000-memory.dmp

Filesize
240KB

Download
memory/1788-40-0x00007FFC3CB10000-0x00007FFC3D5D1000-memory.dmp

Filesize
10.8MB

Download
memory/1836-46-0x000000001B360000-0x000000001B46A000-memory.dmp

Filesize
1.0MB

Download
memory/2132-76-0x0000000006250000-0x0000000006268000-memory.dmp

Filesize
96KB

Download
memory/2132-71-0x0000000006000000-0x0000000006008000-memory.dmp

Filesize
32KB

Download
memory/2132-100-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2132-64-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2132-78-0x00000000067D0000-0x00000000067DA000-memory.dmp

Filesize
40KB

Download
memory/2132-65-0x0000000005190000-0x000000000519E000-memory.dmp

Filesize
56KB

Download
memory/2132-66-0x00000000051A0000-0x00000000051FC000-memory.dmp

Filesize
368KB

Download
memory/2132-68-0x00000000052E0000-0x0000000005884000-memory.dmp

Filesize
5.6MB

Download
memory/2132-77-0x0000000006290000-0x00000000062A0000-memory.dmp

Filesize
64KB

Download
memory/2132-69-0x0000000005890000-0x0000000005922000-memory.dmp

Filesize
584KB

Download
memory/2132-70-0x0000000005FF0000-0x0000000006002000-memory.dmp

Filesize
72KB

Download
memory/2132-74-0x0000000006220000-0x0000000006242000-memory.dmp

Filesize
136KB

Download
memory/2132-72-0x0000000006020000-0x000000000606E000-memory.dmp

Filesize
312KB

Download
memory/2152-0-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download
memory/2152-5-0x0000000074180000-0x0000000074731000-memory.dmp

Filesize
5.7MB

Download
memory/2152-67-0x0000000074180000-0x0000000074731000-memory.dmp

Filesize
5.7MB

Download
memory/2152-63-0x0000000000400000-0x00000000004EC000-memory.dmp

Filesize
944KB

Download
memory/2152-3-0x0000000074182000-0x0000000074183000-memory.dmp

Filesize
4KB

Download
memory/2152-2-0x0000000077073000-0x0000000077074000-memory.dmp

Filesize
4KB

Download
memory/2152-1-0x0000000077072000-0x0000000077073000-memory.dmp

Filesize
4KB

Download
memory/2152-4-0x0000000074180000-0x0000000074731000-memory.dmp

Filesize
5.7MB

Download
memory/4504-75-0x0000000000400000-0x0000000000532000-memory.dmp

Filesize
1.2MB

Download