Home / malware

PDF

Backdoor:MSIL/Sorcas.A

First posted on 14 August 2018.
Source: Microsoft

Aliases :

There are no other names known for Backdoor:MSIL/Sorcas.A.

Explanation :

Arrival

We have observed this backdoor being downloaded from hxxp://iqhost[.]us:99/a[.]zip.

It's installed as %Windows%\IME\svchost.exe.

Autostart technique

This backdoor is installed as a service named "gpmsvc" using Installutil.exe, an installer tool from .NET Framework Tools.

Backdoor capabilities

When run, it connects to the server hxxps://iqhost.us:3389/. It then waits for and executes commands, including but not limited to:

• Download and run files
• Run cmd.exe to execute shell commands
• Stop process

Analysis by: Jonathan San Jose

Last update 14 August 2018

 

TOP