Home / malwarePDF  


First posted on 14 August 2018.
Source: Microsoft

Aliases :

There are no other names known for Backdoor:MSIL/Sorcas.A.

Explanation :


We have observed this backdoor being downloaded from hxxp://iqhost[.]us:99/a[.]zip.

It's installed as %Windows%\IME\svchost.exe.

Autostart technique

This backdoor is installed as a service named "gpmsvc" using Installutil.exe, an installer tool from .NET Framework Tools.

Backdoor capabilities

When run, it connects to the server hxxps://iqhost.us:3389/. It then waits for and executes commands, including but not limited to:

  • Download and run files
  • Run cmd.exe to execute shell commands
  • Stop process

Analysis by: Jonathan San Jose

Last update 14 August 2018