Soraya

Description

(Trend Micro) Soraya is a Dexter-and-Zeus-inspired PoS RAM scraper variant first discovered in June 2014. It is custom-packed to obfuscate its code and to make it difficult for security researchers to reverse-engineer its binary. When first executed, Soraya injects its code into several running processes. It borrowed tricks from ZeuS and hooks the NtResumeThread API, which is called by Windows to execute new processes. It then injects its code into all newly created processes. It also copies itself to the %APPDATA% directory and adds itself to an Auto Start runkey to remain persistent.

Names

Name
Soraya

Type

POS malware
Reconnaissance
Credential stealer

Information

https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-pos-ram-scraper-malware.pdf
https://www.codeandsec.com/Soraya-Malware-Analysis-Dropper
https://www.arbornetworks.com/blog/asert/the-best-of-both-worlds-soraya/

Malpedia

https://malpedia.caad.fkie.fraunhofer.de/details/win.soraya

Other Information

Uuid

223cafbc-5cf7-4767-aef1-d4033e5b661b

Last Card Change

2020-05-25

Threat Intelligence Garden

Explorer

Soraya

Soraya

Description

Names

Category

Type

Information

Malpedia

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks