
Trojan.Bernpos


First posted on 16 July 2015.
Source: Symantec

Aliases:

There are no other names known for Trojan.Bernpos.

Explanation:

When the Trojan is executed, it creates the following mutex: OPSEC_BERNHARD
The Trojan then creates the following mailslot: \\.\mailslot\ww2
Next, the Trojan creates the following registry entry so that it runs every time Windows starts: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"coreService" = "[MALWARE PATH].exe"
The Trojan then registers itself for scheduled tasks.

Next, the Trojan injects itself into other processes and attempts to steal credit card numbers.

The Trojan then sends the stolen data to the following IP address: 5.101.147.126
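
The registry entry and IP address listed above can be matched against endpoint telemetry. The following is an added example, not part of the original write-up: it assumes events shaped like Sysmon records (EventID 13 for a registry value set, EventID 3 for a network connection), and the sample events and host names are constructed. The mutex and mailslot are not covered because these event types do not record them.

```python
import re

# Indicators taken from the write-up above.
RUN_VALUE = "coreService"
C2_IP = "5.101.147.126"

# Sysmon reports HKCU as HKU\<SID>\...; other tools use the long hive name.
RUN_KEY_RE = re.compile(
    r"^(?:HKEY_CURRENT_USER|HKCU|(?:HKU|HKEY_USERS)\\S-1-5-21-[\d-]+)"
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
    + re.escape(RUN_VALUE) + r"$",
    re.IGNORECASE,  # registry paths are case-insensitive
)

def match_bernpos(event):
    """Return the names of the indicators that one event dict matches."""
    hits = []
    eid = event.get("EventID")
    if eid == 13 and RUN_KEY_RE.match(event.get("TargetObject", "")):
        hits.append("run_key_coreService")
    if eid == 3 and event.get("DestinationIp") == C2_IP:
        hits.append("c2_ip")
    return hits

def scan(events):
    """Map each host to the sorted list of indicators seen in its events."""
    per_host = {}
    for ev in events:
        for hit in match_bernpos(ev):
            per_host.setdefault(ev.get("Computer", "unknown"), set()).add(hit)
    return {host: sorted(hits) for host, hits in per_host.items()}

RUN = r"\Software\Microsoft\Windows\CurrentVersion\Run"
SID = r"HKU\S-1-5-21-1111-2222-3333-1001"  # constructed SID

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 13, "Computer": "POS-01", "TargetObject": SID + RUN + r"\coreService"},
    {"EventID": 3, "Computer": "POS-01", "DestinationIp": "5.101.147.126"},
    {"EventID": 13, "Computer": "POS-02", "TargetObject": SID + RUN + r"\OneDrive"},
    {"EventID": 3, "Computer": "POS-02", "DestinationIp": "5.101.147.12"},  # near miss
    {"EventID": 13, "Computer": "POS-03",
     "TargetObject": r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\CORESERVICE"},
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_EVENTS).items():
        print(host, hits)
```

A host that shows both indicators is a stronger signal than one showing either alone, since a Run value name or a single IP address can collide with unrelated activity.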

Last update 16 July 2015

 
