Infostealer.Pospunk
First posted on 23 April 2015.
Source: Symantec
Aliases:
There are no other names known for Infostealer.Pospunk.
Explanation:
When the Trojan is executed, it injects itself into the following process and terminates its original process:
Explorer.exe
The Trojan creates the following files:
%UserProfile%\Application Data\jusched\jusched.exe
%UserProfile%\Application Data\jusched\Dllx64.dll
The Trojan creates the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"jusched"="%UserProfile%\Application Data\jusched\jusched.exe -s"
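The file and registry indicators above can be checked for on a host with a short script. This is an added example, not part of the Symantec write-up: the function name `Test-PospunkIndicators` is hypothetical, and it assumes PowerShell 4 or later (for `Get-FileHash`), that it runs in the session of the user being checked, and that "%UserProfile%\Application Data" is the folder `$env:APPDATA` resolves to.

```powershell
# Added example (not Symantec's code). Test-PospunkIndicators is a hypothetical name.
function Test-PospunkIndicators {
    param(
        # Assumption: "%UserProfile%\Application Data" is the folder $env:APPDATA points to.
        [string]$AppDataRoot = $env:APPDATA,
        [string]$RunKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )

    $findings = @()
    $dropDir  = Join-Path $AppDataRoot 'jusched'

    # Files the write-up says the Trojan creates.
    foreach ($name in 'jusched.exe', 'Dllx64.dll') {
        $path = Join-Path $dropDir $name
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            # Record a hash so the file can be compared against other evidence later.
            $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings += [pscustomobject]@{
                Type = 'File'; Item = $path; Detail = "SHA256=$sha256"
            }
        }
    }

    # Run value named "jusched" in the current user's hive.
    $run = Get-ItemProperty -LiteralPath $RunKey -Name 'jusched' -ErrorAction SilentlyContinue
    if ($run) {
        $value = [string]$run.jusched
        # Strongest match: the value launches the dropped file with the -s switch.
        $exact = $value -like '*\jusched\jusched.exe*-s*'
        $findings += [pscustomobject]@{
            Type = 'RunValue'; Item = "$RunKey\jusched"; Detail = "Value=$value; MatchesWriteUp=$exact"
        }
    }

    return $findings
}

$results = @(Test-PospunkIndicators)
if ($results.Count -eq 0) {
    Write-Output 'No Infostealer.Pospunk file or Run-key indicators found for this user.'
} else {
    $results | Format-Table -AutoSize -Wrap
}
```

jusched.exe is also the file name of the legitimate Java Update Scheduler, so the check keys on the per-user folder and Run value given above rather than on the name alone.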
The Trojan scans the memory of processes running on the compromised computer to find the following:
Track two data from credit cards
The Trojan does not scan processes with the following names:
wuauclt.exe
alg.exe
spoolsv.exe
lsass.exe
winlogon.exe
csrss.exe
smss.exe
System
explorer.exe
iexplore.exe
svchost.exe
The Trojan may perform the following actions:
Log keystrokes
Download potentially malicious files
Update itself
The Trojan sends the stolen information to the following location:
188.212.103.21
Last update 23 April 2015