Infostealer.Jackpos
First posted on 21 February 2014.
Source: Symantec
Aliases:
There are no other names known for Infostealer.Jackpos.
Explanation:
When the Trojan is executed, it creates the following hidden folder:
%UserProfile%\Application Data\Java SE Platform Updater
Next, the Trojan may copy itself to any of the following files:
%UserProfile%\Application Data\Java SE Platform Updater\jusched.exe
%UserProfile%\Application Data\Java SE Platform Updater\jucheck.exe
%UserProfile%\Application Data\Java SE Platform Updater\javaw.exe
%UserProfile%\Application Data\Java SE Platform Updater\jureg.exe
%UserProfile%\Application Data\Java SE Platform Updater\jse.exe
%UserProfile%\Application Data\Java SE Platform Updater\java.exe
%UserProfile%\Application Data\Java SE Platform Updater\javaws.exe
%UserProfile%\Application Data\Java SE Platform Updater\javacpl.exe
The Trojan then creates the following file:
%Temp%\svchost.exe
The Trojan then creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"Java SE Platform Updater" = "\"%UserProfile%\Application Data\Java SE Platform Updater\[COPIED FILE NAME].exe\""
HKEY_CURRENT_USER\Software\Javaw\"Pid" = "[PROCESS ID OF COPIED FILE NAME]"
HKEY_CURRENT_USER\Software\Javaw\"Pid1" = "[PROCESS ID OF %Temp%\svchost.exe]"
The Trojan then connects to the following remote location:
[http://]192.168.13.1/post/ec[REMOVED]
The Trojan may then perform the following activities:
Search through processes for track one and track two data from credit cards
Encrypt and send data to [http://]192.168.13.1/post/ec[REMOVED]
Update itself
Execute files
End processes
Last update 21 February 2014
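The following host check, added here as an example and not part of Symantec's write-up, looks for the persistence artifacts listed above on a Windows machine: the drop folder and its eight candidate file names, the %Temp%\svchost.exe copy, the Run-key value, and the Pid/Pid1 values under HKCU\Software\Javaw. It assumes %UserProfile%\Application Data resolves to $env:APPDATA (true on Windows XP; on later versions that path is a junction to the same location).

```powershell
# Added example: check a host for the Infostealer.Jackpos artifacts described above.
# Assumption: %UserProfile%\Application Data == $env:APPDATA (XP layout; junction on Vista+).
$folder   = Join-Path $env:APPDATA 'Java SE Platform Updater'
$names    = 'jusched.exe','jucheck.exe','javaw.exe','jureg.exe','jse.exe','java.exe','javaws.exe','javacpl.exe'
$findings = @()

# 1. Hidden drop folder and any of the file names the Trojan copies itself to.
if (Test-Path -LiteralPath $folder) {
    $findings += "Folder present: $folder"
    foreach ($n in $names) {
        $p = Join-Path $folder $n
        if (Test-Path -LiteralPath $p) { $findings += "Dropped file: $p" }
    }
}

# 2. %Temp%\svchost.exe (the legitimate svchost.exe lives in System32, never in %Temp%).
$tmpSvc = Join-Path $env:TEMP 'svchost.exe'
if (Test-Path -LiteralPath $tmpSvc) { $findings += "Suspicious file: $tmpSvc" }

# 3. Run-key persistence value named "Java SE Platform Updater".
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Java SE Platform Updater']) {
    $findings += "Run entry: $($run.'Java SE Platform Updater')"
}

# 4. Pid / Pid1 values under HKCU\Software\Javaw, and whether those process IDs are live.
$javaw = Get-ItemProperty -Path 'HKCU:\Software\Javaw' -ErrorAction SilentlyContinue
if ($javaw) {
    foreach ($v in 'Pid','Pid1') {
        if ($javaw.PSObject.Properties[$v]) {
            $pidVal = [string]$javaw.$v
            $proc = $null
            if ($pidVal -match '^\d+$') {
                $proc = Get-Process -Id ([int]$pidVal) -ErrorAction SilentlyContinue
            }
            $state = if ($proc) { "running: $($proc.Path)" } else { 'not running' }
            $findings += "HKCU\Software\Javaw\$v = $pidVal ($state)"
        }
    }
}

if ($findings.Count -eq 0) { 'No Infostealer.Jackpos artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Run it from the affected user's session, since every artifact lives under HKCU and the user's profile; a match on the Run key or the Javaw Pid values alone is a strong indicator even if the files have since been removed.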