
Infostealer.Poscra


First posted on 10 March 2015.
Source: Symantec

Aliases:

There are no other names known for Infostealer.Poscra.

Explanation:

The Trojan targets point-of-sale systems.

When the Trojan is executed, it creates the following files:
%System%\wnhelp.exe
%System%\perfb419.dat
The Trojan creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Media Help\Security\"Security"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Media Help\"Type"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Media Help\"Start"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Media Help\"ObjectName"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Media Help\"ImagePath"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Media Help\"FailureActions"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Media Help\"ErrorControl"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Windows Media Help\"DisplayName"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_MEDIA_HELP\0000\"Service"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_MEDIA_HELP\0000\"Legacy"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_MEDIA_HELP\0000\"DeviceDesc"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_MEDIA_HELP\0000\"ConfigFlags"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_MEDIA_HELP\0000\"ClassGUID"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_MEDIA_HELP\0000\"Class"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_MEDIA_HELP\"NextInstance"
The Trojan registers the following service on the compromised computer:
Windows Media Help
The Trojan scrapes process memory for the following information:
Credit card numbers
The Trojan attempts to validate the stolen credit card numbers.

The Trojan stores validated credit card numbers in the following location:
perfb419.dat
The Trojan may send the stolen information to the attackers through email.
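The indicators above (two dropped files, a service named "Windows Media Help" with its Services and Enum\Root registry keys, and a dump file of validated card numbers) are enough for a host-level triage check. The script below is an added example for defenders and is not Symantec's code or part of the original writeup. It assumes %System% resolves to %SystemRoot%\System32 (SysWOW64 is checked as well on 64-bit hosts), that it runs from an elevated prompt (the Enum\Root keys are not readable by standard users), and, for the optional dump-file scan, that perfb419.dat holds card numbers as plain digit strings, which the writeup does not confirm; a count of zero there is therefore not proof that the file is harmless.

```powershell
# Added triage check for the Infostealer.Poscra indicators listed in the writeup (not Symantec's code).
# Assumptions: %System% = $env:SystemRoot\System32; run elevated; dump-file scan expects cleartext digits.

function Test-Luhn {
    # Standard Luhn mod-10 check, the validation most card-scraping tools apply before keeping a number.
    param([string]$Digits)
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][char]$Digits[$i] - 48
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d; $double = -not $double
    }
    return ($sum % 10) -eq 0
}

$findings = @()

# 1. Dropped files (page indicators); hash them for ticketing, no reference hash is given on the page.
foreach ($dir in @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")) {
    foreach ($name in @('wnhelp.exe', 'perfb419.dat')) {
        $path = Join-Path $dir $name
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $item = Get-Item -LiteralPath $path
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        $detail = "size=$($item.Length) sha256=$hash"
        if ($name -eq 'perfb419.dat') {
            # Optional scope estimate: count Luhn-valid 13-19 digit runs if the dump is stored in cleartext.
            $text = [System.IO.File]::ReadAllText($path)
            $valid = [regex]::Matches($text, '(?<!\d)\d{13,19}(?!\d)') | Where-Object { Test-Luhn $_.Value }
            $detail += " luhnValidRuns=$(@($valid).Count)"
        }
        $findings += [pscustomobject]@{ Type = 'File'; Indicator = $path; Detail = $detail }
    }
}

# 2. Service registry key and the values the writeup lists (ImagePath, Start, ObjectName, DisplayName).
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Windows Media Help'
if (Test-Path -LiteralPath $svcKey) {
    $v = Get-ItemProperty -LiteralPath $svcKey
    $findings += [pscustomobject]@{
        Type = 'Registry'; Indicator = $svcKey
        Detail = "ImagePath=$($v.ImagePath) Start=$($v.Start) ObjectName=$($v.ObjectName) DisplayName=$($v.DisplayName)"
    }
}

# 3. LEGACY_* enumeration key; it typically survives even after the service itself has been deleted,
#    so it is a useful historical indicator on a host that looks clean otherwise.
$enumKey = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WINDOWS_MEDIA_HELP'
if (Test-Path -LiteralPath $enumKey) {
    $findings += [pscustomobject]@{ Type = 'Registry'; Indicator = $enumKey; Detail = 'legacy service enumeration key present' }
}

# 4. Live service object as seen by the Service Control Manager.
$svc = Get-Service -Name 'Windows Media Help' -ErrorAction SilentlyContinue
if ($svc) {
    $findings += [pscustomobject]@{ Type = 'Service'; Indicator = $svc.Name; Detail = "status=$($svc.Status)" }
}

if ($findings.Count -eq 0) {
    Write-Output "No Infostealer.Poscra indicators found on $env:COMPUTERNAME"
} else {
    Write-Warning "Infostealer.Poscra indicators found on $env:COMPUTERNAME"
    $findings | Format-Table -AutoSize
}
```

The check is deliberately read-only: it records what it finds and hashes the files but does not stop the service or delete anything, so the artifacts remain intact for forensic imaging. Because the writeup says exfiltration may happen over email, a positive hit on a POS host should also prompt a review of outbound SMTP from that host in proxy or firewall logs.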

Last update 10 March 2015
