Infostealer.Pandebono
First posted on 25 April 2014.
Source: Symantec
Aliases:
There are no other names known for Infostealer.Pandebono.
Explanation:
The Trojan arrives through a USB connection to the ATM.
When the Trojan is executed, it creates the following files:
[DRIVE LETTER]:\PROCOL 3.0.exe
%WinDir%\system32\winini.log
%WinDir%\system32\umst\winpins.dmp
%WinDir%\system32\umst\shadow.dmp
%WinDir%\system32\res\smss.exe
%WinDir%\system32\res\lsass.exe
The Trojan creates the following folders:
%WinDir%\system32\umst\
%WinDir%\system32\res\
The Trojan creates the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Windows Net Logon
The Trojan creates a service with the following characteristics:
Service Name: Windows Net Logon
Note: The Trojan may terminate the malicious service by command.
The Trojan steals the following sensitive information:
Account data
PIN numbers
Note: The Trojan stores stolen information in the following file:
%WinDir%\system32\umst\winpins.dmp
The Trojan stores encrypted PIN numbers to be cracked offline (the process known as "carding") in the following file:
shadow.dmp
The Trojan uploads all the stolen data to the USB removable drive if the removable drive's root folder contains the following file:
copwincor.xxx
Last update 25 April 2014
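The artifacts above (dropped files, the service and registry subkey, the staged dump files, and the USB trigger file) can be checked against a host inventory. The following is an added example for defenders, not Symantec's code; the inventory dict format is a hypothetical shape for whatever collection tooling gathers file, service and registry listings, and SAMPLE_INVENTORY is constructed for illustration.

```python
# Added example: match a host inventory against the artifacts listed above.
# Not Symantec's code; SAMPLE_INVENTORY below is constructed, not a real host.
import ntpath

SERVICE_NAME = "Windows Net Logon"
REGISTRY_SUBKEY = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Windows Net Logon"
USB_TRIGGER_FILE = "copwincor.xxx"  # its presence at a USB root triggers the upload
DROPPER_NAME = "PROCOL 3.0.exe"     # dropped at the root of any drive letter
STAGED_DATA = {"winpins.dmp", "shadow.dmp"}  # where stolen account data/PINs sit
WINDIR_FILES = [r"system32\winini.log", r"system32\umst\winpins.dmp",  # under %WinDir%
                r"system32\umst\shadow.dmp", r"system32\res\smss.exe",
                r"system32\res\lsass.exe"]

def _norm(path):
    """Normalise a Windows path for comparison (NTFS names are case-insensitive)."""
    return ntpath.normpath(path).lower()

def match_indicators(inventory):
    """Return sorted findings for an inventory dict with keys windir, files,
    services, registry_keys and removable_roots ({drive: [root file names]})."""
    findings = []
    wanted = {_norm(ntpath.join(inventory["windir"], f)) for f in WINDIR_FILES}
    for path in inventory.get("files", []):
        p = _norm(path)
        if p in wanted:
            tag = "staged-data" if ntpath.basename(p) in STAGED_DATA else "file"
            findings.append(f"{tag}: {path}")
        head, tail = ntpath.split(p)  # [DRIVE LETTER]:\PROCOL 3.0.exe, any drive
        if tail == DROPPER_NAME.lower() and len(head) == 3 and head[1:] == ":\\":
            findings.append(f"dropper: {path}")
    if any(s.lower() == SERVICE_NAME.lower() for s in inventory.get("services", [])):
        findings.append(f"service: {SERVICE_NAME}")
    if any(_norm(k) == _norm(REGISTRY_SUBKEY) for k in inventory.get("registry_keys", [])):
        findings.append(f"registry: {REGISTRY_SUBKEY}")
    for drive, names in inventory.get("removable_roots", {}).items():
        if USB_TRIGGER_FILE in (n.lower() for n in names):
            findings.append(f"exfil-trigger: {drive}\\{USB_TRIGGER_FILE}")
    return sorted(findings)

SAMPLE_INVENTORY = {
    "windir": r"C:\Windows",
    "files": [r"C:\Windows\System32\umst\WINPINS.DMP", r"C:\Windows\system32\umst\shadow.dmp",
              r"C:\Windows\system32\res\lsass.exe", r"E:\PROCOL 3.0.exe",
              r"C:\Windows\system32\lsass.exe"],  # legitimate LSASS, must not match
    "services": ["Netlogon", "Windows Net Logon"],
    "registry_keys": [REGISTRY_SUBKEY],
    "removable_roots": {"E:": ["PROCOL 3.0.exe", "copwincor.xxx"]},
}
```

A "staged-data" finding means the dump files that hold captured account data and PINs are present and should be preserved for forensics before cleanup; the legitimate %WinDir%\system32\lsass.exe is deliberately excluded because only the copy under the res\ folder is an indicator.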