Riskware/SoftPulse
Analysis
- The application attempts to connect to the following sites (among others):
  - 9zqvef8333{Removed}.tyo8hbshm6.com
  - www.xgaz7{Removed}.com
  - www.congratulat{Removed}.com
  - app.tyo8hb{Removed}.com
  - revive.adsultima{Removed}.com
  - www.wordpro{Removed}.com
  - gp387a.saz{Removed}.com
- The application downloads and installs other applications onto the user's computer. Some examples of installed applications include:
  - Word Proser
  - Cloud Guard
  - Desktop Dock
  - Shopperz
  - TV Wizard
  - Games Desktop
  - Pro PC Cleaner
  - Data Remarketer
  - Media Player
- The application drops files related to the bundled applications. Some examples of dropped files include:
  - %Temp%\[Alphanumeric Character]tmp\games desktop.exe
  - %Temp%\[Alphanumeric Character]tmp\setspz.exe
  - %Temp%\[Alphanumeric Character]tmp\launcher_11002.exe
  - %Temp%\[Alphanumeric Character]tmp\vopackage.exe
  - %Temp%\[Alphanumeric Character]tmp\setup.exe
  - %Temp%\[Alphanumeric Character]tmp\cloudscout.exe
  - %Temp%\[Alphanumeric Character]tmp\propccleaner.exe
  - %Temp%\[Alphanumeric Character]tmp\wordproser-setup-1.10.0.2.exe
  - %Temp%\[Alphanumeric Character]tmp\savepass_20141120.exe
  - %AppData%\VOPackage\VOPackage.exe
  - %AppData%\gmsd_ca_11\upgmsd_ca_11.exe
- Registry modifications such as the following are applied:
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    - shopperzXP = C:\Program Files\shopperz\custer.bat
    - shopperz = C:\Program Files\shopperz\unity.exe
    - gmsd_ca_11 = C:\Program Files\gmsd_ca_11\gmsd_ca_11.exe
    - upgmsd_ca_11 = %AppData%\gmsd_ca_11\upgmsd_ca_11.exe -runhelper -addpck
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Detection Availability
---|---
FortiGate |
FortiClient |
FortiAPS |
FortiAPU |
FortiMail |
FortiSandbox |
FortiWeb |
Web Application Firewall |
FortiIsolator |
FortiDeceptor |
FortiEDR |