Riskware/SoftPulse

Analysis


  • The application attempts to connect to the following sites (among others):
    • 9zqvef8333{Removed}.tyo8hbshm6.com
    • www.xgaz7{Removed}.com
    • www.congratulat{Removed}.com
    • app.tyo8hb{Removed}.com
    • revive.adsultima{Removed}.com
    • www.wordpro{Removed}.com
    • gp387a.saz{Removed}.com

  • The application downloads and installs other applications onto the user's computer. Some examples of installed applications include:
    • Word Proser
    • Cloud Guard
    • Desktop Dock
    • Shopperz
    • TV Wizard
    • Games Desktop
    • Pro PC Cleaner
    • Data Remarketer
    • Media Player

  • The application drops files related to the bundled applications. Some examples of dropped files include:
    • %Temp%\[Alphanumeric Character]tmp\games desktop.exe
    • %Temp%\[Alphanumeric Character]tmp\setspz.exe
    • %Temp%\[Alphanumeric Character]tmp\launcher_11002.exe
    • %Temp%\[Alphanumeric Character]tmp\vopackage.exe
    • %Temp%\[Alphanumeric Character]tmp\setup.exe
    • %Temp%\[Alphanumeric Character]tmp\cloudscout.exe
    • %Temp%\[Alphanumeric Character]tmp\propccleaner.exe
    • %Temp%\[Alphanumeric Character]tmp\wordproser-setup-1.10.0.2.exe
    • %Temp%\[Alphanumeric Character]tmp\savepass_20141120.exe
    • %AppData%\VOPackage\VOPackage.exe
    • %AppData%\gmsd_ca_11\upgmsd_ca_11.exe

  • Registry modifications such as the following are applied:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      • shopperzXP = C:\Program Files\shopperz\custer.bat
      • shopperz = C:\Program Files\shopperz\unity.exe
      • gmsd_ca_11 = C:\Program Files\gmsd_ca_11\gmsd_ca_11.exe
      • upgmsd_ca_11 = %AppData%\gmsd_ca_11\upgmsd_ca_11.exe -runhelper -addpck
    These Run entries cause the dropped files to be executed automatically every time a user logs on to the computer.
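As an added example (not part of the Fortinet entry), the following Python check parses a `reg export` of the HKLM Run key and flags the autorun values described above, as well as any autorun image launched from a per-user AppData or Temp directory. The sample export, including the user name and the resolved %AppData% path, is constructed for illustration.

```python
import re

# Run-key value names and image file names listed in the analysis above.
SOFTPULSE_RUN_VALUES = {"shopperzxp", "shopperz", "gmsd_ca_11", "upgmsd_ca_11"}
SOFTPULSE_IMAGES = {"custer.bat", "unity.exe", "gmsd_ca_11.exe", "upgmsd_ca_11.exe"}

# Constructed sample of `reg export HKLM\...\Run`: one benign entry plus the
# four entries from the analysis (user "alice" and the resolved path are made up).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"shopperzXP"="C:\\Program Files\\shopperz\\custer.bat"
"shopperz"="C:\\Program Files\\shopperz\\unity.exe"
"gmsd_ca_11"="C:\\Program Files\\gmsd_ca_11\\gmsd_ca_11.exe"
"upgmsd_ca_11"="C:\\Users\\alice\\AppData\\Roaming\\gmsd_ca_11\\upgmsd_ca_11.exe -runhelper -addpck"
'''

VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
# Executable part of a command line: optional quotes, ends at a known extension.
IMAGE_RE = re.compile(r'^"?(.+?\.(?:exe|bat|cmd|com|scr))"?(?:\s|$)', re.IGNORECASE)

def parse_run_values(reg_text):
    """Return {value_name: command} for the ...\CurrentVersion\Run section of a .reg export."""
    values, in_run = {}, False
    for line in reg_text.splitlines():
        if line.startswith("["):
            in_run = line.rstrip("]").lower().endswith(r"\currentversion\run")
            continue
        m = VALUE_RE.match(line)
        if in_run and m:
            # .reg files double every backslash inside string data; undo that.
            values[m.group(1)] = m.group(2).replace("\\\\", "\\")
    return values

def image_path(command):
    """Strip arguments (and surrounding quotes) to get the launched image path."""
    m = IMAGE_RE.match(command.strip())
    return m.group(1) if m else command.strip()

def flag_softpulse(values):
    """Return [(value_name, image_path, reasons)] for entries matching the indicators."""
    hits = []
    for name, command in values.items():
        path = image_path(command)
        image = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if name.lower() in SOFTPULSE_RUN_VALUES:
            reasons.append("value name matches SoftPulse indicator")
        if image in SOFTPULSE_IMAGES:
            reasons.append("image name matches SoftPulse indicator")
        if re.search(r"\\appdata\\|\\temp\\", path, re.IGNORECASE):
            reasons.append("autorun image runs from AppData/Temp")
        if reasons:
            hits.append((name, path, reasons))
    return sorted(hits, key=lambda h: h[0].lower())
```

On a live host, feed the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKCU equivalent) to `parse_run_values` instead of the constructed sample.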

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Detection Availability

  • FortiGate
  • FortiClient
  • FortiAPS
  • FortiAPU
  • FortiMail
  • FortiSandbox
  • FortiWeb
  • Web Application Firewall
  • FortiIsolator
  • FortiDeceptor
  • FortiEDR

Version Updates

Date        Version    Detail
2024-03-19  92.02584
2024-03-18  92.02577
2024-03-18  92.02564
2024-03-16  92.02496
2024-03-13  92.02414
2024-03-11  92.02346
2024-03-10  92.02330
2024-03-06  92.02197
2024-03-05  92.02183
2024-03-04  92.02137