ADW_SULPUA
Riskware/Salus (Fortinet), a variant of Win32/Adware.Salus.A application (ESET-NOD32)
Windows
Threat Type: Adware
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
TECHNICAL DETAILS
Arrival Details
This adware arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This adware drops the following files:
- {adware path}\{adware filename}.log
- {adware path}\SSL\Salus CA.ce
- {adware path}\SSL\Salus CA.pvk
It creates the following folders:
- {adware path}
- {adware path}\SSL
Other System Modifications
This adware adds the following registry keys:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{adware filename}
It adds the following registry entries:
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{adware filename}
  DisplayName = "{adware filename}"
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{adware filename}
  Group = "PNP_TDI"
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{adware filename}
  ImagePath = "system32\drivers\{adware filename}.sys"
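As an added defender-side example (not part of this encyclopedia entry), the Python script below checks a constructed, simplified registry export and file listing for the artifacts listed above: a service under ControlSet001\Services in group PNP_TDI whose ImagePath points to system32\drivers\{name}.sys and whose DisplayName repeats the service name, plus the dropped SSL\Salus CA.* material. The service name salusdrv and the directory C:\ProgramData\salus are assumptions.

```python
import re

# Constructed, simplified .reg export (a real `reg export` writes ImagePath, a
# REG_EXPAND_SZ, as hex(2) data). "salusdrv" is a placeholder service name.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip]
"DisplayName"="TCP/IP Protocol Driver"
"Group"="PNP_TDI"
"ImagePath"="System32\\drivers\\tcpip.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\salusdrv]
"DisplayName"="salusdrv"
"Group"="PNP_TDI"
"ImagePath"="system32\\drivers\\salusdrv.sys"
'''
# Constructed file listing; {adware path} is assumed to be C:\ProgramData\salus.
SAMPLE_FILES = [r"C:\ProgramData\salus\salusdrv.log",
                r"C:\ProgramData\salus\SSL\Salus CA.pvk",
                r"C:\Windows\System32\drivers\tcpip.sys"]
SERVICES_KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\"
DRIVER_RE = re.compile(r"^(?:\\SystemRoot\\|%SystemRoot%\\)?system32\\drivers\\([^\\]+)\.sys$", re.I)

def parse_reg_export(text):
    """Parse [key] headers and "name"="data" lines into {key: {name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:  # .reg data escapes each backslash as \\
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys

def suspicious_tdi_services(keys):
    """Flag PNP_TDI services whose service name, DisplayName and driver file name
    are identical (the pattern above). Heuristic only: Windows' own TDI drivers
    such as Tcpip carry a descriptive DisplayName, so they are not flagged."""
    hits = []
    for path, v in keys.items():
        if not path.startswith(SERVICES_KEY) or v.get("Group") != "PNP_TDI":
            continue
        svc = path[len(SERVICES_KEY):]
        m = DRIVER_RE.match(v.get("ImagePath", ""))
        if m and m.group(1).lower() == svc.lower() == v.get("DisplayName", "").lower():
            hits.append(svc)
    return hits

def dropped_ca_files(paths):
    """Return paths matching the dropped CA material (an SSL folder holding Salus CA.*)."""
    return [p for p in paths if re.search(r"\\SSL\\Salus CA\.[^\\]+$", p, re.I)]
```

On a live host the same two checks would run over `reg export HKLM\SYSTEM\ControlSet001\Services` output (after decoding hex(2) values) and a directory walk, and any hit should be paired with the connection to the settings.json URL listed below.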
Other Details
This adware connects to the following possibly malicious URL:
- http://{BLOCKED}g.{BLOCKED}rl.com/salus/log/settings.json