BAT/Cleaner.WOARK!tr

Analysis

BAT/Cleaner.WOARk!tr is a generic detection for a trojan.
Since this is a generic detection, malware detected as BAT/Cleaner.WOARk!tr may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware is related to CVE-2022-22954, a vulnerability affecting VMware Workspace ONE Access and Identity Manager.

  • Upon execution, the batch file will stop various tasks, processes, and services. Some of the stopped processes include cryptomining and analysis tools.

  • The following files will be deleted:
    • "*.bat", "*.vbs", "*.ps1" from %Temporary%
    • "*.exe", "*.vbs", "*.ps1" from %UserProfile%
    • "*.bat", "*.vbs", "*.ps1", "st.exe", "stt.exe", "sat.exe" from C:/ProgramData

  • The Windows boot configuration will be edited so that the machine boots regardless of errors, and the Windows recovery feature will be disabled so that victims are unable to revert the system to a previous state. All shadow copies will be deleted, along with certain scheduled tasks.

  • It will empty the recycle bin and clear the following event logs:
    • Application
    • Security
    • Setup
    • System

  • This malware has been associated with the following third-party article/advisory:
    • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22954

  • Following are some of the exact IOCs/file hashes associated with this detection:
    • MD5: 00f1119f4f108c12fc63dbbf64e3cc41
    • SHA256: 66db83136c463441ea56fb1b5901c505bcd1ed52a73e23d7298f7055db2108d1

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product                     Database
FortiClient                 Extreme
FortiMail                   Extreme
FortiSandbox                Extreme
FortiWeb                    Extreme
Web Application Firewall    Extreme
FortiIsolator               Extreme
FortiDeceptor               Extreme
FortiEDR

Version Updates

Date        Version     Detail
2022-12-12  90.08666
2022-11-04  90.07534