W32/Parite.fam
Analysis
W32/Parite.fam is a generic detection for a file infector family.
Because this is a generic detection, malware detected as W32/Parite.fam may vary in behaviour.
Below are some of its observed characteristics and behaviours:
- First, it checks whether the machine is already infected by taking the following actions:
  - It opens the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer for reading.
  - It queries "PINF" under that key.
  - It tries to open a mutex named “Residented”.
- It creates a .tmp file in the %temporary% folder whose name is [3 random characters] + 1 random digit.
- It opens the .tmp file, writes code into it, and then loads it for further use.
- It sets a Windows hook that monitors messages before the system delivers them to the destination window.
- Explorer triggers the hook procedure (AttachHook in the .tmp file), which then tries to open the .tmp file in the %temporary% folder.
- It injects the .tmp file (a DLL) into other processes via the Windows hook.
- It creates a mutex named “Residented” in Explorer.
- It enumerates all local drives and searches all files under the C drive.
- It looks for .exe and .scr executable files to infect.
- It also infects files on network resources or existing connections; for example, it infects a folder shared between a VM and its host.
- After infection, it appends one section with a random section name at the end of the file.
- It sends data to IP 215.***.***.2 over UDP.
- During infection, it performs the following steps:
  - It opens the file for writing and records the file's time information and file size.
  - It writes its own code to the file.
  - It sets the file times (creation time, modification time, etc.) back to their previous values, so that the executable appears untouched after infection.
  - It creates the following registry entry, pointing to the .tmp file in the %temporary% folder:
    - HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer
    - PINF = %temporary%\ [random name].tmp
- It tries to delete all .tmp files under the %temporary% folder after infection.
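As an added triage example (not part of the Fortinet write-up), the parser below walks a PE section table and reports the section that ends the file, flagging an unfamiliar name in the position where this family appends its code. The baseline section-name list, the `build_pe` helper and its sample images are constructed assumptions for this illustration.

```python
import struct

# Section names that mainstream compilers/linkers emit (assumption: a short
# baseline list for this example, not an exhaustive one).
KNOWN_SECTIONS = {".text", ".data", ".rdata", ".rsrc", ".reloc", ".idata",
                  ".edata", ".bss", ".tls", ".pdata", "CODE", "DATA", "BSS"}

def parse_sections(pe):
    """Walk the section table; return (name, raw_offset, raw_size) per section."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # 4-byte signature + 20-byte COFF header
    sections = []
    for i in range(nsec):
        hdr = struct.unpack_from("<8sIIIIIIHHI", pe, table + 40 * i)
        sections.append((hdr[0].rstrip(b"\0").decode("ascii", "replace"), hdr[4], hdr[3]))
    return sections

def appended_section(pe):
    """Describe the section that ends the file and flag an unfamiliar name."""
    # Parite appends its section at the end of the file, so pick the highest raw offset.
    name, raw_ptr, raw_size = max(parse_sections(pe), key=lambda s: s[1])
    return {"name": name, "raw_offset": raw_ptr, "raw_size": raw_size,
            "ends_file": raw_ptr + raw_size == len(pe),
            "suspicious": name not in KNOWN_SECTIONS}

def build_pe(section_names):
    """Construct a tiny, non-runnable PE image with the given section names (test input)."""
    nsec, opt_size = len(section_names), 224
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, nsec, 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)   # PE32 magic, rest zeroed
    table, body, raw_ptr = b"", b"", len(dos) + len(coff) + opt_size + 40 * nsec
    for i, name in enumerate(section_names):
        raw = b"\x90" * 0x200                                  # constructed filler bytes
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(raw), 0x1000 * (i + 1),
                             len(raw), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body, raw_ptr = body + raw, raw_ptr + len(raw)
    return dos + coff + opt + table + body

if __name__ == "__main__":
    for label, names in [("clean", [".text", ".data", ".rsrc"]),
                         ("infected-like", [".text", ".data", ".rsrc", "gkwq"])]:
        print(label, appended_section(build_pe(names)))
```

A name outside the baseline is only a triage hint, so confirm a hit with the AV database rather than treating it as a verdict.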
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Detection Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |