VirusW32/Stration.JQ@mm
Analysis
- undefineduserdirundefined\Local Setings\Temp\5.tmp
- undefinedwindirundefined\system32\(two exe files with random name)
- undefinedwindirundefined\system32\e1,dll
- undefinedwindirundefined\system32\(three other dll files with random names)
- undefinedwindirundefined\tpup.dat
- undefinedwindirundefined\tpup.exe
- undefinedwindirundefined\tpup.wax
- undefinedwindirundefined\tpup.z
- http://www6.ertikad{REMOVED}/nt.exe
- http://www4.ertikad{REMOVED}/lt.exe
- http://genfushiji{REMOVED}/pr.cgi
- http://genfushiji{REMOVED}/s.exe
- key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- value: tpup
- data: tpup.exe s
- key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
- value: [Random]
- data: C:\WINDOWS\System32\[Random].dll
- key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- value: AppInit_DLLs
- data: e1.dll [Random].dll
Subject: any of the following:
- postcard
- picture
- Mail Delivery System
- Status
- Error
- Server Report
- Good day
- hello
- Hi, youve just received a postcard.
- Happy New Year!
- Click on attachment to view a postcard.
- Mail transaction failed. Partial message is available.
- The message contains Unicode characters and has been sent as a binary attachment.
- The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment
- postcard.zip
- message.zip
- doc.zip
- docs.zip
- readme.zip
- text.zip
- postcard.exe
- document.dat.scr
- readme.txt.bat
- file.zip
- file.txt.pif
- file.dat.scr
- body.zip
Recommended Action
-
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
Telemetry
Detection Availability
| FortiGate | |
|---|---|
| FortiClient | |
| FortiAPS | |
| FortiAPU | |
| FortiMail | |
| FortiSandbox | |
| FortiWeb | |
| Web Application Firewall | |
| FortiIsolator | |
| FortiDeceptor | |
| FortiEDR |