W32/Injector.HLL!tr

Analysis


W32/Injector.HLL!tr is a generic detection for a type of trojan that uses a polymorphic custom packer. Because the detection is generic, samples detected as W32/Injector.HLL!tr may differ in behavior.
Below are examples of some of these behaviors:

  • It deletes itself from the current folder.

  • One of the following files exists:
    • %System%\igfxhs32.exe
    • %UserProfile%\igfxhs32.exe

  • If any of the following conditions are satisfied, the malware process terminates:
    • The pathname of the current process contains any of the following strings:
      • sample
      • virus
      • sand-box
      • sandbox
      • test

    • The computer or user name contains any of the following strings:
      • VMG-CLIENT
      • MORTE
      • Malekal
      • HOME-OFF-D5F0AC
      • DELL-D3E62F7E26
      • KAKAPROU-6405DA

    • The data in the registry entry HKLM\SYSTEM\ControlSet001\Services\Disk\Enum\0 contains any of the following strings:
      • VMware
      • VBox
      • Virtual
      • QEMU

    • Any of the following processes is active:
      • port
      • vbox
      • vmsrvc
      • vmware
      • sandbox
      • tcpview
      • wireshark.exe
      • regshot.exe
      • procmon.exe
      • filemon.exe
      • procmon.exe
      • regmon.exe
      • procdump.exe
      • cports.exe
      • procexp.exe
      • squid.exe
      • dumpcap.exe

    • An open window has any of the following ClassName, WindowName pairs:
      • gdkWindowToplevel, The Wireshark Network Analyzer
      • CNetmonMainFrame, Microsoft Network Monitor 3.3
      • SmartSniff, SmartSniff
      • CurrPorts, CurrPorts
      • TCPViewClass, 0
      • PROCMON_WINDOW_CLASS, Process Monitor - Sysinternals: www.sysinternals.com
      • #32770, Regshot 1.8.2
      • PROCEXPL, 0

    • Any of the following files exist in the %ProgramFiles% folder:
      • \WinPcap\rpcapd.exe
      • \WireShark\rawshark.exe
      • \Ethereal\ethereal.html
      • \Microsoft Network Monitor 3\netmon.exe

  • It uses the following mutexes:
    • V8x
    • muipcdraotse

  • It terminates the following processes:
    • MBAMGUI.EXE
    • COMBOFIX.EXE
    • CATCHME.EXE
    • TEATIMER.EXE
    • MRT.EXE
    • MRTSTUB.EXE
    • MSMPENG.EXE
    • MSASCUI.EXE
    • MPCMDRUN.EXE
    • USBGUARD.EXE
    • BILLY.EXE

  • It terminates any process whose pathname contains any of the following strings:
    • temp
    • recycler
    • drive32.exe
    • msvmiode.exe
    • rvhost.exe
    • wudfhost.exe
    • svchos.exe
    • servicers.exe
    • uninstall_.exe
    • undmgr.exe
    • chgservice.exe
    • usbmngr.exe
    • serivces.exe
    • cmmon32.exe

  • It stops the following services:
    • CSIScanner
    • K7RTScan
    • K7TSMngr
    • DrWebEngine
    • SPIDERNT
    • DrWebCom
    • avast! Antivirus
    • avast! Firewall
    • AntiVirService
    • VSSERV
    • avgfws
    • avgwd
    • avg8wd
    • avg9wd
    • NOD32krn
    • ekrn
    • mcmscsvc
    • McShield
    • MSK80Service
    • McNASvc
    • MpfService
    • McODS
    • MpfService
    • McSysmon
    • SmcService
    • Symantec AntiVirus
    • Norton Antivirus Server
    • MBAMProtector
    • MBAMService
    • WebrootSpySweeperService
    • WRConsumerService
    • Amsp
    • SAVService
    • SAVAdminService
    • Sophos AutoUpdate Service
    • Sophos Client Firewall
    • Sophos Client Firewall Manager
    • OutpostFirewall
    • TMBMServer
    • TmPfw
    • KPF4
    • cmdAgent
    • SbPF.Launcher
    • SPF4
    • acssrv

  • It injects malicious code into processes except the following:
    • verclsid.exe
    • rundll32.exe
    • csrss.exe

  • It creates the following registry entry:
    • key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
    • value: %System%\igfxhs32.exe
    • data: DisableNXShowUI

  • It downloads a file from the following URL:
    • http://143.{Removed}.28/a{Removed}s/datalog2.txt
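The following script is an added example for defenders and is not code from the Fortinet page. It is a read-only triage check for the host artifacts listed above: the dropped igfxhs32.exe copy, the AppCompatFlags\Layers persistence value, the two mutex names, and a live process running under the dropper's name. It assumes that %System% resolves to $env:SystemRoot\System32 and %UserProfile% to $env:USERPROFILE, and that the mutexes may have been created either in the session-local or the Global namespace (the page does not say which). Run it in an elevated PowerShell session; it modifies nothing on the host.

```powershell
# Added triage example (not from the Fortinet page): look for W32/Injector.HLL!tr host artifacts.
$dropName  = 'igfxhs32.exe'
$dropPaths = @(
    "$env:SystemRoot\System32\$dropName",   # assumption: %System% = SystemRoot\System32
    "$env:USERPROFILE\$dropName"            # assumption: %UserProfile% = USERPROFILE
)
$layersKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
$mutexes   = @('V8x', 'muipcdraotse')       # mutex names from the Analysis section

$findings = New-Object 'System.Collections.Generic.List[object]'
function Add-Finding {
    param([string]$Kind, [string]$Detail)
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. Dropped copy of the trojan; hash it so the result can be cross-checked.
foreach ($path in $dropPaths) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        Add-Finding 'File' "$path (SHA256 $hash)"
    }
}

# 2. AppCompatFlags\Layers: the value NAME is the dropped path, the DATA is the
#    compatibility layer. DisableNXShowUI turns DEP off for that executable.
if (Test-Path -LiteralPath $layersKey) {
    $props = (Get-ItemProperty -LiteralPath $layersKey).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' }   # drop the provider's PSPath/PSDrive etc.
    foreach ($p in $props) {
        if ($p.Name -like "*\$dropName") {
            Add-Finding 'Registry' "$($p.Name) = $($p.Value)"
        }
    }
}

# 3. Mutexes: TryOpenExisting succeeds only while some process holds the name.
#    An UnauthorizedAccessException means the mutex exists but is not openable
#    from this token, which is still a hit.
foreach ($name in $mutexes) {
    foreach ($candidate in @($name, "Global\$name")) {
        $m = $null
        try {
            if ([System.Threading.Mutex]::TryOpenExisting($candidate, [ref]$m)) {
                $m.Dispose()
                Add-Finding 'Mutex' $candidate
            }
        } catch [System.UnauthorizedAccessException] {
            Add-Finding 'Mutex' "$candidate (exists, access denied)"
        }
    }
}

# 4. A live process named after the dropper.
$procName = [System.IO.Path]::GetFileNameWithoutExtension($dropName)
Get-Process -Name $procName -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Process' "PID $($_.Id) $($_.Path)" }

if ($findings.Count -eq 0) {
    Write-Output 'No W32/Injector.HLL!tr host artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on the Layers value alone is a strong indicator because a DEP-disabling layer keyed to a path under %System% is not something legitimate software typically registers; a hit on a mutex name alone is weaker, since short names such as V8x can collide with unrelated software.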


Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product Availability
FortiGate Extreme
FortiClient Extended
FortiMail Extended
FortiSandbox Extended
FortiWeb Extended
Web Application Firewall Extended
FortiIsolator Extended
FortiDeceptor Extended
FortiEDR

Version Updates

Date Version Detail
2019-09-17 71.67600 Sig Updated
2019-05-03 68.25100 Sig Added
2019-05-03 68.24700 Sig Updated