W32/Agent.NJF!tr

Analysis

  • Upon execution, it creates the folder C:\intel\.

  • It then drops the following files:
    • C:\intel\iexplorer.exe : This is also detected as W32/Agent.NJF!tr.
    • C:\intel\update.exe : This is a copy of iexplorer.exe.
    • C:\intel\11.reg : This is a text file containing the registry data this trojan imports.
    • C:\intel\cc1.bat : This is a batch file script that executes iexplorer.exe.
    • C:\intel\cc2.bat : This is a batch file script that creates the file 11.reg and modifies the user's firewall settings. This batch file is detected as BAT/Agent.NJF!tr.
    • C:\intel\cc.js : This is a one-line JavaScript file that executes cc1.bat.
    • C:\intel\once.bat : This is a batch file script that creates cc.js and cc2.bat. This batch file is detected as BAT/Agent.NJF!tr.
    • C:\intel\once.js : This is a one-line JavaScript file that creates once.bat.

  • The malware also attempts to delete the following registry key:
    • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{0078EAF2-030A-466e-8DFA-C3BFE662E028}

  • It then creates the following registry key:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0078EAF2-030A-466e-8DFA-C3BFE662E028}
      • StubPath = "wscript.exe "C:\intel\cc.js""

  • The malware creates the mutex Global\clark.

  • It spawns several threads that monitor network connections and may receive updates or commands from a remote attacker.

  • The malware uses NetBIOS-related API calls to obtain the infected machine's host name, IP address, and MAC address.

  • The malware also attempts to send the infected host's information using the following format:
    • "STARTOK|IP address|connect|port|MAC Address|User OS"

  • The malware has been observed to connect to a remote site:
    • 174.13{Removed}ypt.com:8888

  • It also connects to the following possible command-and-control (C&C) servers:
    • s5vsrnb{Removed}k11go.com
    • c0fi5v{Removed}k11go.com
    • sk5srv{Removed}k11go.com
    • prh8v{Removed}k11go.com
    • sh5wcs{Removed}k11go.com
      • The port number used to connect to these servers is randomized from a time-based seed and falls in the range 0x439 to 0xFFFF.

  • The malware issues the following command lines:
    • netsh advfirewall set currentprofile state off
    • "%System%\cmd.exe" /c once.bat
    • "%System%\WScript.exe" "C:\intel\once.js"
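As an added defender-side example (it is not part of this Fortinet entry), the Python below scans constructed Sysmon-style event lines for the host indicators listed above (the C:\intel\ drop paths, the Active Setup StubPath key with the GUID from this entry, the netsh firewall command, the WScript launches of cc.js/once.js and the Global\clark mutex) and parses the STARTOK beacon format, flagging a port outside the 0x439 to 0xFFFF range the entry describes. The log lines, their field names and the beacon sample are constructed; the detector assumes the log exposes command lines, file paths and registry paths as plain text.

```python
import re

# GUID of the Active Setup key named in the entry
ACTIVE_SETUP_GUID = "{0078EAF2-030A-466e-8DFA-C3BFE662E028}"

# Indicator patterns derived from the entry's analysis (case-insensitive).
# Registry paths are accepted in both long (HKEY_LOCAL_MACHINE) and short (HKLM) form.
INDICATORS = {
    "dropped_file": re.compile(
        r"c:\\intel\\(iexplorer\.exe|update\.exe|11\.reg|cc1\.bat|cc2\.bat|cc\.js|once\.bat|once\.js)",
        re.I),
    "active_setup_persistence": re.compile(
        r"(hkey_local_machine|hklm)\\software\\microsoft\\active setup\\installed components\\"
        + re.escape(ACTIVE_SETUP_GUID),
        re.I),
    "firewall_disabled": re.compile(
        r"netsh\s+advfirewall\s+set\s+currentprofile\s+state\s+off", re.I),
    "script_host_launch": re.compile(
        r"wscript\.exe.*c:\\intel\\(cc|once)\.js", re.I),
    "mutex": re.compile(r"global\\clark\b", re.I),
}

# Beacon format from the entry: "STARTOK|IP address|connect|port|MAC Address|User OS"
BEACON = re.compile(
    r"^STARTOK\|(?P<ip>[^|]+)\|connect\|(?P<port>\d+)\|(?P<mac>[^|]+)\|(?P<os>[^|]*)$")
PORT_MIN, PORT_MAX = 0x439, 0xFFFF  # C&C port range stated in the entry


def scan_line(line: str) -> list:
    """Return the names of all indicators that match one log line."""
    return [name for name, pattern in INDICATORS.items() if pattern.search(line)]


def scan_log(lines) -> dict:
    """Map each indicator that fired to the 1-based line numbers where it fired."""
    hits = {}
    for lineno, line in enumerate(lines, 1):
        for name in scan_line(line):
            hits.setdefault(name, []).append(lineno)
    return hits


def parse_beacon(payload: str):
    """Parse a STARTOK beacon; return None if the payload is not in that format.

    The port field is assumed to be the port the sample connected on; the
    result records whether it lies in the range the entry describes.
    """
    match = BEACON.match(payload)
    if not match:
        return None
    info = match.groupdict()
    info["port"] = int(info["port"])
    info["port_in_expected_range"] = PORT_MIN <= info["port"] <= PORT_MAX
    return info


# Constructed Sysmon-style events; not real telemetry.
SAMPLE_LOG = [
    'EventID=11 Image=C:\\Users\\victim\\Downloads\\invoice.exe TargetFilename=C:\\intel\\iexplorer.exe',
    'EventID=1 Image=C:\\Windows\\System32\\cmd.exe CommandLine="C:\\Windows\\System32\\cmd.exe" /c once.bat',
    'EventID=1 Image=C:\\Windows\\System32\\wscript.exe CommandLine="C:\\Windows\\System32\\WScript.exe" "C:\\intel\\once.js"',
    'EventID=1 Image=C:\\Windows\\System32\\netsh.exe CommandLine=netsh advfirewall set currentprofile state off',
    'EventID=13 TargetObject=HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\'
    '{0078EAF2-030A-466e-8DFA-C3BFE662E028}\\StubPath Details=wscript.exe "C:\\intel\\cc.js"',
    'sandbox: CreateMutexW name=Global\\clark',
    'EventID=1 Image=C:\\Program Files\\Tool\\tool.exe CommandLine=tool.exe --update',
]

if __name__ == "__main__":
    for name, lines in sorted(scan_log(SAMPLE_LOG).items()):
        print(f"{name:26s} lines {lines}")
    print(parse_beacon("STARTOK|10.0.0.5|connect|8888|00-11-22-33-44-55|Windows 7"))
```

The second line of the sample (cmd.exe /c once.bat) deliberately does not fire: the bare file name without the C:\intel\ path is too generic to key on. A single indicator such as a WScript launch is also weak on its own; correlating two or more of these hits on one host within a short window is the more useful alert condition.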


Recommended Action

FortiGate Systems

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

  • FortiGate: Extreme
  • FortiClient: Extended
  • FortiMail: Extended
  • FortiSandbox: Extended
  • FortiWeb: Extended
  • Web Application Firewall: Extended
  • FortiIsolator: Extended
  • FortiDeceptor: Extended
  • FortiEDR

Version Updates

Date Version Detail
2022-11-29 90.08277
2022-09-23 90.06263
2020-03-04 75.72300 Sig Updated
2019-12-19 73.91200 Sig Added