W32/Agent.NJF!tr
Analysis
- Upon execution, it creates the folder C:\intel\.
- It then drops the following files:
  - C:\intel\iexplorer.exe : This is also detected as W32/Agent.NJF!tr.
  - C:\intel\update.exe : This is a copy of iexplorer.exe.
  - C:\intel\11.reg : This is a text file containing the registry information this trojan applies.
  - C:\intel\cc1.bat : This is a batch script that executes iexplorer.exe.
  - C:\intel\cc2.bat : This is a batch script that creates the file 11.reg and modifies the user's firewall settings. This batch file is detected as BAT/Agent.NJF!tr.
  - C:\intel\cc.js : This is a one-line JavaScript file that executes cc1.bat.
  - C:\intel\once.bat : This is a batch script that creates cc.js and cc2.bat. This batch file is detected as BAT/Agent.NJF!tr.
  - C:\intel\once.js : This is a one-line JavaScript file that creates once.bat.
- The malware also attempts to delete the following registry key:
  - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Active Setup\Installed Components\{0078EAF2-030A-466e-8DFA-C3BFE662E028}
- It then creates the following registry key, which makes Active Setup run the dropped script for each user:
  - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{0078EAF2-030A-466e-8DFA-C3BFE662E028}
    - StubPath = "wscript.exe "C:\intel\cc.js""
- The malware creates the mutex Global\clark.
- It creates several threads that monitor connections and possibly receive updates or commands from a remote attacker.
- The malware uses NetBIOS-related API calls to obtain the infected machine's host name, IP address, and MAC address.
- The malware also attempts to send the infected host's information using the following format:
  - "STARTOK|IP address|connect|port|MAC Address|User OS"
- The malware has been observed to connect to a remote site:
  - 174.13{Removed}ypt.com:8888
- It also connects to the following possible command-and-control (C&C) servers:
  - s5vsrnb{Removed}k11go.com
  - c0fi5v{Removed}k11go.com
  - sk5srv{Removed}k11go.com
  - prh8v{Removed}k11go.com
  - sh5wcs{Removed}k11go.com
- The port number used to connect to these servers is randomized from a time-based seed and falls in the range 0x439 to 0xFFFF.
- The malware issues the following command lines (the first disables the Windows Firewall for the active profile):
  - netsh advfirewall set currentprofile state off
  - "%System%\cmd.exe" /c once.bat
  - "%System%\WScript.exe" "C:\intel\once.js"
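As an added illustration, not part of this entry, the following Python flags the host-level behaviour the analysis describes (the Active Setup StubPath persistence key, the netsh command that disables the firewall, and a script host launched from C:\intel) over a constructed set of simplified process and registry records, and splits the STARTOK check-in format. The record layout, indicator names and sample events are assumptions made for the example.

```python
import re
# Indicators from the analysis above; the event dicts are a simplified, assumed
# record shape (type / image / cmdline / key / value), not a product's real schema.
ACTIVE_SETUP_GUID = "{0078EAF2-030A-466e-8DFA-C3BFE662E028}".lower()
DROP_DIR = "c:\\intel\\"
FIREWALL_OFF = re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "cmd.exe")

def classify(event):
    """Return the names of every indicator a single event matches."""
    hits = []
    if event["type"] == "process":
        cmd = event["cmdline"]
        image = event["image"].lower().rsplit("\\", 1)[-1]
        if FIREWALL_OFF.search(cmd):
            hits.append("firewall_disabled_via_netsh")
        if image in SCRIPT_HOSTS and DROP_DIR in cmd.lower():
            hits.append("script_host_run_from_c_intel")
    elif event["type"] == "registry":
        key, val = event["key"].lower(), event["value"].lower()
        if "active setup\\installed components\\" in key and key.endswith("\\stubpath"):
            # Alert on this sample's GUID, or on any StubPath aiming a script host at the drop dir.
            if ACTIVE_SETUP_GUID in key or ("wscript" in val and DROP_DIR in val):
                hits.append("active_setup_stubpath_persistence")
    return hits

def scan(events):
    """Map classify over an event list; returns (event index, indicator) pairs."""
    return [(i, hit) for i, ev in enumerate(events) for hit in classify(ev)]

def parse_beacon(line):
    """Split a 'STARTOK|IP|connect|port|MAC|OS' check-in; None if it does not fit."""
    parts = line.split("|")
    if len(parts) != 6 or parts[0] != "STARTOK" or not parts[3].isdigit():
        return None
    return dict(zip(("status", "ip", "verb", "port", "mac", "os"), parts))

# Constructed sample events (not real telemetry) mirroring the behaviour described above.
SAMPLE_EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\WScript.exe",
     "cmdline": '"C:\\Windows\\System32\\WScript.exe" "C:\\intel\\once.js"'},
    {"type": "process", "image": "C:\\Windows\\System32\\netsh.exe",
     "cmdline": "netsh advfirewall set currentprofile state off"},
    {"type": "registry", "value": 'wscript.exe "C:\\intel\\cc.js"',
     "key": "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\"
            "{0078EAF2-030A-466e-8DFA-C3BFE662E028}\\StubPath"},
    {"type": "process", "image": "C:\\Windows\\System32\\notepad.exe",
     "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},
]
```

Running `scan(SAMPLE_EVENTS)` reports the three malicious records and stays silent on the benign notepad launch.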
Recommended Action
FortiGate Systems
- Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |