W32/Agent.AJFK!tr
Analysis
W32/Agent.AJFK!tr is a generic detection for a keylogger/botnet/downloader trojan. Since this is a generic detection, malware detected as W32/Agent.AJFK!tr may exhibit varying behaviour.
Below are some of its observed characteristics/behaviours:
- This malware may drop any of the following file(s):
  - %systemroot%\system\cmsys.cmn: This file is non-malicious.
  - %systemroot%\system\spoolsv.exe: This file is detected as W32/Agent.AJFK!tr.
  - %systemroot%\system\explorer.exe: This file is detected as W32/Agent.AJFK!tr.
  - %systemroot%\system\svchost.exe: This file is detected as W32/Agent.AJFK!tr.
  - %appdata%\mrsys.exe: This file is detected as W32/Agent.AJFK!tr.
  - %Appdata%\[Random1]\[Random2].lck: This file is non-malicious.
  - %Appdata%\[Random1]\[Random2].exe: This file is detected as W32/Agent.AJFK!tr.
  - %temp%\[Random].tmp: This file is non-malicious.
  - %Appdata%\svchost.exe: This file is a copy of the original malware itself.
  - %startup%\wordpad.exe: This file is a copy of the original malware itself.
  - %Appdata%\dwm.exe: This file is a copy of the original malware itself.
- This malware may connect to any of the following remote site(s):
  - naval.duckdn{Removed}.org
  - quantumeqyp{Removed}.com
  - lopxin{Removed}.bid
  - 23ac{Removed}.site
  - hxxp://cm-g{Removed}.com /new/five/five/fre.php
  - hxxp://23ac{Removed}.site/fox/plugins/keylogger.p
  - hxxp://23ac{Removed}.site/fox/plugins/ftp.p
- This malware may apply any of the following registry modification(s):
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\RunOnce
    - Explorer = %systemroot%\explorer.exe RO
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\RunOnce
    - Svchost = %systemroot%\svchost.exe RO
  - HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\Currentversion\Winlogon
    - Shell = %systemroot%\explorer.exe, c:\windows\system\explorer.exe
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    - ShowSuperHidden = 0
- Some instances of this malware have been observed to download and run information-stealing trojans capable of stealing credentials from browsers, FTP clients and email clients, stealing bitcoin wallets, and attempting keylogging and screen capture.
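To check a Windows host for the persistence entries and dropped-file paths listed above, the following read-only PowerShell audit is an added example (not part of the Fortinet entry). It assumes an elevated session and uses the real Winlogon key path (`Windows NT`); it only reports findings and modifies nothing.

```powershell
# Added example (not part of the Fortinet entry): read-only audit of a Windows
# host for the registry changes and dropped files listed above.
# Assumed: elevated Windows PowerShell 5.1 or later; nothing is modified.
$findings = @()

# 1. Winlogon Shell should be exactly "explorer.exe"; the sample appends a
#    second path so its copy starts alongside the real shell.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'explorer.exe') {
    $findings += "Winlogon Shell tampered: '$shell'"
}

# 2. RunOnce values named Explorer / Svchost (a clean Windows install sets neither).
$runOnce = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
$ro = Get-ItemProperty -Path $runOnce -ErrorAction SilentlyContinue
foreach ($name in 'Explorer', 'Svchost') {
    if ($ro -and $ro.$name) { $findings += "RunOnce\$name = '$($ro.$name)'" }
}

# 3. ShowSuperHidden = 0 keeps hidden+system files out of Explorer listings.
#    0 is also the Windows default, so it is context, not proof of infection.
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$ssh = (Get-ItemProperty -Path $adv -Name ShowSuperHidden -ErrorAction SilentlyContinue).ShowSuperHidden
if ($ssh -eq 0) { $findings += 'ShowSuperHidden = 0 (note: this is also the default)' }

# 4. Dropped-file locations. Genuine spoolsv.exe/svchost.exe live in
#    %systemroot%\System32 and explorer.exe in %systemroot%, never in \system.
$paths = @(
    "$env:SystemRoot\system\spoolsv.exe",
    "$env:SystemRoot\system\explorer.exe",
    "$env:SystemRoot\system\svchost.exe",
    "$env:SystemRoot\system\cmsys.cmn",
    "$env:APPDATA\mrsys.exe",
    "$env:APPDATA\svchost.exe",
    "$env:APPDATA\dwm.exe",
    (Join-Path ([Environment]::GetFolderPath('Startup')) 'wordpad.exe')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $h = (Get-FileHash -LiteralPath $p -Algorithm SHA256).Hash
        $findings += "File present: $p (SHA256 $h)"
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No W32/Agent.AJFK!tr indicators found on this host' }
```

Any file it reports should be quarantined rather than deleted in place, so the hash and sample remain available for submission to FortiGuard and for your own incident record.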
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.