W32/Wauchos.K!tr
Analysis
W32/Wauchos.K!tr is a generic detection for a type of trojan that uses a polymorphic custom packer. Since this is a generic detection, samples detected as W32/Wauchos.K!tr may exhibit varying behavior.
Below are examples of some of these behaviors:
- It copies itself to the user's profile folder, or the All Users' profile folder.
- The following registry modifications are applied:
  - HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    - [Random] = "%AllUsersProfile%\dx[Random Characters].exe"
  - HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    - load = "%UserProfile%\dx[Random Characters].exe"
  - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    - [Malware Filename] = "[Malware Filename]:*:Generic Host Process"
- It attempts to inject code into "svchost.exe" and "msiexec.exe" before terminating its original process. The injected code enables the two processes, "svchost.exe" and "msiexec.exe", to protect each other from being terminated.
- It attempts to protect its copy from being modified or deleted.
- It attempts to protect its registry keys from being modified or deleted.
- It attempts to connect to the following URLs:
  - http://be{Removed}.su/alter.php
  - http://planp{Removed}.com/login.php
  - http://dn{Removed}.su/billing.php
  - http://bizw{Removed}.net/filling.php
  - http://xdq{Removed}.ru/in.php
  - http://a{Removed}m0rph.su/in.php
  - http://b{Removed}uehky.nl/in.php
  - http://yg{Removed}hct.in/in.php
- It attempts to download files using HTTP, then executes them.
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.