Threat Encyclopedia

W32/Waski.A!tr

Analysis


  • Upon execution it drops the following files in the Temporary folder:
    • budha.exe
    • vres.exe
    These files are also detected as W32/Waski.A!tr.

  • It may download an executable file, then save it with a randomized file name to a newly created folder, also with a randomized name. At the time of this writing, the downloaded file can also be detected as W32/Waski.A!tr.

  • Another downloaded file may exist in the following folder:
    • %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\360[1].exe
    At the time of this writing, this file can be detected as W32/Inject.AAU!tr.

  • The following registry modifications are applied:
    • HKEY_CURRENT_USER\Software\Microsoft\[RandomRegistryName]
      This registry entry contains encrypted data, such as "SIeOiEUL9PURFbh7Ljadcpo2CiU65gR0O9A=".

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
        [RandomFileName] = "%AppData%\[RandomFolderName]\[RandomFileName].exe"
      This registry entry enables the downloaded file to be automatically executed every time the infected user logs on.

  • This malware has been observed to connect to remote sites with the following details:
    • 173.25{Removed}30:443
    • 216.17{Removed}13:443
    • www.unme{Removed}st.com:https
    • 205.25{Removed}75:http
    • host3554{Removed}ed.com:https
    • vpsn{Removed}me.com:https
    • 5.10{Removed}03:https

  • This malware injects itself into the Windows Explorer process.

  • It disguises itself by using the Adobe PDF icon.

  • The original malware sample is deleted after execution.
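As an added example that is not part of this encyclopedia entry, the following PowerShell checks a local Windows host for the persistence and dropped-file artifacts listed above; the Run key path, the file names and the %AppData%\[folder]\[file].exe layout come from the analysis, while the environment-variable expansion and the "one folder below %AppData%" pattern are assumptions made for this check.

```powershell
# Added example (not Fortinet's own code): hunt for the W32/Waski.A!tr
# artifacts described in the analysis on the current user's profile.
# Assumption: Windows PowerShell 5.1 or later, run as the affected user.

$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appData = [System.Environment]::GetFolderPath('ApplicationData')

# 1. Run-key values that launch an .exe from a single subfolder of %AppData%
#    (the "[RandomFolderName]\[RandomFileName].exe" shape in the analysis).
$pattern = '^' + [regex]::Escape($appData) + '\\[^\\]+\\[^\\]+\.exe$'
$suspiciousRun = @()
if (Test-Path $runKey) {
    $props = Get-ItemProperty -Path $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        # Strip surrounding quotes and expand any literal %AppData% (assumption).
        $target = [System.Environment]::ExpandEnvironmentVariables(([string]$p.Value).Trim('"'))
        if ($target -match $pattern) {
            $suspiciousRun += [pscustomobject]@{
                Name   = $p.Name
                Target = $target
                Exists = (Test-Path -LiteralPath $target)
            }
        }
    }
}

# 2. Dropped files named in the analysis, in the user's Temporary folder.
$dropped = foreach ($name in 'budha.exe', 'vres.exe') {
    $path = Join-Path $env:TEMP $name
    if (Test-Path -LiteralPath $path) {
        Get-Item -LiteralPath $path | Select-Object FullName, Length, LastWriteTime
    }
}

# 3. Cached download from the analysis. The name contains [ ], which Test-Path
#    would treat as a wildcard, so -LiteralPath is required here.
$cache = Join-Path $env:USERPROFILE 'Local Settings\Temporary Internet Files\Content.IE5\360[1].exe'
$cacheHit = Test-Path -LiteralPath $cache

"Run-key entries launching an .exe from a folder under %AppData%: $($suspiciousRun.Count)"
$suspiciousRun | Format-Table -AutoSize
"Dropped files present in %TEMP%: $(@($dropped).Count)"
$dropped | Format-Table -AutoSize
"IE cache artifact 360[1].exe present: $cacheHit"
```

A hit on the Run-key check is only an indicator, since legitimate per-user installers also launch from %AppData%; confirm by scanning the target file before quarantining it.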

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.
