W32/Waski.B!tr

Analysis


This detection has been found to be related to the Upatre malware.

  • It copies itself to the Temporary folder as kohanwere.exe.

  • It drops the following files:
    • %Temp%\[RandomName].exe : This file is a malicious executable file that uses the Windows XP platform.
    • %LocalAppData%\[RandomName_1].exe : This file is a malicious executable file that uses the Windows 7 platform.
    • %LocalAppData%\Temporary Internet Files\Content.IE5\[RandomName_2]\[RandomName_3].zip : This is a malicious zip file.
    • %LocalAppData%\Temporary Internet Files\Content.IE5\[RandomName_4]\[RandomName_5].txt

  • It creates the following mutexes to make sure that only one instance of itself is running:
    • ZonesCacheCounterMutex
    • ZonesLockedCacheCounterMutex

  • The malware disguises itself by using the PDF icon.

  • The original malware file is deleted after execution.
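The behaviours listed above can be turned into a host-side detection rule. The following is an added example, not Fortinet's code: it scores a constructed stream of endpoint events (the event dictionary layout is an assumption) against the file-drop, mutex and self-delete indicators from this analysis. The two mutex names are also created by legitimate Windows components that use urlmon.dll, so they only add to the score when a file indicator is present.

```python
import re

# Indicators from the analysis above. Environment tokens such as %Temp% are
# matched as path fragments, since telemetry carries expanded paths.
UPATRE_DROP_NAME = "kohanwere.exe"
UPATRE_MUTEXES = {"ZonesCacheCounterMutex", "ZonesLockedCacheCounterMutex"}
CONTENT_IE5_ZIP = re.compile(
    r"\\Temporary Internet Files\\Content\.IE5\\[^\\]+\\[^\\]+\.zip$", re.I)


def score_events(events):
    """Return (score, reasons) for one host's event stream.

    Each event is a dict (assumed layout): {"type": ..., "pid": ..., "path": ...}
    or, for mutexes, {"type": "mutex_create", "pid": ..., "name": ...}.
    Strong indicators count 2; mutex matches count 1 and only if a strong
    indicator was seen, because legitimate browsers create the same mutexes.
    """
    reasons, strong = [], 0
    started = set()  # lower-cased image paths of processes that started
    for ev in events:
        kind = ev["type"]
        if kind == "process_start":
            started.add(ev["path"].lower())
        elif kind == "file_create":
            path = ev["path"]
            if path.lower().endswith("\\temp\\" + UPATRE_DROP_NAME):
                reasons.append("copy to %Temp%\\" + UPATRE_DROP_NAME)
                strong += 1
            elif CONTENT_IE5_ZIP.search(path):
                reasons.append("zip dropped under Content.IE5")
                strong += 1
        elif kind == "file_delete" and ev["path"].lower() in started:
            # original file deleted after the process it launched is running
            reasons.append("self-delete of original executable")
            strong += 1
        elif kind == "mutex_create" and ev["name"] in UPATRE_MUTEXES:
            reasons.append("mutex " + ev["name"])
    weak = len(reasons) - strong
    score = strong * 2 + (weak if strong else 0)
    return score, reasons


# Constructed sample telemetry (not real captures) for one infected host
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 4120, "path": "C:\\Users\\u\\Downloads\\document.exe"},
    {"type": "file_create", "pid": 4120, "path": "C:\\Users\\u\\AppData\\Local\\Temp\\kohanwere.exe"},
    {"type": "mutex_create", "pid": 4120, "name": "ZonesCacheCounterMutex"},
    {"type": "mutex_create", "pid": 4120, "name": "ZonesLockedCacheCounterMutex"},
    {"type": "file_create", "pid": 4120, "path": "C:\\Users\\u\\AppData\\Local\\Microsoft\\Windows"
     "\\Temporary Internet Files\\Content.IE5\\A1B2C3D4\\x9k2lq.zip"},
    {"type": "file_delete", "pid": 4120, "path": "C:\\Users\\u\\Downloads\\document.exe"},
]
# Constructed benign host: a browser creating the same mutex, nothing else
BENIGN_EVENTS = [
    {"type": "process_start", "pid": 900, "path": "C:\\Program Files\\Internet Explorer\\iexplore.exe"},
    {"type": "mutex_create", "pid": 900, "name": "ZonesCacheCounterMutex"},
]
```

On the constructed infected host the three strong indicators plus both mutexes give a score of 8, while the benign browser host scores 0.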

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-02-21 91.00794
2023-02-16 91.00640
2023-02-14 91.00573
2023-01-09 90.09495
2023-01-03 90.09317
2022-12-20 90.08897
2022-12-12 90.08671
2022-11-18 90.07952
2022-11-18 90.07946
2022-11-16 90.07887