W32/Waski.B!tr
Analysis
This detection has been found to be related to the Upatre malware.
- It copies itself to the Temporary folder as kohanwere.exe.
- It drops the following files:
- %Temp%\[RandomName].exe : A malicious executable for the Windows XP platform.
- %LocalAppData%\[RandomName_1].exe : A malicious executable for the Windows 7 platform.
- %LocalAppData%\Temporary Internet Files\Content.IE5\[RandomName_2]\[RandomName_3].zip : A malicious zip archive.
- %LocalAppData%\Temporary Internet Files\Content.IE5\[RandomName_4]\[RandomName_5].txt
- It creates the following mutexes to ensure that only one instance of itself is running (note that both names are also created by ordinary Windows processes that use the Internet Explorer URL security zone cache, so the mutexes alone are a weak indicator; the dropped files above are the primary artifacts):
- ZonesCacheCounterMutex
- ZonesLockedCacheCounterMutex
- The malware disguises itself with a PDF document icon.
- The original malware file is deleted after execution, so the copy in the Temporary folder is usually the only sample left on disk.
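The file artifacts in the analysis above can be turned directly into a hunt over endpoint file-creation telemetry. The following script is an added example for this entry, not Fortinet's own tooling: it converts each path exactly as the entry writes it (with %Env% placeholders and [RandomName] components) into an anchored regex and runs it over Sysmon FileCreate (Event ID 11) records flattened to one key=value line each. The sample log lines, the user name, the random folder and file names and the indicator weights are constructed for the example; the two mutexes are deliberately not used as indicators, because urlmon creates them in any process that touches the zone cache and they would only add noise.

```python
"""Hunt for the file artifacts listed in the W32/Waski.B!tr analysis in
Sysmon FileCreate (Event ID 11) records.

Added example, not Fortinet tooling. Assumptions: Sysmon logs paths fully
expanded, the records are flattened to one key=value line each, and the
constructed sample log below stands in for a real export.
"""
import re
from dataclasses import dataclass

# The %Env% placeholders used in the entry, as regexes for the expanded path.
# Assumption: profile under C:\Users\<name>, as on Windows 7; adjust for XP.
ENV = {
    "%Temp%": r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp",
    "%LocalAppData%": r"[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local",
}


@dataclass(frozen=True)
class Indicator:
    name: str
    pattern: str  # path exactly as the entry writes it, with %Env% and [RandomName]
    weight: int   # how specific the artifact is to this family (editor's weighting, an assumption)


# Paths copied from the analysis list. The two mutexes are deliberately left out:
# urlmon creates ZonesCacheCounterMutex / ZonesLockedCacheCounterMutex in any
# process that uses the IE zone cache, so they would only add false positives.
INDICATORS = [
    Indicator("copy-to-temp", r"%Temp%\kohanwere.exe", 3),
    Indicator("dropped-zip",
              r"%LocalAppData%\Temporary Internet Files\Content.IE5\[RandomName_2]\[RandomName_3].zip", 2),
    Indicator("dropped-txt",
              r"%LocalAppData%\Temporary Internet Files\Content.IE5\[RandomName_4]\[RandomName_5].txt", 1),
    Indicator("temp-random-exe", r"%Temp%\[RandomName].exe", 1),
    Indicator("localappdata-random-exe", r"%LocalAppData%\[RandomName_1].exe", 1),
]


def to_regex(pattern: str) -> re.Pattern:
    """Turn an entry-style path into an anchored, case-insensitive regex."""
    out = []
    for part in re.split(r"(%[A-Za-z]+%|\[RandomName(?:_\d+)?\])", pattern):
        if part in ENV:
            out.append(ENV[part])
        elif part.startswith("[RandomName"):
            out.append(r"[^\\]+")       # one path component of any name
        else:
            out.append(re.escape(part))  # literal text, backslashes included
    return re.compile("^" + "".join(out) + "$", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    indicator: Indicator
    image: str    # process that created the file
    target: str   # file that was created


def hunt(lines):
    """Return the most specific matching indicator for every FileCreate line that matches one."""
    compiled = [(ind, to_regex(ind.pattern)) for ind in INDICATORS]
    hits = []
    for line in lines:
        m = re.match(r"EventID=11 Image=(.+?) TargetFilename=(.+)$", line)
        if not m:
            continue  # not a file-creation record
        image, target = m.group(1), m.group(2)
        matched = [ind for ind, rx in compiled if rx.match(target)]
        if matched:  # kohanwere.exe also matches the generic %Temp%\[RandomName].exe; keep the specific one
            hits.append(Hit(max(matched, key=lambda i: i.weight), image, target))
    return hits


def score(hits):
    """Sum of indicator weights; several distinct artifacts from the entry is the strong signal."""
    return sum(h.indicator.weight for h in hits)


# Constructed sample export; user name, paths and random names are made up for this example.
SAMPLE_LOG = r"""
EventID=11 Image=C:\Users\alice\Downloads\invoice.pdf.exe TargetFilename=C:\Users\alice\AppData\Local\Temp\kohanwere.exe
EventID=1 Image=C:\Users\alice\AppData\Local\Temp\kohanwere.exe ParentImage=C:\Users\alice\Downloads\invoice.pdf.exe
EventID=11 Image=C:\Users\alice\AppData\Local\Temp\kohanwere.exe TargetFilename=C:\Users\alice\AppData\Local\Temporary Internet Files\Content.IE5\4KQ2Z9XA\ab12cd.zip
EventID=11 Image=C:\Users\alice\AppData\Local\Temp\kohanwere.exe TargetFilename=C:\Users\alice\AppData\Local\Temporary Internet Files\Content.IE5\4KQ2Z9XA\ab12cd.txt
EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\alice\AppData\Local\Temp\setup_log.txt
EventID=11 Image=C:\Program Files\Internet Explorer\iexplore.exe TargetFilename=C:\Users\alice\AppData\Local\Temporary Internet Files\Content.IE5\M1P0QWER\logo[1].png
""".strip().splitlines()

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(f"{h.indicator.name:<24} {h.image} -> {h.target}")
    print("score:", score(found))
```

Because the original file deletes itself after running, the FileCreate record for kohanwere.exe is often the only place the original's name and location (the Image field) survive, so keep that field in any alert the hunt raises. The generic %Temp%\[RandomName].exe and %LocalAppData%\[RandomName_1].exe patterns fire on plenty of legitimate installers; they are weighted low here and only matter when they appear alongside the named copy or the Content.IE5 drops.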
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
Product | Detection available
---|---
FortiGate |
FortiClient |
FortiAPS |
FortiAPU |
FortiMail |
FortiSandbox |
FortiWeb |
Web Application Firewall |
FortiIsolator |
FortiDeceptor |
FortiEDR |