W32/Injector.DSOE!tr
Analysis
W32/Injector.DSOE!tr is a generic detection for a trojan. Because the detection is generic, samples detected as W32/Injector.DSOE!tr may differ in behaviour.
Below are examples of some of these behaviours:
- This malware may drop any of the following file(s):
- %AllUsersProfile%\fortnite updater\[Random].exe : This file is detected as W32/Neurevt.AAAZ!tr.
- %AppData%\modding tool\moddingtool.exe : This file is a copy of the original malware itself.
- %StartUp%\modding tool.vbs : This VBS file serves as an autostart for moddingtool.exe.
- %AppData%\nonya\nonyaservice.exe : This file is a copy of the original malware itself.
- %AppData%\nonya\*.dll : These files are currently classified as non-malicious.
- %CommonProgramFiles%\fortnite updater\[Random].exe : This file is detected as W32/Neurevt.AAAZ!tr.
- %CommonProgramFiles%\fortnite updater\pilwhrhat.txt : This file is a non-malicious text file.
- %MyDocuments%\msdcsc\msdcsc.exe : This file is a copy of the original malware itself.
- %ProgramFiles%\agp service\agpsvc.exe : This file is a copy of the original malware itself.
- %ProgramFiles%\scsi service\scsisvc.exe : This file is a copy of the original malware itself.
- %ProgramFiles%\upnp monitor\upnpmon.exe : This file is a copy of the original malware itself.
- %Temp%\[Random].exe : This file is detected as W32/Fareit.DCXV!tr.
- %Temp%\133593.bat : This file is detected as BAT/Small.NAN!tr.
- This malware may connect to any of the following remote site(s):
- larrydav{Removed}.cf
- hxxp://larrydav{Removed}.cf/obn/blessings/shit.exe
- hxxp://ww{Removed}.mxgaming.com/cxvcdfs/p87gd78gf.exe
- hxxp://ww{Removed}.mxgaming.com/cxvcdfs/idsfb8sdb.exe
- hxxp://ww{Removed}.mxgaming.com/pp/gate.php
- hxxp://ww{Removed}.mxgaming.com/bb/logout.php
- hxxp://larrydav{Removed}.cf/obn/blessings/gate.php
- This malware may apply any of the following registry modification(s):
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Fortnite updater = %AllUsersProfile%\fortnite updater\[Random].exe
- Microupdate = %MyDocuments%\msdcsc\msdcsc.exe
- Nonya = %AppData%\nonya\nonyaservice.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
- [Random] = %CommonProgramFiles%\fortnite updater\[Random].exe
- Fortnite updater = %AllUsersProfile%\fortnite updater\[Random].exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- Userinit = %SystemRoot%\system32\userinit.exe %MyDocuments%\msdcsc\msdcsc.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- Agp service = %ProgramFiles%\agp service\agpsvc.exe
- Scsi service = %ProgramFiles%\scsi service\scsisvc.exe
- Upnp monitor = %ProgramFiles%\upnp monitor\upnpmon.exe
- Some instances of this malware may have injector capabilities.
- The original copy of the malware is deleted after execution.
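The dropped-file paths and registry autostart values listed above are the indicators an analyst would hunt for on a host where this detection fired. The script below is an added example, not part of the Fortinet entry: it parses `reg query`-style output for the Run, RunOnce and Winlogon keys named in the entry and flags values whose data points at one of the listed drop locations, or a Winlogon Userinit value that launches anything other than the real userinit.exe (the entry's "[Random]" file names are matched as any single file name under the listed directory). The registry dump embedded in the block is constructed for the example; the user name, the random RunOnce name and the OneDrive/SecurityHealth entries are assumptions and do not come from the entry.

```python
"""Added hunting helper for the persistence indicators in this entry.

Not part of the Fortinet entry. Parses `reg query` output (a constructed
sample is embedded below) and flags autostart values that point at the
dropped-file locations listed in the entry, plus any Winlogon Userinit
value that runs something besides userinit.exe.
"""
import re

# "<directory>\<file>" tails of the entry's drop locations under their %VAR% root.
# "*" stands for the entry's [Random] file name.
INDICATOR_TAILS = [
    r"fortnite updater\*.exe",
    r"msdcsc\msdcsc.exe",
    r"nonya\nonyaservice.exe",
    r"modding tool\moddingtool.exe",
    r"modding tool.vbs",          # dropped directly into the Startup folder
    r"agp service\agpsvc.exe",
    r"scsi service\scsisvc.exe",
    r"upnp monitor\upnpmon.exe",
]


def _tail_regex(tail: str) -> re.Pattern:
    # Escape the tail, turn "*" into "one path component", and require a
    # preceding backslash so "nonya\..." cannot match "...\anonya\...".
    pattern = re.escape(tail).replace(r"\*", r"[^\\]+")
    return re.compile(r"(?:^|\\)" + pattern + r'"?(?:\s|$)', re.IGNORECASE)


INDICATOR_PATTERNS = [_tail_regex(t) for t in INDICATOR_TAILS]

# A clean Userinit value is "<windir>\system32\userinit.exe," (trailing comma);
# every other comma-separated component runs at logon for every user.
LEGIT_USERINIT = re.compile(r'^"?[a-z]:\\windows\\system32\\userinit\.exe"?$', re.IGNORECASE)

# reg query value lines: 4-space indent, then name, type and data separated by runs of spaces.
VALUE_LINE = re.compile(r"^\s+(.+?)\s{2,}(REG_\w+)\s{2,}(.*)$")


def parse_reg_query(text: str):
    """Yield (key, value_name, data) triples from `reg query` output."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line = key path
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            yield key, m.group(1), m.group(3).strip()


def userinit_extras(data: str):
    """Return every component of a Userinit value that is not the real userinit.exe."""
    parts = [p.strip() for p in data.split(",")]
    return [p for p in parts if p and not LEGIT_USERINIT.match(p)]


def find_persistence(reg_output: str):
    """Return (key, value_name, data, reason) for every suspicious autostart value."""
    findings = []
    for key, name, data in parse_reg_query(reg_output):
        if key.lower().endswith(r"\windows nt\currentversion\winlogon") and name.lower() == "userinit":
            for extra in userinit_extras(data):
                findings.append((key, name, extra, "Userinit launches something besides userinit.exe"))
            continue
        for tail, pat in zip(INDICATOR_TAILS, INDICATOR_PATTERNS):
            if pat.search(data):
                findings.append((key, name, data, f"matches dropped-file indicator {tail}"))
                break
    return findings


# Constructed sample: two clean entries plus values shaped like the entry's indicators.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Nonya    REG_SZ    C:\Users\alice\AppData\Roaming\nonya\nonyaservice.exe
    Microupdate    REG_SZ    C:\Users\alice\Documents\msdcsc\msdcsc.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    qwzkrpa    REG_SZ    C:\Program Files\Common Files\fortnite updater\qwzkrpa.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    Scsi service    REG_SZ    C:\Program Files\scsi service\scsisvc.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,C:\Users\alice\Documents\msdcsc\msdcsc.exe,
"""

if __name__ == "__main__":
    for key, name, data, reason in find_persistence(SAMPLE_REG_QUERY):
        print(f"{key}\n  {name} = {data}\n  -> {reason}")
```

On a live host the same functions can be fed the output of `reg query <key>` for each of the four keys listed above; the Userinit check is the one worth keeping even outside this family, since any extra component there survives a reboot and runs in every interactive logon.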
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
- FortiClient: Extreme
- FortiMail: Extreme
- FortiSandbox: Extreme
- FortiWeb: Extreme
- Web Application Firewall: Extreme
- FortiIsolator: Extreme
- FortiDeceptor: Extreme
- FortiEDR