W32/Injector.DSOE!tr

description-logoAnalysis



W32/Injector.DSOE!tr is a generic detection for a trojan. Since this is a generic detection, malware that are detected as W32/Injector.DSOE!tr may have varying behaviour.
Below are examples of some of these behaviours:

  • This malware may drop any of the following file(s):
    • undefinedAllUsersProfileundefined\fortnite updater\[Random].exe : This file is detected as W32/Neurevt.AAAZ!tr.
    • undefinedAppDataundefined\modding tool\moddingtool.exe : This file is a copy of the original malware itself.
    • undefinedStartUpundefined\modding tool.vbs : This VBS file will serve as an autostart for moddingtool.exe.
    • undefinedAppDataundefined\nonya\nonyaservice.exe : This file is a copy of the original malware itself.
    • undefinedAppDataundefined\nonya\*.dll : these files are currently classified none malicious.
    • undefinedCommonProgramFilesundefined\fortnite updater\[Random].exe : This file is detected as W32/Neurevt.AAAZ!tr.
    • undefinedCommonProgramFilesundefined\fortnite updater\pilwhrhat.txt : This file is non-malicious text file.
    • undefinedMyDocumentsundefined\msdcsc\msdcsc.exe : This file is a copy of the original malware itself.
    • undefinedProgramFilesundefined\agp service\agpsvc.exe : This file is a copy of the original malware itself.
    • undefinedProgramFilesundefined\scsi service\scsisvc.exe : This file is a copy of the original malware itself.
    • undefinedProgramFilesundefined\upnp monitor\upnpmon.exe : This file is a copy of the original malware itself.
    • undefinedTempundefined\[Random].exe : This file is detected as W32/Fareit.DCXV!tr.
    • undefinedTempundefined\133593.bat : This file is detected as BAT/Small.NAN!tr.

  • This malware may connect to any of the following remote sites(s):
    • larrydav{Removed}.cf
    • hxxp://larrydav{Removed}.cf/obn/blessings/shit.exe
    • hxxp://ww{Removed}.mxgaming.com/cxvcdfs/p87gd78gf.exe
    • hxxp://ww{Removed}.mxgaming.com/cxvcdfs/idsfb8sdb.exe
    • hxxp://ww{Removed}.mxgaming.com/pp/gate.php
    • hxxp://ww{Removed}.mxgaming.com/bb/logout.php
    • hxxp://larrydav{Removed}.cf/obn/blessings/gate.php

  • This malware may apply any of the following registry modification(s):
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
      • Fortnite updater = undefinedAllUsersProfileundefined\fortnite updater\[Random].exe
      • Microupdate = undefinedMyDocumentsundefined\msdcsc\msdcsc.exe
      • Nonya = undefinedAppDataundefined\nonya\nonyaservice.exe
      This automatically executes the dropped file every time the infected user logs on.
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Runonce
      • [Random] = undefinedCommonProgramFilesundefined\fortnite updater\[Random].exe
      • Fortnite updater = undefinedAllUsersProfileundefined\fortnite updater\[Random].exe
      Entries made by executable programs are deleted after being processed.
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\Currentversion\Winlogon
      • Userinit = undefinedsystemrootundefined\system32\userinit.exe undefinedMyDocumentsundefined\msdcsc\msdcsc.exe
      This registry will cause the specified program to run whenever the user logs on.
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run
      • Agp service = undefinedProgramFilesundefined\agp service\agpsvc.exe
      • Scsi service = undefinedProgramFilesundefined\scsi service\scsisvc.exe
      • Upnp monitor = undefinedProgramFilesundefined\upnp monitor\upnpmon.exe
      This registry corresponds to an autostart pointed out by windows for every restart of the host machine.

  • Some instances of this malware may have injector capabilities.

  • The original copy of the malware is deleted after execution.



recommended-action-logoRecommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiClient
Extreme
FortiMail
Extreme
FortiSandbox
Extreme
FortiWeb
Extreme
Web Application Firewall
Extreme
FortiIsolator
Extreme
FortiDeceptor
Extreme
FortiEDR

Version Updates

Date Version Detail
2019-05-03 68.25100 Sig Added
2019-05-03 68.24700 Sig Updated