VirusJS/Agent.C216!tr.dldr
Analysis
JS/Agent.C216!tr.dldr is a generic detection for a Javascript downloader trojan exploits Office DDE. Since this is a generic detection, malware that are detected as JS/Agent.C216!tr.dldr may have varying behaviour.
Below are some of its observed
characteristics/behaviours:
- Using an MSOffice DDE exploit, this malware intends to load and execute the Javascript instructions that will drop in %Temp%\[Random].sct and downloads the following:
- %Temp%\[Random].sct: The dropped file detected as JS/Agent.RNU!tr.dldr.
- %AppData%\[Random].exe: This file is detected as W32/GenKryptik.AYEB!tr.
- The issued powershell comamnd attempts to download from the following URL:
- hxxp://b.reic{Removed}.io/llsdwk.exe
- hxxp://b.reic{Removed}.io/yrrvbl.exe
- hxxp://19{Removed}.189.25.17/cgbin/mine.exe
- hxxp://19{Removed}.189.25.17/cgbin/ukbros001.exe
- hxxp://b.reic{Removed}.io/mrksbz.exe
- hxxp://b.reic{Removed}.io/bhzczx.exe
- hxxp://19{Removed}.189.25.17/cgbin/dew002.exe
- hxxp://19{Removed}.189.25.17/cgbin/ukbros002.exe
- hxxp://b.reic{Removed}.io/woqayp.exe
- hxxp://b.reic{Removed}.io/fmckqu.exe
- hxxp://19{Removed}.189.25.17/cgbin/joh001.exe
- This downloader malware usually arrives in the form of an RTF/Word document similar to the ones below:
- Figure 1: Infected document.
- Figure 2: Microsoft Office Prompt Warning.
- Figure 3: Microsoft Office Prompt Warning.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |
Version Updates
| Date | Version | Detail |
|---|---|---|
| 2018-12-25 | 65.15600 | Sig Updated |