W32/Procil.A

Analysis

This is a 32-bit keylogger with a file size of 100,572 bytes. This Trojan may have been spammed to email recipients by a malicious user in an effort to maximize the chance of someone executing the file.
If the Trojan is run, it copies itself to the System32 folder as "Explorer.exe" and then runs the copy. When "Explorer.exe" is run, it loads as a task and is visible in Task Manager. The Trojan then begins to gather sensitive information and stores it in two files, ".s" and ".l".
Contents of data files:
.s - machine information such as attached drives, environment variables, etc.
.l - clipboard memory, list of running applications and processes
SMTP Outbound Messages
The Trojan then combines the two files into a ZIP archive renamed "Log0.kla". An email message with this file attached is sent to the author of the Trojan. The email message has the following format:
From: SCKLPRO <admin@kaplishnetwork.com>
To: <ajeeb@hotpop.com>
Subject: Report of undefinedMachine Nameundefined
Body:
SC-KeyLog Activity Report
AutoKill: This Engine will delete itself after 2048 days from now.
See attached file...
Document created by SC-KeyLog

Attachment: "Log0.kla"
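A defender-side triage check for the behaviour described above, added here as an example and not part of this entry. It assumes that on a standard Windows install the legitimate explorer.exe runs from %SystemRoot% rather than System32, and it takes a constructed process listing, file listing and SMTP header block as input; indicator values are those quoted in the analysis.

```python
from email.parser import HeaderParser
from pathlib import PureWindowsPath

# Indicators quoted from the analysis above.
MAIL_FROM = "admin@kaplishnetwork.com"
MAIL_TO = "ajeeb@hotpop.com"
DROPPED_FILES = {".s", ".l", "log0.kla"}

def suspicious_explorer(image_path: str) -> bool:
    """True for a process named explorer.exe whose image lives in a System32 directory.
    Assumption: on a standard install the real shell runs from %SystemRoot% (e.g. C:\\Windows),
    so an explorer.exe under System32 is the dropped copy, not the Windows shell."""
    p = PureWindowsPath(image_path)
    return p.name.lower() == "explorer.exe" and p.parent.name.lower() == "system32"

def flag_processes(listing):
    """Return PIDs from (pid, image_path) pairs that match the persistence location."""
    return [pid for pid, path in listing if suspicious_explorer(path)]

def flag_files(names):
    """Return the dropped-artifact names (.s, .l, Log0.kla) present in a directory listing."""
    return {n for n in names if n.lower() in DROPPED_FILES}

def mail_indicators(raw_headers: str) -> list:
    """List which documented SMTP header indicators a captured header block matches."""
    msg = HeaderParser().parsestr(raw_headers)
    hits = []
    if MAIL_FROM in (msg.get("From") or ""):
        hits.append("from")
    if MAIL_TO in (msg.get("To") or ""):
        hits.append("to")
    if (msg.get("Subject") or "").startswith("Report of "):
        hits.append("subject")
    return hits

# Constructed sample input, not captured from a real host.
SAMPLE_PROCESSES = [
    (4, r"C:\Windows\explorer.exe"),              # legitimate shell
    (1337, r"C:\WINDOWS\system32\Explorer.exe"),  # dropped copy
    (2048, r"C:\Windows\System32\svchost.exe"),
]
SAMPLE_FILES = ["Log0.kla", ".s", ".l", "kernel32.dll"]
SAMPLE_HEADERS = ("From: SCKLPRO <admin@kaplishnetwork.com>\n"
                  "To: <ajeeb@hotpop.com>\n"
                  "Subject: Report of undefinedMachine Nameundefined\n\n")
```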

Recommended Action

Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.

Detection Availability

FortiGate - Extended
FortiClient - Extreme
FortiAPS
FortiAPU
FortiMail - Extreme
FortiSandbox - Extreme
FortiWeb - Extreme
Web Application Firewall - Extreme
FortiIsolator - Extreme
FortiDeceptor - Extreme
FortiEDR