W32/Kwampirs.XWA!tr
Analysis
W32/Kwampirs.XWA!tr is a highly generic detection for a Kwampirs Trojan.
Since this is a generic detection, malware detected as W32/Kwampirs.XWA!tr may exhibit varying behaviour.
Below are examples of some of these behaviours:
- Upon execution, this malware drops a data file at %Windows%\inf\ie11.PNF.
- The following service-related registry modifications are applied:
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WmiApSrvEx
    - ImagePath = %SystemRoot%\system32\[OriginalMalwareExecuted].exe
    - DisplayName = "WMI Performance Adapter Extension"
    - DependOnService = RpcSs
    - ObjectName = "LocalSystem"
    - Description = "Provides extensional information of performance library from Windows Management Instrumentation (WMI)."
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\WmiApSrvEx
- Upon execution, the malware displays the following:
  - Figure 1: Display during execution.
- This malware has been associated with an attack known as Orange Worm. The malware was involved in targeting medical/health care equipment and facilities through its backdoor capabilities, and was known to have spread through network shares within the local network.
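The artifacts listed above (the dropped ie11.PNF file and the WmiApSrvEx service key with its ImagePath) are enough for a host-level check. The PowerShell below is an added example, not code from the Fortinet entry: it reads the registry and file system without changing anything, hashes the binary that ImagePath points at so the hash can be compared against AV telemetry, and reports whether the service is known to the Service Control Manager. The function name, the report layout, and the use of $env:SystemRoot for %Windows% are this example's own assumptions; the paths, key and value names come from the entry.

```powershell
# Added example (not part of the Fortinet entry): read-only hunt for the
# W32/Kwampirs.XWA!tr artifacts described above. Only the file path, service
# name and value names come from the entry; everything else is assumed here.

function Get-KwampirsIndicators {
    $findings = @()

    # Indicator 1: dropped data file %Windows%\inf\ie11.PNF
    # (%Windows% is taken to mean $env:SystemRoot, normally C:\Windows).
    $pnfPath = Join-Path $env:SystemRoot 'inf\ie11.PNF'
    if (Test-Path -LiteralPath $pnfPath) {
        $pnf = Get-Item -LiteralPath $pnfPath
        $findings += [pscustomobject]@{
            Indicator = 'Dropped data file'
            Detail    = "$pnfPath ($($pnf.Length) bytes, last write $($pnf.LastWriteTime))"
        }
    }

    # Indicator 2: persistence service key WmiApSrvEx under CurrentControlSet\services.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\services\WmiApSrvEx'
    if (Test-Path -LiteralPath $svcKey) {
        $svc = Get-ItemProperty -LiteralPath $svcKey
        $findings += [pscustomobject]@{
            Indicator = 'Service registry key'
            Detail    = "DisplayName='$($svc.DisplayName)' ObjectName='$($svc.ObjectName)' DependOnService='$($svc.DependOnService)'"
        }

        # The entry says ImagePath points at a renamed copy of the executed
        # sample under %SystemRoot%\system32. Expand the variable, strip
        # surrounding quotes (assumption: no trailing arguments) and hash it.
        if ($svc.ImagePath) {
            $exe = [Environment]::ExpandEnvironmentVariables($svc.ImagePath).Trim('"')
            $detail = "ImagePath=$exe"
            if (Test-Path -LiteralPath $exe) {
                $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
                $detail += " SHA256=$hash"
            } else {
                $detail += ' (file not present on disk)'
            }
            $findings += [pscustomobject]@{ Indicator = 'Service binary'; Detail = $detail }
        }

        # Report the service as the Service Control Manager currently sees it.
        $state = Get-Service -Name 'WmiApSrvEx' -ErrorAction SilentlyContinue
        if ($state) {
            $findings += [pscustomobject]@{
                Indicator = 'Service state'
                Detail    = "$($state.Name) is $($state.Status) (StartType $($state.StartType))"
            }
        }
    }

    return $findings
}

# Usage: run in an elevated PowerShell session on the host being checked.
$results = @(Get-KwampirsIndicators)
if ($results.Count -eq 0) {
    Write-Output 'None of the W32/Kwampirs.XWA!tr artifacts from this entry were found.'
} else {
    $results | Format-Table -AutoSize -Wrap
}
```

A hit on the service key alone is the strongest signal here: the legitimate WMI Performance Adapter service is named WmiApSrv, without the "Ex" suffix, so an installed WmiApSrvEx service should be treated as suspect and its binary submitted to the AV engine rather than deleted outright, in line with the quarantine guidance below.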
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
- FortiGate
  - Extended
- FortiClient
- FortiMail
- FortiSandbox
- FortiWeb
- Web Application Firewall
- FortiIsolator
- FortiDeceptor
- FortiEDR
Version Updates
Date | Version | Detail |
---|---|---|
2020-07-23 | 79.08500 | Sig Updated |
2020-05-21 | 77.59200 | Sig Added |
2020-05-19 | 77.53700 | Sig Updated |
2020-04-21 | 76.87400 | Sig Updated |
2020-04-21 | 76.87100 | Sig Updated |
2020-04-21 | 76.86800 | Sig Updated |
2020-02-13 | 75.23900 | Sig Updated |
2019-06-25 | 69.51800 | Sig Updated |
2019-05-03 | 68.25100 | Sig Updated |
2019-05-03 | 68.25000 | Sig Updated |