W32/Injector.DZKV!tr
Analysis
W32/Injector.DZKV!tr is a generic detection for a trojan. Because the detection is generic, samples detected as W32/Injector.DZKV!tr may differ in behaviour.
Below are some of its observed characteristics/behaviours:
- This malware may:
- provide remote access to the infected computer, including keylogging and botnet functionality.
- steal files and computer information.
- mine cryptocurrency.
- disable anti-virus features of Windows Defender.
- download other malware.
- download and install Adobe Flash Player as a decoy to mask its malicious background activity.
- This malware may drop any of the following file(s):
- %AppData%\Install\Host.exe: This is a copy of the malware.
- %AppData%\Chromium.exe: This is a copy of the malware.
- %AppData%\SkypeBrowserHost\SkypeBrowserHost.exe: This is a copy of the malware.
- %AppData%\WinHelper32.exe\WindowsHelper32.exe: This is a copy of the malware.
- %AppData%\expllor\explor.exe: This is a copy of the malware.
- %AppData%\dwm.exe: This is a copy of the malware.
- %AppData%\vcugciujcbijbsucgeze\fyfsuahgvudaufeze.exe: This is a copy of the malware.
- %AppData%/Equity Office Properties Trust.exe: This is a copy of the malware.
- %Startup%\Wordpad.exe: This is a copy of the malware that will execute when the infected system starts up.
- %AppData%\Microsoft\explorer.exe: This file may be detected as W32/Injector.DZKV!tr.
- %AppData%\Microsoft\manager.exe: This file may be detected as W32/Injector.DZKV!tr.
- %Templates%\now.exe: This file may be detected as AutoIt/Agent.DB!tr.
- %AppData%\pos.exe: This is a downloaded keylogger. If the download domain for the keylogger is no longer available, the file may instead be an HTML document (the server's error page).
- %Startup%\WinHelper32.exe.vbs: This file will serve as an autostart for the malware itself.
- %Startup%\expllor.vbs: This file will serve as an autostart for the malware itself.
- %Startup%\list.vbs: This file will serve as an autostart for the malware itself.
- %Startup%\vcugciujcbijbsucgeze.vbs: This file will serve as an autostart for the malware itself.
- %Startup%\SkypeBrowserHost.vbs: This file will serve as an autostart for the malware itself.
- %AppData%\flog.log, %AppData%\elog.log, %AppData%\grabbed.log: These files are used for logging the activities of the infected user.
- %AppData%\Imminent\Monitoring\network.dat, %AppData%\Imminent\Monitoring\system.dat, %AppData%\Imminent\Monitoring\Logs\{date}: These files are used for logging the activities of the infected user.
- %Temp%\{random}.bat: This batch file deletes the original malware, and is detected as BAT/Small.NAN!tr.
- This malware may delete itself after executing.
- This malware may connect to any of the following websites:
- hxxp://jus{removed}.pw/Ebkmmkke/outline/c-code/fre.php
- hxxp://boa{removed}.com/wp-content/upgrade/panel/five/fre.php
- hxxp://fal{removed}.com/001/Panel/five/fre.php
- hxxp://tal{removed}.nut.cc/111bu09304/fred.php
- hxxp://buc{removed}.website/don-wan/fred.php
- hxxp://23a{removed}.site/diamond/plugins/keylogger.p
- zpr{removed}.online: This domain is used for cryptocurrency mining.
- don{removed}.ddns.net
- ike{removed}.duckdns.org
- www.lay{removed}.info
- geh{removed}.ml
- 198.54.116.221: This IP address is associated with the Loki botnet.
- 80.233.134.202: This IP address is associated with the Loki botnet.
- This malware may apply any of the following registry modification(s):
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- Netwire = %AppData%\Install\Host.exe
- Equity Office Properties Trust = %AppData%/Equity Office Properties Trust.exe
- This malware may schedule a Windows Task to execute itself.
- This malware may check whether it is running in a virtual machine and behave differently if so.
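As an added triage example, not part of the Fortinet entry: the Python below expands the placeholder paths listed above into a real profile path, sweeps a collected file inventory and Run-key dump for the dropped files and for any .vbs autostart in the Startup folder, and matches proxy log lines against the two botnet IPs and the fre.php/fred.php panel scripts that end every listed C2 URL (the hostnames themselves are redacted on the page). The profile root, the sample inventory, the Run entries and the proxy lines are constructed; the dynamic-DNS heuristic and the choice to match on panel script names are assumptions of this example, not statements from the page.

```python
import re
from urllib.parse import urlparse

# Dropped-file paths from the entry above, kept with the page's placeholders
# (including the forward slash in the "Equity Office" path, which expand()
# normalises). Comparison is case-insensitive after expansion.
DROPPED_FILES = [
    r"%AppData%\Install\Host.exe", r"%AppData%\Chromium.exe",
    r"%AppData%\SkypeBrowserHost\SkypeBrowserHost.exe",
    r"%AppData%\WinHelper32.exe\WindowsHelper32.exe",
    r"%AppData%\expllor\explor.exe", r"%AppData%\dwm.exe",
    r"%AppData%\vcugciujcbijbsucgeze\fyfsuahgvudaufeze.exe",
    r"%AppData%/Equity Office Properties Trust.exe",
    r"%Startup%\Wordpad.exe", r"%AppData%\Microsoft\explorer.exe",
    r"%AppData%\Microsoft\manager.exe", r"%Templates%\now.exe",
    r"%AppData%\pos.exe", r"%Startup%\WinHelper32.exe.vbs",
    r"%Startup%\expllor.vbs", r"%Startup%\list.vbs",
    r"%Startup%\vcugciujcbijbsucgeze.vbs", r"%Startup%\SkypeBrowserHost.vbs",
    r"%AppData%\flog.log", r"%AppData%\elog.log", r"%AppData%\grabbed.log",
    r"%AppData%\Imminent\Monitoring\network.dat",
    r"%AppData%\Imminent\Monitoring\system.dat",
]
RUN_VALUE_NAMES = {"netwire", "equity office properties trust"}
C2_IPS = {"198.54.116.221", "80.233.134.202"}   # Loki botnet IPs from the page
C2_SCRIPTS = {"fre.php", "fred.php"}            # panel scripts ending the listed URLs
DYNDNS_SUFFIXES = (".duckdns.org", ".ddns.net")  # assumption: flag dynamic DNS hosts


def expand(path, user_root):
    """Expand %AppData%/%Startup%/%Templates%/%Temp% for one profile root."""
    roaming = user_root + r"\AppData\Roaming"
    env = {
        "appdata": roaming,
        "startup": roaming + r"\Microsoft\Windows\Start Menu\Programs\Startup",
        "templates": roaming + r"\Microsoft\Windows\Templates",
        "temp": user_root + r"\AppData\Local\Temp",
    }
    path = re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), path)
    return path.replace("/", "\\").lower()


def match_files(file_inventory, user_root):
    """Known dropped files, plus any .vbs in the Startup folder (the autostart pattern)."""
    wanted = {expand(p, user_root): p for p in DROPPED_FILES}
    startup = expand("%Startup%", user_root) + "\\"
    hits = []
    for f in file_inventory:
        n = f.replace("/", "\\").lower()
        if n in wanted:
            hits.append(("known_dropped_file", wanted[n], f))
        elif n.startswith(startup) and n.endswith(".vbs"):
            hits.append(("vbs_in_startup", None, f))
    return hits


def match_run_keys(run_entries, user_root):
    """Run values named as on the page, or pointing at a known dropped file."""
    wanted = {expand(p, user_root) for p in DROPPED_FILES}
    hits = []
    for key, name, data in run_entries:
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        if name.lower() in RUN_VALUE_NAMES or expand(data.strip('"'), user_root) in wanted:
            hits.append(("run_key", name, data))
    return hits


def match_proxy_log(lines):
    """Constructed log format: '<timestamp> <client> <method> <url>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        method, url = parts[2], parts[3]
        u = urlparse(url)
        host = (u.hostname or "").lower()
        script = u.path.rsplit("/", 1)[-1].lower()
        if host in C2_IPS:
            hits.append(("loki_c2_ip", host, url))
        elif script in C2_SCRIPTS and method == "POST":
            hits.append(("panel_checkin", script, url))
        elif host.endswith(DYNDNS_SUFFIXES):
            hits.append(("dynamic_dns", host, url))
    return hits


def sweep(user_root, files, run_entries, proxy_lines):
    return (match_files(files, user_root) + match_run_keys(run_entries, user_root)
            + match_proxy_log(proxy_lines))


# Constructed sample triage data (one profile, a Run-key dump, four proxy lines).
USER_ROOT = r"C:\Users\alice"
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\Install\Host.exe",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\list.vbs",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.vbs",
    r"C:\Users\alice\AppData\Roaming\Microsoft\Teams\Teams.exe",
]
SAMPLE_RUN = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Netwire", r"%AppData%\Install\Host.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]
SAMPLE_PROXY = [
    "2023-01-01T10:00:00Z 10.0.0.5 POST http://panel.example.invalid/wp-content/upgrade/panel/five/fre.php",
    "2023-01-01T10:00:05Z 10.0.0.5 GET http://198.54.116.221/index.php",
    "2023-01-01T10:00:09Z 10.0.0.5 GET http://host.duckdns.org/",
    "2023-01-01T10:01:00Z 10.0.0.5 GET https://www.example.com/",
]

if __name__ == "__main__":
    for hit in sweep(USER_ROOT, SAMPLE_FILES, SAMPLE_RUN, SAMPLE_PROXY):
        print(*hit)
```

On a real case, feed match_files a recursive listing of each user profile (or a KAPE/triage file list), feed match_run_keys an export of each user's Run key, and run the sweep once per profile root; the unknown .vbs in Startup is reported even though it is not on the page's list, because the page's autostart pattern is a .vbs launcher rather than a fixed filename.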
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | AV database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |