W32/Injector.DZKV!tr

Analysis

W32/Injector.DZKV!tr is a generic detection for a trojan. Since this is a generic detection, malware that are detected as W32/Injector.DZKV!tr may have varying behaviour.
Below are some of its observed characteristics/behaviours:

• This malware may:
  • provide remote access to the infected computer, including keylogging and botnet functionality.
  • steal files and computer information.
  • mine cryptocurrency.
  • disable anti-virus features of Windows Defender.
  • download other malware.
  • download and install Adobe Flash Player to hide malicious background activity.
  
  
• This malware may drop any of the following file(s):
  
  • %AppData%\Install\Host.exe: This is a copy of the malware.
  • %AppData%\Chromium.exe: This is a copy of the malware.
  • %AppData%\SkypeBrowserHost\SkypeBrowserHost.exe: This is a copy of the malware.
  • %AppData%\WinHelper32.exe\WindowsHelper32.exe: This is a copy of the malware.
  • %AppData%\expllor\explor.exe: This is a copy of the malware.
  • %AppData%\dwm.exe: This is a copy of the malware.
  • %AppData%\vcugciujcbijbsucgeze\fyfsuahgvudaufeze.exe: This is a copy of the malware.
  • %AppData%/Equity Office Properties Trust.exe: This is a copy of the malware.
  • %Startup%\Wordpad.exe: This is a copy of the malware that will execute when the infected system starts up.
  • %AppData%\Microsoft\explorer.exe: This file may be detected as W32/Injector.DZKV!tr.
  • %AppData%\Microsoft\manager.exe: This file may be detected as W32/Injector.DZKV!tr.
  • %Templates%\now.exe: This file may be detected as AutoIt/Agent.DB!tr.
  • %AppData%\pos.exe: This may be a keylogger or an HTML document, if the download domain for the keylogger is no longer available.
  • %Startup%\WinHelper32.exe.vbs: This file will serve as an autostart for the malware itself.
  • %Startup%\expllor.vbs: This file will serve as an autostart for the malware itself.
  • %Startup%\list.vbs: This file will serve as an autostart for the malware itself.
  • %Startup%\vcugciujcbijbsucgeze.vbs: This file will serve as an autostart for the malware itself.
  • %Startup%\SkypeBrowserHost.vbs: This file will serve as an autostart for the malware itself.
  • %AppData%\flog.log, %AppData%\elog.log, %AppData%\grabbed.log: These files are used for logging the activities of the infected user.
  • %AppData%\Imminent\Monitoring\network.dat, %AppData%\Imminent\Monitoring\system.dat, %AppData%\Imminent\Monitoring\Logs\{date}: These files are used for logging the activities of the infected user.
  • %Temp%\{random}.bat : This Batch file deletes the original malware itself, detected as BAT/Small.NAN!tr.


• This malware may delete itself after executing.


• This malware may connect to any of the following websites:
  
  • hxxp://jus{removed}.pw/Ebkmmkke/outline/c-code/fre.php
  • hxxp://boa{removed}.com/wp-content/upgrade/panel/five/fre.php
  • hxxp://fal{removed}.com/001/Panel/five/fre.php
  • hxxp://tal{removed}.nut.cc/111bu09304/fred.php
  • hxxp://buc{removed}.website/don-wan/fred.php
  • hxxp://23a{removed}.site/diamond/plugins/keylogger.p
  • zpr{removed}.online: This domain is used for cryptocurrency mining.
  • don{removed}.ddns.net
  • ike{removed}.duckdns.org
  • www.lay{removed}.info
  • geh{removed}.ml
  • 198.54.116.221: This IP address is associated with the Loki botnet.
  • 80.233.134.202: This IP address is associated with the Loki botnet.


• This malware may apply any of the following registry modification(s):
  
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
    
    • Netwire = %AppData%\Install\Host.exe
    • Equity Office Properties Trust = %AppData%/Equity Office Properties Trust.exe
    This automatically executes the dropped file every time the infected user logs on.
    


• This malware may schedule a Windows Task to execute itself.


• This malware may behave differently in a virtual machine.

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.