VirusW32/Dloader.MI!tr
Analysis
- Sample is packed with ASPack.
- This trojan is downloaded by JS/Small.CQ!tr.dldr.
- Downloads the following files:
- http://wz{REMOVED}/eupdate.exe : detected as W32/Chimoz.AC!tr
- http://wz{REMOVED}/explore.exe : detected as W32/Chimoz.V!tr
- http://wz{REMOVED}/iupdate.exe : detected as W32/Chimoz.AB!tr
- http://wz{REMOVED}/intranet.exe : detected as W32/Chimoz.AD!tr
- http://wz{REMOVED}/tupdate.exe : detected as W32/Chimoz.AF!tr
- http://wz{REMOVED}/taskmor.exe : detected as W32/Chimoz.U!tr
- http://www.wz{REMOVED}/service.exe : detected as W32/Chimoz.AG!tr
The service.exe file is saved in the undefinedWINDOWSundefined\System32 folder, while the rest of the files are saved to the Windows folder. The files are then executed.
Autostart Mechanism
- Creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Explore.exe = "undefinedWINDOWSundefined\explore.exe"
Taskmor.exe = "undefinedWINDOWSundefined\taskmor.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Intranet = ""undefinedWINDOWSundefined\ntssl.exe"
Recommended Action
-
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |
Version Updates
| Date | Version | Detail |
|---|---|---|
| 2019-12-28 | 74.13400 | Sig Added |