W32/Chimoz.AG!tr
Analysis
- Sample is packed with ASPack.
- This trojan is downloaded by W32/Dloader.MI!tr and W32/Chimoz.AD!tr.
- Attempts to downloads the following files:
- http://wz{REMOVED}/eupdate.exe : detected as W32/Chimoz.AC!tr
- http://wz{REMOVED}/explore.exe : detected as W32/Chimoz.V!tr
- http://www.wz{REMOVED}/sf/intranet.exe : detected as W32/Chimoz.AD!tr
- http://www.wz{REMOVED}/sf/iupdate.exe : detected as W32/Chimoz.AB!tr
- http://wz{REMOVED}/tupdate.exe : detected as W32/Chimoz.AF!tr
- http://wz{REMOVED}/taskmor.exe : detected as W32/Chimoz.U!tr
- http://www.wz{REMOVED}/sf/winlogin.exe : detected as W32/Chimoz.AH!tr
- http://wz{REMOVED}/sf/wupdate.exe : detected as W32/Chimoz.AB!tr
It saves the downloaded files to the Windows folder, then executes them.
- Creates the following registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Intranet = "undefinedWINDOWSundefined\intranet.exe"
Recommended Action
-
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
Telemetry
Detection Availability
FortiClient | |
---|---|
Extreme | |
FortiMail | |
Extreme | |
FortiSandbox | |
Extreme | |
FortiWeb | |
Extreme | |
Web Application Firewall | |
Extreme | |
FortiIsolator | |
Extreme | |
FortiDeceptor | |
Extreme | |
FortiEDR |