W32/Chimoz.AD!tr
Analysis
- Sample is packed with ASPack.
- This trojan is downloaded by W32/Dloader.MI!tr and W32/Chimoz.AB!tr.
- Attempts to downloads the following files:
- http://wz{REMOVED}/eupdate.exe : detected as W32/Chimoz.AC!tr
- http://wz{REMOVED}/explore.exe : detected as W32/Chimoz.V!tr
- http://www.wz{REMOVED}/service.exe : detected as W32/Chimoz.AG!tr
- http://wz{REMOVED}/tupdate.exe : detected as W32/Chimoz.AF!tr
- http://wz{REMOVED}/taskmor.exe : detected as W32/Chimoz.U!tr
- http://www.wz{REMOVED}/sf/winlogin.exe : detected as W32/Chimoz.AH!tr
- http://www.wz{REMOVED}/sf/wupdate.exe : detected as W32/Chimoz.AB!tr
The service.exe file is saved in the undefinedWINDOWSundefined\System32 folder, while the rest of the files are saved to the Windows folder. The files are then executed.
- Creates the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Explore.exe = "undefinedWINDOWSundefined\explore.exe"
Taskmor.exe = "undefinedWINDOWSundefined\taskmor.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Intranet = "undefinedWINDOWSundefined\intranet.exe" - Connects to the following URL:
http://wz{REMOVED}/sf/versioni.txt
Recommended Action
-
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
Telemetry
Detection Availability
FortiClient | |
---|---|
Extreme | |
FortiMail | |
Extreme | |
FortiSandbox | |
Extreme | |
FortiWeb | |
Extreme | |
Web Application Firewall | |
Extreme | |
FortiIsolator | |
Extreme | |
FortiDeceptor | |
Extreme | |
FortiEDR |