W32/Chimoz.AD!tr

Analysis

  • Sample is packed with ASPack.
  • This trojan is downloaded by W32/Dloader.MI!tr and W32/Chimoz.AB!tr.
  • Attempts to download the following files:
    • http://wz{REMOVED}/eupdate.exe : detected as W32/Chimoz.AC!tr
    • http://wz{REMOVED}/explore.exe : detected as W32/Chimoz.V!tr
    • http://www.wz{REMOVED}/service.exe : detected as W32/Chimoz.AG!tr
    • http://wz{REMOVED}/tupdate.exe : detected as W32/Chimoz.AF!tr
    • http://wz{REMOVED}/taskmor.exe : detected as W32/Chimoz.U!tr
    • http://www.wz{REMOVED}/sf/winlogin.exe : detected as W32/Chimoz.AH!tr
    • http://www.wz{REMOVED}/sf/wupdate.exe : detected as W32/Chimoz.AB!tr

    The service.exe file is saved in the %WINDOWS%\System32 folder, while the rest of the files are saved to the Windows folder. The files are then executed.
  • Creates the following registry entries:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      Explore.exe = "%WINDOWS%\explore.exe"
      Taskmor.exe = "%WINDOWS%\taskmor.exe"
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
      Intranet = "%WINDOWS%\intranet.exe"
  • Connects to the following URL:
    http://wz{REMOVED}/sf/versioni.txt

Recommended Action

    FortiGate Systems
  • Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.

Telemetry

Detection Availability

    FortiClient              Extreme
    FortiMail                Extreme
    FortiSandbox             Extreme
    FortiWeb                 Extreme
    Web Application Firewall Extreme
    FortiIsolator            Extreme
    FortiDeceptor            Extreme
    FortiEDR