W32/PWS.Y!tr

Analysis

W32/PWS.Y!tr is a highly generic detection for a trojan and possible attacker tools. Since this is a generic detection, malware that are detected as W32/PWS.Y!tr may have varying behaviour.
Below are examples of some of these behaviours:

• During our tests, some instances of this malware may drop any of the following file(s):
  
  • %AppData%\1337\21.01.18.exe : This file is currently detected as W32/PWS.Y!tr.
  • %AppData%\1337\joinResult.exe : This file is currently detected as W32/PWS.Y!tr.
  • %AppData%\1337\mm.exe : This file is currently detected as W32/CoinMiner.DQ!tr.
  • %AppData%\system\svchost.exe : This file is currently detected as Riskware/BitMiner.
  • %RootDir%\Log\build.exe : This file is currently detected as Riskware/BitCoinMiner.
  • %ProgramData%\Windows\System32\x64\afdf598d77d6cbb1453204382b7a3c48e7b20daf1efc336c03ead96a8e36a70c : This file is currently detected as PossibleThreat.
  • %ProgramData%\olly.exe : This file is currently detected as PossibleThreat.
  • %ProgramData%\Windows\System32\x64\afdf598d77d6cbb1453204382b7a3c48e7b20daf1efc336c03ead96a8e36a70c : This file is currently detected as PossibleThreat.
  • %AppData\1337\Fan.exe : This file is currently detected as Generik.JEPNUSQ!tr.
  • %ProgramFiles%\miped\qwiget\this is wiiiget!.exe : This file is currently rated none malicious application.
  • %SystemDrive%\log\shfhc.vbs : At the time of the test this file failed to be dropped.
  • %Temp%\d3dx11_31.dll : At the time of the test this file failed to be dropped.


• This malware may connect to any of the following remote sites(s):
  
  • mosol{Removed}.com
  • xm{Removed}.pool.minergate.com
  • iplogge{Removed}.com
  • hxxp://mosol{Removed}.com/hfUJRMDK64HDF/gate.php
  • hxxp://mosol{Removed}.com/hfUJRMDK64HDF/file/relse.exe


• This malware may apply any of the following registry modification(s):
  
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run
    
    • Fant = %SystemDrive%\log\shfhc.vbs
    This registry corresponds to an autostart pointed out by windows for every restart of the host machine.
    
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
    
    • This is wiiiget! = %ProgramFiles%\miped\qwiget\this is wiiiget!.exe
    • Directx 11 = rundll32 %Temp%\d3dx11_31.dll includes_func_runnded
    This automatically executes the dropped file every time the infected user logs on.
    


• Some samples belonging to this detection have attacker tools like behavior, much like a Riskware.


• Some instance of this detection may also have coin mining capabilities.


• Some instances of this malware may displays any of the following user interface:
  

  Figure 1: Prompt Message.

  
  

  Figure 2: Prompt Message.

  
  

  Figure 3: Prompt Message.

  
  

  Figure 4: User Interface.

  
  

  Figure 5: User Interface.

  
  

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.