W32/Agent.AJFK!tr

Analysis

W32/Agent.AJFK!tr is a generic detection for a keylogger/botnet/downloader trojan. Since this is a generic detection, malware detected as W32/Agent.AJFK!tr may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware may drop any of the following file(s):
    • %systemroot%\system\cmsys.cmn : This file is non-malicious.
    • %systemroot%\system\spoolsv.exe: This file is detected as W32/Agent.AJFK!tr.
    • %systemroot%\system\explorer.exe: This file is detected as W32/Agent.AJFK!tr.
    • %systemroot%\system\svchost.exe: This file is detected as W32/Agent.AJFK!tr.
    • %appdata%\mrsys.exe: This file is detected as W32/Agent.AJFK!tr.
    • %Appdata%\[Random1]\[Random2].lck: This file is non-malicious.
    • %Appdata%\[Random1]\[Random2].exe: This file is detected as W32/Agent.AJFK!tr.
    • %temp%\[Random].tmp: This file is non-malicious.
    • %Appdata%\svchost.exe: This file is the copy of the original malware itself.
    • %startup%\wordpad.exe: This file is the copy of the original malware itself.
    • %Appdata%\dwm.exe: This file is the copy of the original malware itself.

  • This malware may connect to any of the following remote site(s):
    • naval.duckdn{Removed}.org
    • quantumeqyp{Removed}.com
    • lopxin{Removed}.bid
    • 23ac{Removed}.site
    • hxxp://cm-g{Removed}.com/new/five/five/fre.php
    • hxxp://23ac{Removed}.site/fox/plugins/keylogger.p
    • hxxp://23ac{Removed}.site/fox/plugins/ftp.p

  • This malware may apply any of the following registry modification(s):
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\RunOnce
      • Explorer = %systemroot%\explorer.exe RO
      This automatically executes the dropped file every time a new user logs in.

    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\RunOnce
      • Svchost = %systemroot%\svchost.exe RO
      This automatically executes the dropped file every time a new user logs in.

    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\Currentversion\Winlogon
      • Shell = %systemroot%\explorer.exe, c:\windows\system\explorer.exe
      This automatically executes the dropped file every time the user logs in.

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
      • ShowSuperHidden = 0
      This registry entry hides super-hidden (protected operating system) files in Explorer when set to 0 (false).

  • Some instances of this malware have been observed to download and run information-stealing trojans capable of stealing credentials from browsers, FTP clients, and email clients, along with stealing bitcoin wallets and attempting keylogging and screenshot capture.
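As an added defender-side example (this is not Fortinet's code and not part of the original advisory), the following read-only PowerShell triage script checks a Windows host for the dropped files and registry values listed above and prints what it finds. It assumes that %startup% means the per-user Startup folder, that the Winlogon key uses the standard "Windows NT" spelling, and that the .lck and .exe under %Appdata%\[Random1] share the same random stem as the advisory shows; %temp%\[Random].tmp is skipped because a bare .tmp name carries no signal. The script changes nothing on the host.

```powershell
# Added host-triage example (not Fortinet code). Read-only: it reports indicators
# from the W32/Agent.AJFK!tr advisory and changes nothing on the host.
# Assumptions: %startup% = per-user Startup folder; Winlogon key spelled "Windows NT";
# %temp%\[Random].tmp is skipped as too noisy to be useful.

$findings = New-Object 'System.Collections.Generic.List[string]'

function Add-Finding {
    param([string]$Severity, [string]$Message)
    $findings.Add("[$Severity] $Message")
}

# Safe registry read: returns $null when the key or the value does not exist.
function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($item -and $item.PSObject.Properties[$Name]) { return $item.$Name }
    return $null
}

# --- 1. Fixed drop locations listed in the advisory ---------------------------
$systemRoot = $env:SystemRoot
$appData    = $env:APPDATA
$startup    = [Environment]::GetFolderPath('Startup')   # assumption for %startup%

# Legitimate spoolsv.exe / svchost.exe live in %systemroot%\System32 and
# explorer.exe in %systemroot%; copies under %systemroot%\system are not expected.
$dropPaths = @(
    @{ Path = Join-Path $systemRoot 'system\cmsys.cmn';    Sev = 'MEDIUM'; Note = 'non-malicious companion file, still an indicator' },
    @{ Path = Join-Path $systemRoot 'system\spoolsv.exe';  Sev = 'HIGH';   Note = 'detected as W32/Agent.AJFK!tr' },
    @{ Path = Join-Path $systemRoot 'system\explorer.exe'; Sev = 'HIGH';   Note = 'detected as W32/Agent.AJFK!tr' },
    @{ Path = Join-Path $systemRoot 'system\svchost.exe';  Sev = 'HIGH';   Note = 'detected as W32/Agent.AJFK!tr' },
    @{ Path = Join-Path $appData    'mrsys.exe';           Sev = 'HIGH';   Note = 'detected as W32/Agent.AJFK!tr' },
    @{ Path = Join-Path $appData    'svchost.exe';         Sev = 'HIGH';   Note = 'copy of the original sample' },
    @{ Path = Join-Path $appData    'dwm.exe';             Sev = 'HIGH';   Note = 'copy of the original sample' },
    @{ Path = Join-Path $startup    'wordpad.exe';         Sev = 'HIGH';   Note = 'copy of the original sample' }
)
foreach ($d in $dropPaths) {
    if (Test-Path -LiteralPath $d.Path -PathType Leaf) {
        Add-Finding $d.Sev "File present: $($d.Path) ($($d.Note))"
    }
}

# --- 2. %Appdata%\[Random1]\[Random2].lck + [Random2].exe pairs ----------------
# The advisory gives the same random stem for the .lck and the .exe, so look for
# a .lck one level under AppData with an .exe of the same base name beside it.
Get-ChildItem -LiteralPath $appData -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    Get-ChildItem -LiteralPath $_.FullName -Filter '*.lck' -File -ErrorAction SilentlyContinue | ForEach-Object {
        $exe = [System.IO.Path]::ChangeExtension($_.FullName, '.exe')
        if (Test-Path -LiteralPath $exe -PathType Leaf) {
            Add-Finding 'HIGH' "Paired .lck/.exe under AppData: $exe"
        }
    }
}

# --- 3. Persistence and evasion registry values -------------------------------
$runOnce = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($name in @('Explorer', 'Svchost')) {
    $v = Get-RegValue $runOnce $name
    if ($v) { Add-Finding 'HIGH' "RunOnce\$name = '$v'" }
}

$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = Get-RegValue $winlogon 'Shell'
# The default value is exactly "explorer.exe"; the advisory's value appends a second path.
if ($shell -and ($shell.Trim() -ne 'explorer.exe')) {
    Add-Finding 'HIGH' "Winlogon Shell modified: '$shell'"
}

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$ssh = Get-RegValue $advanced 'ShowSuperHidden'
# 0 is also the Windows default, so on its own this is weak evidence.
if ($ssh -eq 0) {
    Add-Finding 'LOW' 'ShowSuperHidden = 0 (protected OS files hidden; default, but also set by this malware)'
}

# --- Report -------------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Output 'No W32/Agent.AJFK!tr indicators found.'
} else {
    $findings | Sort-Object | ForEach-Object { Write-Output $_ }
}
```

Run it in an elevated PowerShell session so the HKLM keys and %systemroot%\system are readable; a HIGH finding on the file checks or the Winlogon Shell value is the strongest signal here, while ShowSuperHidden = 0 alone matches a default Windows install and should only be read together with the other results.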

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

  • FortiGate
  • FortiClient
  • FortiAPS
  • FortiAPU
  • FortiMail
  • FortiSandbox
  • FortiWeb
  • Web Application Firewall
  • FortiIsolator
  • FortiDeceptor
  • FortiEDR

Version Updates

Date         Version     Detail
2023-02-27   91.00982
2023-02-16   91.00655
2023-02-16   91.00640
2023-02-14   91.00565
2022-12-27   90.09105
2022-12-20   90.08897
2022-11-15   90.07857
2022-10-11   90.06790
2022-10-04   90.06580
2022-09-27   90.06370