Virus

W32/Agent.AJFK!tr

Analysis



W32/Agent.AJFK!tr is a generic detection for a Key-logger/Botnet/Downloader trojan. Since this is a generic detection, malware that is detected as W32/Agent.AJFK!tr may have varying behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware may drop any of the following file(s):
    • %systemroot%\system\cmsys.cmn : This file is non-malicious.
    • %systemroot%\system\spoolsv.exe: This file is detected as W32/Agent.AJFK!tr.
    • %systemroot%\system\explorer.exe: This file is detected as W32/Agent.AJFK!tr.
    • %systemroot%\system\svchost.exe: This file is detected as W32/Agent.AJFK!tr.
    • %appdata%\mrsys.exe: This file is detected as W32/Agent.AJFK!tr.
    • %Appdata%\[Random1]\[Random2].lck: This file is non-malicious.
    • %Appdata%\[Random1]\[Random2].exe: This file is detected as W32/Agent.AJFK!tr.
    • %temp%\[Random].tmp: This file is non-malicious.
    • %Appdata%\svchost.exe: This file is the copy of the original malware itself.
    • %startup%\wordpad.exe: This file is the copy of the original malware itself.
    • %Appdata%\dwm.exe: This file is the copy of the original malware itself.

  • This malware may connect to any of the following remote site(s):
    • naval.duckdn{Removed}.org
    • quantumeqyp{Removed}.com
    • lopxin{Removed}.bid
    • 23ac{Removed}.site
    • hxxp://cm-g{Removed}.com /new/five/five/fre.php
    • hxxp://23ac{Removed}.site/fox/plugins/keylogger.p
    • hxxp://23ac{Removed}.site/fox/plugins/ftp.p

  • This malware may apply any of the following registry modification(s):
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\RunOnce
      • Explorer = %systemroot%\explorer.exe RO
      This automatically executes the dropped file every time a new user logs in.

    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\RunOnce
      • Svchost = %systemroot%\svchost.exe RO
      This automatically executes the dropped file every time a new user logs in.

    • HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\Currentversion\Winlogon
      • Shell = %systemroot%\explorer.exe, c:\windows\system\explorer.exe
      This automatically executes the dropped file every time the user logs in.

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
      • ShowSuperHidden = 0
      This registry entry hides super-hidden (protected operating system) files when set to 0 (false).

  • Some instances of this malware have been observed to download and run information-stealing trojans that are capable of stealing credentials from browsers, FTP clients, and email clients, as well as stealing bitcoin wallets and attempting keylogging/screenshots.
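
As an added example that is not part of this analysis: a Python triage check that flags the three persistence patterns listed above (a second executable appended to the Winlogon Shell value, a core Windows binary name launched from a Run/RunOnce value, and ShowSuperHidden set to 0) in registry values handed over as (key, name, data) tuples. The input format, the sample values and the benign Run entry are constructed assumptions, not data from the page.

```python
import re

# Core Windows binaries that the dropped files impersonate (names from the analysis above).
# The genuine copies are started by the OS itself, never from a Run/RunOnce value, and the
# real explorer.exe is the only thing that belongs in the Winlogon Shell value.
CORE_BINARIES = {"explorer.exe", "svchost.exe", "spoolsv.exe", "dwm.exe", "wordpad.exe"}

def normalize(path):
    """Lower-case, expand %systemroot%, strip quotes and trailing arguments (e.g. ' RO')."""
    p = path.strip().strip('"').lower().replace("%systemroot%", r"c:\windows")
    return re.sub(r"(\.exe)\b.*$", r"\1", p)

def check_registry(values):
    """values: iterable of (key, value_name, data). Returns (key, value_name, reason) findings."""
    findings = []
    for key, name, data in values:
        k, n, d = key.lower().replace(" ", ""), name.lower(), str(data)
        if k.endswith(r"\winlogon") and n == "shell":
            # The legitimate Shell value is just 'explorer.exe'; anything appended is a second process.
            extra = [e for e in map(normalize, d.split(","))
                     if e not in ("explorer.exe", r"c:\windows\explorer.exe")]
            if extra:
                findings.append((key, name, "extra shell executable: " + ", ".join(extra)))
        elif k.endswith((r"\run", r"\runonce")):
            if normalize(d).rpartition("\\")[2] in CORE_BINARIES:
                findings.append((key, name, "core binary name launched from Run key: " + d))
        elif k.endswith(r"\explorer\advanced") and n == "showsuperhidden" and d == "0":
            findings.append((key, name, "ShowSuperHidden=0 hides protected operating system files"))
    return findings

# Constructed sample values mirroring the artifacts listed above, plus one benign Run entry.
SAMPLE_REGISTRY = [
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce", "Svchost",
     r"%systemroot%\svchost.exe RO"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell",
     r"%systemroot%\explorer.exe, c:\windows\system\explorer.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "ShowSuperHidden", 0),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run", "ExampleUpdater",
     r"C:\Program Files\Example\updater.exe /background"),
]

if __name__ == "__main__":
    for finding in check_registry(SAMPLE_REGISTRY):
        print(finding)
```

The same function can be fed the output of a hive parser or a host-based registry dump; the benign updater entry shows that ordinary Run values produce no finding.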



Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.