ID	10043970
Released	Jul 14, 2022
Description Updated	Jul 22, 2021

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Threat Profile

Aliases:

NDSW
JS/Agent.PIV trojan

Platform: JS

Java Script

Update History

Date	Version	Detail
2023-03-13	91.01392
2023-03-12	91.01371
2023-03-06	91.01184
2023-02-21	91.00794
2023-02-16	91.00640
2023-02-14	91.00573
2023-01-10	90.09530
2023-01-09	90.09482
2022-11-15	90.07857
2022-10-18	90.07000

Refine Search

Threat Encyclopedia

JS/Agent.NDSW!tr

Analysis

JS/Agent.NDSW!tr is a generic detection for a trojan.
Since this is a generic detection, malware that are detected as JS/Agent.NDSW!tr may have varying behaviour.
Below are some of its observed characteristics/behaviours:

This malware is an obfuscated/injected JS file that uses an observed common variable name found amongst all its variants set initially to "undefined".

Below are some of the sites to which some of the samples observed tried to connect to:
- fshmakin[removed].com/fshmaki[removed].php
- bukuip[removed].co.id/wp-admin/css/colors/blue/blue.php
- miskininka[removed].eu/wp-admin/css/colors/blue/blue.php
- cepekrandegi[removed]admin/css/colors/blue/blue.php
- edulearntechnol[removed]om/acc/admin/classes/local/settings/settings.php

Following are some of the exact file hashes associated with this detection:
- Md5:0038536E7A2C7E0A33ECCE977E146594
  Sha256:5fa4bd2ab99c74c3db9cc3e6c200f0572e868a8d10f795cee459a3a794e8f1fd
- Md5:73438BFD4E605C1DD50D3B73FE9E60B0
  Sha256:46ca86c9234b1b7d252f2a5b3a9a5d6f42d566d6f7abb64939ba87bd4d3d68c6
- Md5:D60D52BC2D30D503996FB850FA82AB64
  Sha256:4c4ff3158764f80de0fdaf8d484f7f35d551f500e021519c7c6e8c0b027e0051

Recommended Action

Make sure that your FortiGate/FortiClient system is using the latest AV database.
Quarantine/delete files that are detected and replace infected files with clean backup copies.

Network

Files and Endpoint

Application