JS/Agent.NDSW!tr

Analysis

JS/Agent.NDSW!tr is a generic detection for a trojan.
Because this is a generic detection, malware detected as JS/Agent.NDSW!tr may vary in behaviour.
Below are some of its observed characteristics/behaviours:

  • This malware is an obfuscated/injected JS file. All of its observed variants share a common variable name that is initially set to "undefined".

  • Below are some of the sites that observed samples tried to connect to:
    • fshmakin[removed].com/fshmaki[removed].php
    • bukuip[removed].co.id/wp-admin/css/colors/blue/blue.php
    • miskininka[removed].eu/wp-admin/css/colors/blue/blue.php
    • cepekrandegi[removed]admin/css/colors/blue/blue.php
    • edulearntechnol[removed]om/acc/admin/classes/local/settings/settings.php

  • Following are some of the exact file hashes associated with this detection:

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2024-10-07 92.07863
2024-10-04 92.07793
2024-09-09 92.07185
2024-09-05 92.07091
2024-08-28 92.06901
2024-08-27 92.06875
2024-08-26 92.06851
2024-08-05 92.06348
2024-08-02 92.06278
2024-07-24 92.06060