JS/Agent.NDSW!tr
Analysis
JS/Agent.NDSW!tr is a generic detection for a trojan.
Since this is a generic detection, malware detected as JS/Agent.NDSW!tr may vary in behaviour.
Below are some of its observed characteristics/behaviours:
- This malware is an obfuscated/injected JS file. All observed variants share a common variable name that is initially set to "undefined".
- Below are some of the sites to which some of the observed samples tried to connect:
- fshmakin[removed].com/fshmaki[removed].php
- bukuip[removed].co.id/wp-admin/css/colors/blue/blue.php
- miskininka[removed].eu/wp-admin/css/colors/blue/blue.php
- cepekrandegi[removed]admin/css/colors/blue/blue.php
- edulearntechnol[removed]om/acc/admin/classes/local/settings/settings.php
- Following are some of the exact file hashes associated with this detection:
- Md5: 0038536E7A2C7E0A33ECCE977E146594
  Sha256: 5fa4bd2ab99c74c3db9cc3e6c200f0572e868a8d10f795cee459a3a794e8f1fd
- Md5: 73438BFD4E605C1DD50D3B73FE9E60B0
  Sha256: 46ca86c9234b1b7d252f2a5b3a9a5d6f42d566d6f7abb64939ba87bd4d3d68c6
- Md5: D60D52BC2D30D503996FB850FA82AB64
  Sha256: 4c4ff3158764f80de0fdaf8d484f7f35d551f500e021519c7c6e8c0b027e0051
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Detection Availability
Product | Detection Availability
---|---
FortiGate |
FortiClient |
FortiAPS |
FortiAPU |
FortiMail |
FortiSandbox |
FortiWeb |
Web Application Firewall |
FortiIsolator |
FortiDeceptor |
FortiEDR |