W32/VBObfus.N!tr
Analysis
- c:\%UserProfile%\baxer.com with approximate filesize of 25KB
- c:\%UserProfile%\jeuuf.exe with approximate filesize of 160KB
- c:\%UserProfile%\start1.exe with approximate filesize of 160KB
- c:\%UserProfile%\eelo.com with approximate filesize of 25KB
- c:\%UserProfile%\foayoh.com with approximate filesize of 25KB
- c:\%UserProfile%\toehey.exe with approximate filesize of 82KB
- c:\%UserProfile%\vioziez.exe with approximate filesize of 160KB
- C:\Documents and Settings\All Users\Application Data\{16_char_filename}\{16_char_filename}.exe with approximate filesize of 345KB
- c:\%UserProfile%\Local Settings\Application Data\{d24e742d-a118-22f1-c785-3d16a7242be0}\@ with approximate filesize of 3KB
- c:\%UserProfile%\Local Settings\Application Data\{d24e742d-a118-22f1-c785-3d16a7242be0}\L with approximate filesize of 1KB
- c:\%UserProfile%\Local Settings\Application Data\{d24e742d-a118-22f1-c785-3d16a7242be0}\n with approximate filesize of 58KB
- c:\%UserProfile%\Local Settings\Application Data\{d24e742d-a118-22f1-c785-3d16a7242be0}\U with approximate filesize of 1KB
- \545a6e160b1b6aa5e3f51eae8e7c321 : original malware file.
- HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32 @ = "\\.\globalroot\systemroot\Installer\{d24e742d-a118-22f1-c785-3d16a7242be0}\n."
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced ShowSuperHidden = 00000000
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run jeuuf = "c:\%UserProfile%\jeuuf.exe \u"
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU NoAutoUpdate = 00000001
This registry entry is a Windows autostart location: the program it points to is launched at every logon of the current user.
- 111.74.{Removed}.147:27000
- 116.255.{Removed}.9:80
Recommended Action
FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability

Product | Detection Availability
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR | 