W32/Waski.A!tr
Analysis
- Upon execution it drops the following files in the Temporary folder:
- budha.exe
- vres.exe
- It may download an executable file, then save it with a randomized file name to a newly created folder, also with a randomized name. At the time of this writing, the downloaded file can also be detected as W32/Waski.A!tr.
- Another downloaded file may exist in the following folder:
- %UserProfile%\Local Settings\Temporary Internet Files\Content.IE5\360[1].exe
- The following registry modifications are applied:
- HKEY_CURRENT_USER\Software\Microsoft\[RandomRegistryName]
This registry entry contains encrypted data, such as "SIeOiEUL9PURFbh7Ljadcpo2CiU65gR0O9A=".
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
[RandomFileName] = "%AppData%\[RandomFolderName]\[RandomFileName].exe"
This registry entry causes the downloaded file to be executed automatically every time the infected user logs on.
- This malware has been observed to connect to remote sites with the following details:
- 173.25{Removed}30:443
- 216.17{Removed}13:443
- www.unme{Removed}st.com:https
- 205.25{Removed}75:http
- host3554{Removed}ed.com:https
- vpsn{Removed}me.com:https
- 5.10{Removed}03:https
- This malware injects itself into the Windows Explorer process.
- It disguises itself by using the Adobe PDF icon.
- The original malware sample is deleted after execution.
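The persistence and dropped-file indicators listed above can be turned into a small host-triage check. The following is an added example (not Fortinet's code and not part of the original entry): it parses constructed `reg query` output for the HKCU Run key and a constructed list of file paths, flags Run values whose command launches an `.exe` from a single folder directly under %AppData% (the shape of the random-named persistence entry above), and flags the dropped file names budha.exe, vres.exe and 360[1].exe in their expected folders. Accepting the expanded `...\AppData\Roaming\...` path as well as the literal `%AppData%` form is an assumption of this example, not something the analysis states; all sample names and paths are constructed.

```python
import re
from typing import Dict, List, Tuple

# Persistence key named in the analysis.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"

# Waski's Run value launches <random>.exe from one random folder directly under
# %AppData%. Folder and file names are random, so the shape is matched, not
# the name. The expanded ...\AppData\Roaming form is an assumption of this
# example (the analysis only shows the %AppData% form).
APPDATA_RUN_RE = re.compile(
    r"^(?:%AppData%|[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming)"
    r"\\[^\\]+\\[^\\]+\.exe$",
    re.IGNORECASE,
)

# Dropped file names from the analysis: two in %Temp%, one under Content.IE5.
TEMP_DROPS = {"budha.exe", "vres.exe"}
TIF_DROP = "360[1].exe"

# One `reg query` value line: name, REG_* type and data, separated by runs of spaces.
REG_LINE_RE = re.compile(r"^\s+(.+?)\s{2,}(REG_[A-Z_]+)\s{2,}(.*)$")


def parse_reg_query(output: str) -> List[Tuple[str, str, str, str]]:
    """Parse `reg query <key>` output into (key, value_name, type, data) tuples."""
    rows = []
    key = None
    for line in output.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():        # unindented line = key path
            key = line.strip()
            continue
        m = REG_LINE_RE.match(line)
        if m and key:
            rows.append((key, m.group(1), m.group(2), m.group(3).strip()))
    return rows


def command_executable(data: str) -> str:
    """Return the executable path from a Run value's command line (quoted or bare)."""
    cmd = data.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_appdata_run_value(data: str) -> bool:
    """True when a Run value launches an .exe with the %AppData%\\<dir>\\<file>.exe shape."""
    return bool(APPDATA_RUN_RE.match(command_executable(data)))


def suspicious_run_values(output: str) -> List[str]:
    """Names of HKCU Run values whose command matches the persistence shape above."""
    return [
        name
        for key, name, _type, data in parse_reg_query(output)
        if key.lower() == RUN_KEY.lower() and is_appdata_run_value(data)
    ]


def is_dropped_file(path: str) -> bool:
    """True for the dropped-file names and locations listed in the analysis."""
    lower = path.lower()
    name = lower.rsplit("\\", 1)[-1]
    if name in TEMP_DROPS:
        return "\\temp\\" in lower
    return name == TIF_DROP.lower() and "\\content.ie5\\" in lower


def triage(reg_output: str, file_paths: List[str]) -> Dict[str, List[str]]:
    """Combine both checks into one report."""
    return {
        "run_values": suspicious_run_values(reg_output),
        "dropped_files": [p for p in file_paths if is_dropped_file(p)],
    }


# Constructed sample data (not from a real infection), in the output shape of
# `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    qzkdw    REG_EXPAND_SZ    "%AppData%\hxlpq\qzkdw.exe"
    Updater    REG_SZ    C:\Program Files\Vendor\updater.exe
"""

SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Local\Temp\budha.exe",
    r"C:\Users\alice\AppData\Local\Temp\vres.exe",
    r"C:\Users\alice\AppData\Local\Temp\report.pdf",
    r"C:\Documents and Settings\alice\Local Settings\Temporary Internet Files\Content.IE5\360[1].exe",
]

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_REG, SAMPLE_PATHS).items():
        for hit in hits:
            print(f"{kind}: {hit}")
```

The Run-value shape check is a triage hint rather than a verdict: legitimate per-user applications also start an `.exe` from a single folder under %AppData%, so a hit should be corroborated with the other behaviours listed in the analysis (budha.exe or vres.exe in the Temporary folder, an executable carrying the Adobe PDF icon, injection into the Windows Explorer process) before the host is treated as infected.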
Recommended Action
- FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
- FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.