W32/Bublik.CHRL!tr
Analysis
W32/Bublik.CHRL!tr is a generic detection for a type of trojan that drops other malware onto the compromised computer. Since this is a generic detection, files that are detected as W32/Bublik.CHRL!tr may have varying behavior.
Below are examples of some of these behaviors:
- Upon execution, it drops the following files:
  - %Temp%\[RandomFilename_0].exe, e.g., %Temp%\cenc.exe: This file is detected as W32/Bublik.CHRL!tr.
  - %Temp%\[RandomFoldername]\[RandomFilename_1].exe, e.g., %Temp%\yjyxer\ywgu.exe: This file is detected as W32/Zbot.AAU!tr.
  - %System%\drivers\[RandomFilename_2].sys, e.g., %System%\drivers\70df040fcb3fc461.sys: This file is detected as W32/Necurs.IY!tr.rkit.
- The following registry modifications are applied:
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[RandomFilename_2]
  - HKEY_CURRENT_USER\Identities\{CLSID}
    - Identity Ordinal = 00000001
  - HKEY_CURRENT_USER\Software\Microsoft\[RandomRegistryName]
    - [RandomRegistryField] = [EncryptedRegistryValue]. This registry data is usually encrypted with the RC4 algorithm and appears as random-looking strings. It may contain information about the bot such as its command-and-control (C&C) server links, its own version number, and local configuration details.
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    - [RandomFilename_1] = "%Temp%\[RandomFoldername]\[RandomFilename_1].exe". This automatically executes the dropped file every time the infected user logs on.
  - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
    - DisableNotifications = 00000001. This registry entry disables firewall notifications.
- This malware disguises itself by using an Adobe PDF icon.
- The malware injects code into explorer.exe.
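The registry indicators listed above (an autorun entry pointing into %Temp%, firewall notifications disabled, and a randomly named driver service) can be checked offline against a registry export. The following is an added example, not part of the original write-up: it parses a constructed .reg fragment and reports which of those indicators are present. The sample paths, the "victim" user name, and the hypothetical indicator labels are assumptions.

```python
import re

# Constructed .reg export fragment (not from the original page) modelling the
# behaviours in the write-up; the OneDrive and EnableFirewall lines are benign.
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ywgu"="\"C:\\Users\\victim\\AppData\\Local\\Temp\\yjyxer\\ywgu.exe\""
"OneDrive"="\"C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications"=dword:00000001
"EnableFirewall"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\70df040fcb3fc461]
"ImagePath"="\\??\\C:\\Windows\\system32\\drivers\\70df040fcb3fc461.sys"
"Type"=dword:00000001
"""

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
FW_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
          r"\Parameters\FirewallPolicy\StandardProfile")
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\"
RANDOM_NAME = re.compile(r"^[0-9a-f]{16}$", re.I)  # e.g. 70df040fcb3fc461

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: raw_value_text}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = raw
    return keys

def find_indicators(text):
    """Return (indicator, detail) pairs for the registry changes the write-up lists."""
    findings, reg = [], parse_reg(text)
    for name, raw in reg.get(RUN_KEY, {}).items():
        if re.search(r"\\temp\\", raw, re.I):  # autorun launching an exe from %Temp%
            findings.append(("run_key_temp_exe", name))
    if reg.get(FW_KEY, {}).get("DisableNotifications") == "dword:00000001":
        findings.append(("firewall_notifications_disabled", FW_KEY))
    for key, values in reg.items():
        svc = key[len(SERVICES):] if key.startswith(SERVICES) else ""
        image = values.get("ImagePath", "").strip('"').lower()
        if RANDOM_NAME.match(svc) and image.endswith(".sys") and "\\drivers\\" in image:
            findings.append(("random_driver_service", svc))
    return findings
```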
Recommended Action
- FortiGate Systems
  - Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
- FortiClient Systems
  - Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability

Product | Database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |