W32/Socks4!tr
Analysis
- Trojan is 32-bit with a compressed file size of 4,128 bytes
- Trojan may have been introduced to the infected system via a web page or an HTML format email message
- In one case, the Trojan is installed by viewing a web page which contains ActiveX code and an object tag:
  <object data=(infectious web page)>
- When the infectious web page is loaded, it extracts code into an executable file named "llass.exe" on the desktop and runs that file (the Trojan)
- When the Trojan is run, it may launch Internet Explorer in a hidden window and connect the infected machine to the preconfigured IP address 66.139.77.145; the communication is made through TCP port 80
- The Trojan then opens a random port number and awaits instructions from a hacker or group of hackers
- In order for the hacker(s) to know what port the Trojan is listening on, the Trojan connects to the IP 66.139.77.145 and sends a request for a page, passing the port number as a variable, as in the following example:
  /##.php?s=1239
  where "##" refers to the actual name used and "s=1239" refers to the Trojan using port 1239
- The Trojan will modify the registry to load at Windows startup:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "lar"=(path of Desktop)\llass.exe
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  "lar"=(path of Desktop)\llass.exe
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
  "SLP" = D7, 04, 00, 00, 00, 00, 00, 00
  HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\
  "SLP" = D7, 04, 00, 00, 00, 00, 00, 00
Recommended Action
- Block outbound (INT -> EXT) access to the IP address 66.139.77.145
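As an added defender-side example (not code from the original page), the following Python sweeps constructed proxy log lines for any contact with the preconfigured address 66.139.77.145 and, where the request path has the "/<name>.php?s=<port>" beacon shape, extracts the listening port the Trojan is advertising. It also decodes the "SLP" binary value as a little-endian integer; D7 04 00 00 00 00 00 00 decodes to 0x04D7 = 1239, the same port as the page's example, which suggests (an inference, not stated on the page) that SLP stores the chosen listening port. The log line format is a hypothetical one: time, source, destination:port, method, path.

```python
import re
from typing import List, Optional, Tuple

# Preconfigured address and beacon shape taken from the advisory above.
C2_IP = "66.139.77.145"
# "/<name>.php?s=<port>" -- the page shows "##" for the name, so match any single segment.
BEACON_RE = re.compile(r"^/[^/?]+\.php\?s=(\d{1,5})$")

# Constructed sample proxy log lines (hypothetical format: time src dst:port method path).
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 10.0.0.5 66.139.77.145:80 GET /xy.php?s=1239
2024-01-01T10:00:01Z 10.0.0.5 93.184.216.34:80 GET /index.html
2024-01-01T10:00:02Z 10.0.0.7 66.139.77.145:80 GET /abc.php?s=51234
2024-01-01T10:00:03Z 10.0.0.9 66.139.77.145:80 GET /static/logo.png
2024-01-01T10:00:04Z 10.0.0.9 66.139.77.145:80 GET /bad.php?s=70000
"""


def beacon_port(path: str) -> Optional[int]:
    """Return the advertised listening port if `path` has the beacon shape, else None."""
    m = BEACON_RE.match(path)
    if not m:
        return None
    port = int(m.group(1))
    return port if 0 < port < 65536 else None  # out-of-range value is not a valid beacon


def find_c2_contacts(log_text: str) -> List[Tuple[str, str, Optional[int]]]:
    """Every request to the C2 address as (source host, path, advertised port or None).

    A None port still matters: the recommended action is to block all traffic to
    this address, so any contact is worth an alert; a port means a beacon was seen.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # malformed line; skip rather than abort the sweep
        _ts, src, dst, _method, path = parts
        if dst.rsplit(":", 1)[0] != C2_IP:
            continue
        hits.append((src, path, beacon_port(path)))
    return hits


def slp_to_port(raw: bytes) -> int:
    """Decode the 8-byte 'SLP' REG_BINARY value as a little-endian integer."""
    return int.from_bytes(raw, "little")
```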
Detection Availability
Product | Availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |