W32/Systrim.A

description-logoAnalysis

  • Trojan is 32 bit with a size of 36,864 bytes
  • When Trojan is executed, it runs memory resident and creates a Mutex called “systrimit”
  • Trojan may then copy itself to the Windows\System32 folder as “Systrimit.exe” and modify the registry to run at Windows startup –
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\ CurrentVersion\Run\
    systrimit = C:\Windows\System32\Systrimit.exe
  • The purpose of the Trojan is to gather TCP network information and save it into a log file, possibly in the root of the C drive as “logfile.txt”

Telemetry logoTelemetry

Detection Availability

FortiGate
Extreme
FortiClient
Extended
FortiMail
Extended
FortiSandbox
Extended
FortiWeb
Extended
Web Application Firewall
Extended
FortiIsolator
Extended
FortiDeceptor
Extended
FortiEDR