{"id":22559,"date":"2024-06-05T14:52:17","date_gmt":"2024-06-05T14:52:17","guid":{"rendered":"https:\/\/gridinsoft.com\/blogs\/?p=22559"},"modified":"2024-06-05T21:14:21","modified_gmt":"2024-06-05T21:14:21","slug":"behavior-win32-fynloski-gen-a","status":"publish","type":"post","link":"https:\/\/gridinsoft.com\/blogs\/behavior-win32-fynloski-gen-a\/","title":{"rendered":"Behavior:Win32\/Fynloski.gen!A"},"content":{"rendered":"<p><strong>Behavior:Win32\/Fynloski.gen!A is a heuristic detection of Microsoft Defender<\/strong> that flags activities of Fynloski malware. This malicious program allows attackers to control the infected system and install other malware remotely. Such malware usually spreads through email attachments and software from low-trust sources.<\/p>\n<h2>Behavior:Win32\/Fynloski.gen!A Overview<\/h2>\n<p>Behavior:Win32\/Fynloski.gen!A is a detection name used by Microsoft Defender to identify a specific type of malicious behavior associated with the Fynloski malware family. This malware group is not a stand-alone family, but rather a group of malicious programs that share code similarities. 
It&#8217;s <a href=\"https:\/\/gridinsoft.com\/blogs\/heuristic-virus\/\">a heuristic detection<\/a>, meaning it detects Fynloski-like malware based on its actions rather than a specific signature.<\/p>\n<figure id=\"attachment_22564\" aria-describedby=\"caption-attachment-22564\" style=\"width: 576px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" src=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/Behavior-Win32Fynloski.genA_.webp\" alt=\"Behavior:Win32\/Fynloski.gen!A Detection\" width=\"576\" height=\"445\" class=\"size-full wp-image-22564\" title=\"\" srcset=\"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/Behavior-Win32Fynloski.genA_.webp 576w, https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/Behavior-Win32Fynloski.genA_-300x232.webp 300w\" sizes=\"auto, (max-width: 576px) 100vw, 576px\" \/><figcaption id=\"caption-attachment-22564\" class=\"wp-caption-text\">Behavior:Win32\/Fynloski.gen!A Detection<\/figcaption><\/figure>\n<p>Fynloski malware typically allows attackers to control the infected system remotely, a normal function <a href=\"https:\/\/gridinsoft.com\/backdoor\">for a backdoor<\/a>. It can steal sensitive information such as passwords, personal data, and banking details, capture screenshots, record keystrokes, monitor user activities &#8211; overall, <a href=\"https:\/\/gridinsoft.com\/spyware\">act as spyware<\/a>. It can also download and install other malicious software onto the infected system. Win32\/Fynloski spreads through email attachments, downloads from compromised websites, and software from untrusted sources.<\/p>\n<h2>Technical Analysis<\/h2>\n<p>Let&#8217;s look at how this works using <a href=\"https:\/\/www.virustotal.com\/gui\/file\/b6e90ac42a418459d1038b167a1c15c866ca4a4eb47a4ed694734e12e43ff160\/\" rel=\"noopener nofollow\" target=\"_blank\">a specific example<\/a>. 
After infiltrating the system, it performs checks typical of most malware to detect the presence of <strong>a virtual environment or debugger<\/strong>. The malware checks the following locations:<\/p>\n<p><code style=\"font-size: 14px\">HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Session Manager\\SafeProcessSearchMode<br \/>\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\GRE_Initialize<br \/>\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\PolicyManager\\default\\System\\ConfigureTelemetryOptInSettingsUx<\/code><\/p>\n<p>These registry keys can contain information about configurations used for security and telemetry collection in virtual environments. The malware stops executing if it finds any traces of virtualization here.<\/p>\n<p>After finishing the initial checks, Fynloski collects system information. This information does not include confidential data; its purpose is to create <strong>a digital fingerprint of the system<\/strong> for future identification. The malware collects information from the following locations:<\/p>\n<p><code style=\"font-size: 14px\">C:\\Windows\\AppCompat\\Programs\\Amcache.hve<br \/>\nC:\\Windows\\System32\\drivers<br \/>\nHKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion<br \/>\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion<br \/>\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\DataCollection<br \/>\nHKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\Windows Error Reporting<br \/>\nHKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Control\\Lsa\\FipsAlgorithmPolicy<\/code><\/p>\n<p>The first file contains information about recently launched programs and installed software, which can provide insight into the system configuration and installed applications. The subsequent registry keys contain information about the user and OS settings.<\/p>\n<p>To avoid detection, the reviewed sample uses standard encoding algorithms. 
This, however, differs from one sample to another: some of the more sophisticated samples may use <strong>deep sample encryption<\/strong> that is lifted only at runtime. Also, considering that the original detection comes from the heuristic engine, there is a high chance that the samples use unique packing or rebuilding, which further enhances detection evasion.<\/p>\n<h3>Execution<\/h3>\n<p>After performing all checks and gathering the necessary information, the malware establishes persistence in the system. It executes the following shell command:<\/p>\n<p><code style=\"font-size: 14px\">REG ADD \"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\" \/v \"Support GFX\" \/t REG_SZ \/d \"%APPDATA%\\Xpers\\Gpers.exe\" \/f<\/code><\/p>\n<p>This command adds an entry to the current user&#8217;s Run key so that the specified program starts each time the user logs in.<\/p>\n<p>Next, Fynloski connects to <a href=\"https:\/\/gridinsoft.com\/command-and-control\">its Command and Control<\/a> (C2) server to transmit information to the attackers and receive further commands. The following addresses are used for this purpose:<\/p>\n<p><code style=\"font-size: 14px\">tcp:\/\/betclock.zapto.org:35000<br \/>\nUDP a83f:8110:0:0:4b8e:21:0:0:53<br \/>\nTCP 23.216.147.64:443<br \/>\nTCP 192.229.211.108:80<br \/>\nTCP 20.99.185.48:443<\/code><\/p>\n<h2>How To Remove Behavior:Win32\/Fynloski.gen!A<\/h2>\n<p>To remove Behavior:Win32\/Fynloski.gen!A, I recommend using advanced anti-malware software. GridinSoft Anti-Malware is an excellent option as it can neutralize the threat even during the early attack stages. 
Download it, run a Full scan and remove all the threats that it has detected.<\/p>\n<p style=\"padding-top:15px;padding-bottom:15px;\"><a href=\"\/download\/antimalware\" rel=\"nofollow\"><img loading=\"lazy\" loading=\"lazy\" decoding=\"async\" src=\"\/blogs\/wp-content\/uploads\/2022\/07\/env01.webp\" alt=\"Behavior:Win32\/Fynloski.gen!A\" width=\"798\" height=\"336\" class=\"aligncenter size-full\" title=\"\"><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Behavior:Win32\/Fynloski.gen!A is a heuristic detection of Microsoft Defender that flags activities of Fynloski malware. This malicious program allows attackers to control the infected system and install other malware remotely. Such malware usually spreads through email attachments and software from low-trust sources. Behavior:Win32\/Fynloski.gen!A Overview Behavior:Win32\/Fynloski.gen!A is a detection name used by Microsoft Defender to identify a [&hellip;]<\/p>\n","protected":false},"author":7,"featured_media":22568,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","_sitemap_exclude":false,"_sitemap_priority":"","_sitemap_frequency":"","footnotes":""},"categories":[17,4],"tags":[625,223],"class_list":{"0":"post-22559","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-labs","8":"category-tips-tricks","9":"tag-backdoor","10":"tag-windows-defender"},"featured_image_src":"https:\/\/gridinsoft.com\/blogs\/wp-content\/uploads\/2024\/06\/GS_Blog_banner_Behavior_Win32_Fynloski.genA_1280x674.webp","author_info":{"display_name":"Stephanie 
Adlam","author_link":"https:\/\/gridinsoft.com\/blogs\/author\/adlam\/"},"_links":{"self":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/22559","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/comments?post=22559"}],"version-history":[{"count":11,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/22559\/revisions"}],"predecessor-version":[{"id":22572,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/posts\/22559\/revisions\/22572"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media\/22568"}],"wp:attachment":[{"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/media?parent=22559"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/categories?post=22559"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gridinsoft.com\/blogs\/wp-json\/wp\/v2\/tags?post=22559"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}