W32/Kryptik.AX!tr
Analysis
- This malware arrives as an email attachment and has a PDF file icon.
- Once executed, it attempts to connect to the following sites:
- http://big{Removed}lc.com:81/ponyb/gate.php
- http://3ec{Removed}y.com:8080/ponyb/gate.php
- http://24.coas{Removed}e.com/ponyb/gate.php
- It also attempts to download files from the following URLs:
- http://00002fl.rco{Removed}t.com/ziM4.exe
- http://dtwa{Removed}s.com/HSj.exe
- http://208.{Removed}.5/h1bXVj.exe
- http://pani{Removed}s.com/zuxG8.exe
- http://www.hyp{Removed}c.de/VE9N79S.exe
- The malware creates a subfolder using a randomized name under the user's profile folder. The downloaded file is saved in this newly created folder using a randomized name. As of this writing, the file that was downloaded can be detected as W32/Kryptik.6F77!tr.
- It adds the following registry entry to automatically execute the downloaded file every time the infected user logs on:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- [Random Class ID] = "%UserProfile%\[RandomFolderName]\[RandomName].exe"
- It also adds the following registry entry:
- HKEY_CURRENT_USER\Software\WinRAR
- HWID = [Random Hexadecimal Bytes]
- The malware performs a dictionary attack on several known FTP clients, file managers, mail clients, and browsers in an attempt to access possibly confidential information.
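An added example, not part of this writeup: a small Python checker that parses `reg query /s`-style output and flags the two registry artifacts described above, a class-ID-named Run value launching an .exe from a randomly named folder directly under the user profile, and an HWID value under HKCU\Software\WinRAR. The sample registry text, paths and value names are constructed for illustration.

```python
import re
from typing import Iterator, List, Tuple

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WINRAR_KEY = r"HKEY_CURRENT_USER\Software\WinRAR"
# Value name shaped like a class ID, e.g. {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}.
CLSID_NAME = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.I)
# An .exe in a folder directly under the user's profile, as the writeup describes.
PROFILE_EXE = re.compile(
    r'^"?(?:%UserProfile%|[A-Za-z]:\\Users\\[^\\]+)\\[^\\]+\\[^\\]+\.exe"?$', re.I)

# Constructed sample in `reg query /s` output format; paths and values are made up.
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe
    {3F2A9C1E-7B44-4D2A-9E11-5C0D1A2B3C4D}    REG_SZ    C:\Users\alice\Kq7xz\wfopq.exe

HKEY_CURRENT_USER\Software\WinRAR
    HWID    REG_BINARY    7F3A19C2B4D0E6F1
"""

def parse_reg_query(text: str) -> Iterator[Tuple[str, str, str, str]]:
    """Yield (key, value_name, type, data) from `reg query /s`-style text."""
    key = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():          # unindented line = a key path
            key = line.strip()
            continue
        # value lines are "<name>  <type>  <data>" separated by runs of spaces/tabs
        parts = re.split(r"\s{2,}|\t+", line.strip(), maxsplit=2)
        if key and len(parts) == 3:
            yield key, parts[0], parts[1], parts[2]

def find_indicators(text: str) -> List[str]:
    """Return human-readable findings for the persistence and HWID artifacts."""
    findings = []
    for key, name, vtype, data in parse_reg_query(text):
        if key.lower() == RUN_KEY.lower():
            # Class-ID-named Run value launching an .exe from a profile subfolder
            if CLSID_NAME.match(name) and PROFILE_EXE.match(data):
                findings.append(f"Run value {name} launches {data} from a profile subfolder")
        elif key.lower() == WINRAR_KEY.lower() and name.upper() == "HWID":
            findings.append(f"HWID value under {key} ({vtype} {data})")
    return findings

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE_REG_OUTPUT):
        print(finding)
```

On a live host the same functions can be fed the output of `reg query HKCU\Software /s`; the legitimate OneDrive-style entry in the sample is deliberately left unflagged.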
Recommended Action
- FortiGate Systems
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
- FortiClient Systems
- Quarantine/delete files that are detected and replace infected files with clean backup copies.