W32/Kryptik.AX!tr

Analysis


  • This malware arrives as an email attachment and has a PDF file icon.

  • Once executed, it attempts to connect to the following sites:
    • http://big{Removed}lc.com:81/ponyb/gate.php
    • http://3ec{Removed}y.com:8080/ponyb/gate.php
    • http://24.coas{Removed}e.com/ponyb/gate.php

  • It also attempts to download files from the following URLs:
    • http://00002fl.rco{Removed}t.com/ziM4.exe
    • http://dtwa{Removed}s.com/HSj.exe
    • http://208.{Removed}.5/h1bXVj.exe
    • http://pani{Removed}s.com/zuxG8.exe
    • http://www.hyp{Removed}c.de/VE9N79S.exe

  • The malware creates a subfolder using a randomized name under the user's profile folder. The downloaded file is saved in this newly created folder using a randomized name. As of this writing, the file that was downloaded can be detected as W32/Kryptik.6F77!tr.

  • It adds the following registry entry to automatically execute the downloaded file every time the infected user logs on:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      • [Random Class ID] = "%UserProfile%\[RandomFolderName]\[RandomName].exe"

  • It also adds the following registry entry:
    • HKEY_CURRENT_USER\Software\WinRAR
      • HWID = [Random Hexadecimal Bytes]

  • The malware performs a dictionary attack against the stored credentials of several known FTP clients, file managers, mail clients, and browsers in an attempt to access possibly confidential information.
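As an added, defender-side example that is not part of the Fortinet entry, the script below turns the host and network indicators listed above into two simple checks: an autorun entry whose value name is a class ID and whose path is an executable in a single folder directly under the user profile (the pattern described for the Run key), and a proxy log line whose request path ends in /ponyb/gate.php. The sample Run values, the proxy log lines and the regular-expression heuristics are constructed assumptions for illustration; the placeholder hosts are not the ones from the analysis.

```python
import re

# Constructed sample of exported HKCU\...\CurrentVersion\Run values (not from a real host).
SAMPLE_RUN_VALUES = {
    "{3F2A9C1B-7D4E-4A61-9B8C-0D5E6F7A8B9C}": r"C:\Users\alice\Qwzkpl\Vhtrmx.exe",
    "OneDrive": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
}

# Constructed proxy log lines: timestamp, client IP, method, URL, status.
SAMPLE_PROXY_LOG = """\
2024-05-10T08:01:12Z 10.0.0.15 POST http://c2-placeholder.invalid:8080/ponyb/gate.php 200
2024-05-10T08:01:13Z 10.0.0.15 GET http://www.example.com/index.html 200
2024-05-10T08:02:40Z 10.0.0.22 GET http://download.example.net/setup.exe 200
"""

# Value names that look like a COM class ID, as the analysis describes for the Run entry.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# An .exe sitting in exactly one folder under the profile root, either in the
# %UserProfile% form or expanded (C:\Users\<name>\<folder>\<name>.exe).
# Deeper paths such as AppData\Local\... do not match.
PROFILE_EXE_RE = re.compile(
    r'^"?(?:%USERPROFILE%|[A-Za-z]:\\Users\\[^\\]+)\\[^\\]+\\[^\\]+\.exe"?$',
    re.IGNORECASE,
)

# Request path used by the check-in URLs listed in the analysis.
GATE_PATH = "/ponyb/gate.php"


def classify_run_entry(name, value):
    """Return the list of reasons a Run value looks like the described autorun entry."""
    reasons = []
    if GUID_RE.match(name):
        reasons.append("value name is a class ID")
    if PROFILE_EXE_RE.match(value.strip()):
        reasons.append("executable in a folder directly under the profile root")
    return reasons


def suspicious_run_entries(values):
    """Map each suspicious value name to its reasons; clean entries are omitted."""
    result = {}
    for name, value in values.items():
        reasons = classify_run_entry(name, value)
        if reasons:
            result[name] = reasons
    return result


def winrar_hwid_present(winrar_values):
    """True if HKCU\\Software\\WinRAR carries an HWID value, the artifact named above."""
    return "HWID" in winrar_values


def scan_proxy_log(text):
    """Return (client_ip, url) for every request whose path ends in the gate.php check-in."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash
        client_ip, url = parts[1], parts[3]
        path = url.split("://", 1)[-1].split("/", 1)[-1] if "/" in url.split("://", 1)[-1] else ""
        if ("/" + path).lower().rstrip("/").endswith(GATE_PATH):
            hits.append((client_ip, url))
    return hits


if __name__ == "__main__":
    for name, reasons in suspicious_run_entries(SAMPLE_RUN_VALUES).items():
        print(f"Run entry {name}: {'; '.join(reasons)}")
    print("WinRAR HWID present:", winrar_hwid_present({"HWID": b"\x00\x11\x22"}))
    for ip, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"gate.php check-in from {ip}: {url}")
```

Both heuristics are deliberately narrow: the Run-key check fires only when the path shape matches the randomized folder layout described above, so normal per-user software under AppData is not reported, and the proxy check keys on the path rather than on hosts or ports, since the analysis shows the same path served from several hosts on ports 81, 8080 and the default port.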

Recommended Action

  FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

  FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2024-05-16 92.04340
2024-05-12 92.04206
2024-05-10 92.04141
2024-04-29 92.03817
2024-04-24 92.03683
2024-04-24 92.03673
2024-04-08 92.03200
2024-04-08 92.03197
2024-04-08 92.03195
2024-04-08 92.03193