W32/Kryptik.AX!tr

Analysis


  • This malware arrives as an email attachment and has a PDF file icon.

  • Once executed, it attempts to connect to the following sites:
    • http://big{Removed}lc.com:81/ponyb/gate.php
    • http://3ec{Removed}y.com:8080/ponyb/gate.php
    • http://24.coas{Removed}e.com/ponyb/gate.php

  • It also attempts to download files from the following URLs:
    • http://00002fl.rco{Removed}t.com/ziM4.exe
    • http://dtwa{Removed}s.com/HSj.exe
    • http://208.{Removed}.5/h1bXVj.exe
    • http://pani{Removed}s.com/zuxG8.exe
    • http://www.hyp{Removed}c.de/VE9N79S.exe

  • The malware creates a subfolder using a randomized name under the user's profile folder. The downloaded file is saved in this newly created folder using a randomized name. As of this writing, the file that was downloaded can be detected as W32/Kryptik.6F77!tr.

  • It adds the following registry entry to automatically execute the downloaded file every time the infected user logs on:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      • [Random Class ID] = "%UserProfile%\[RandomFolderName]\[RandomName].exe"

  • It also adds the following registry entry:
    • HKEY_CURRENT_USER\Software\WinRAR
      • HWID = [Random Hexadecimal Bytes]
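The two registry artifacts above are the easiest host-side indicators to check for. The following PowerShell is an added example written for this entry, not code from Fortinet; it flags Run values whose name looks like a Class ID or whose target is an executable in a single subfolder directly under the user profile, and separately reports an `HWID` value under `HKCU\Software\WinRAR`. The function names and the GUID pattern are my own assumptions; only the key paths and value shapes come from the description.

```powershell
# Added example: hunt for the persistence and marker entries described above.
# Runs as the current user; a hit is a lead to investigate, not a verdict.

function Get-SuspiciousRunEntries {
    [CmdletBinding()]
    param(
        [string]$RunKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    )
    $userProfile = [Environment]::GetFolderPath('UserProfile')
    $findings = @()
    if (-not (Test-Path $RunKey)) { return $findings }

    $item = Get-ItemProperty -Path $RunKey
    foreach ($p in $item.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # provider metadata, not a Run value
        $name  = $p.Name
        $value = [string]$p.Value

        # Trait 1 (assumed pattern): value name looks like a Class ID / GUID
        $guidLike = $name -match '^\{?[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}?$'

        # Trait 2: target is "%UserProfile%\<folder>\<name>.exe" (quotes stripped, variables expanded)
        $expanded = [Environment]::ExpandEnvironmentVariables($value.Trim('"'))
        $inProfileSubfolder = $false
        if ($expanded -like "$userProfile\*\*.exe") {
            $rel = $expanded.Substring($userProfile.Length + 1)
            $inProfileSubfolder = ($rel.Split('\').Count -eq 2)
        }

        if ($guidLike -or $inProfileSubfolder) {
            $findings += [pscustomobject]@{
                Key              = $RunKey
                Name             = $name
                Value            = $value
                GuidName         = $guidLike
                ProfileSubfolder = $inProfileSubfolder
            }
        }
    }
    return $findings
}

function Test-WinRarHwidMarker {
    $key = 'HKCU:\Software\WinRAR'
    if (-not (Test-Path $key)) { return $null }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $props.HWID) { return $null }

    # HWID may be stored as REG_BINARY (byte[]) or as a string; render both readably
    $raw = $props.HWID
    $shown = if ($raw -is [byte[]]) { ($raw | ForEach-Object { '{0:X2}' -f $_ }) -join ' ' } else { [string]$raw }
    [pscustomobject]@{ Key = $key; Name = 'HWID'; Value = $shown }
}

# Usage
Get-SuspiciousRunEntries | Format-Table -AutoSize
Test-WinRarHwidMarker
```

Both checks read only the current user's hive, which matches where this sample writes; to sweep other profiles on a host, load their `NTUSER.DAT` hives and point `-RunKey` at the loaded path. Treat a Run entry that meets both traits as a strong lead and collect the referenced executable for scanning before removing the value.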

  • The malware performs a dictionary attack on several known FTP clients, file managers, mail clients, and browsers in an attempt to access possibly confidential information.

Recommended Action

FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.

FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Detection Availability

  • FortiGate (Extended)
  • FortiClient
  • FortiMail
  • FortiSandbox
  • FortiWeb
  • Web Application Firewall
  • FortiIsolator
  • FortiDeceptor
  • FortiEDR

Version Updates

Date Version Detail
2024-09-11 92.07234
2024-09-04 92.07065
2024-08-19 92.06683
2024-08-03 92.06289
2024-07-29 92.06189
2024-07-29 92.06182
2024-07-24 92.06060
2024-07-22 92.06008
2024-07-19 92.05946
2024-07-05 92.05595