Threat Encyclopedia

W32/Kryptik.AX!tr

Analysis


  • This malware arrives as an email attachment and has a PDF file icon.

  • Once executed, it attempts to connect to the following sites:
    • http://big{Removed}lc.com:81/ponyb/gate.php
    • http://3ec{Removed}y.com:8080/ponyb/gate.php
    • http://24.coas{Removed}e.com/ponyb/gate.php

  • It also attempts to download files from the following URLs:
    • http://00002fl.rco{Removed}t.com/ziM4.exe
    • http://dtwa{Removed}s.com/HSj.exe
    • http://208.{Removed}.5/h1bXVj.exe
    • http://pani{Removed}s.com/zuxG8.exe
    • http://www.hyp{Removed}c.de/VE9N79S.exe

  • The malware creates a subfolder using a randomized name under the user's profile folder. The downloaded file is saved in this newly created folder using a randomized name. As of this writing, the file that was downloaded can be detected as W32/Kryptik.6F77!tr.

  • It adds the following registry entry to automatically execute the downloaded file every time the infected user logs on:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      • [Random Class ID] = "%UserProfile%\[RandomFolderName]\[RandomName].exe"

  • It also adds the following registry entry:
    • HKEY_CURRENT_USER\Software\WinRAR
      • HWID = [Random Hexadecimal Bytes]
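The two registry artifacts above are what a responder would check for first on a suspect host. The following PowerShell triage script is an added example, not part of the Fortinet entry; it assumes the Run value points at a single randomly named subfolder directly under the user's profile folder (as described above) and reports any HWID value under HKCU\Software\WinRAR.

```powershell
# Added triage check for the persistence artifacts described in this entry.
# Run in the context of the user account under investigation (HKCU is per-user).
$runKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$winrarKey = 'HKCU:\Software\WinRAR'
$profile   = $env:USERPROFILE
$findings  = @()

# 1. Run entries whose target is <UserProfile>\<one folder>\<name>.exe,
#    i.e. the %UserProfile%\[RandomFolderName]\[RandomName].exe shape above.
$pattern = '^' + [regex]::Escape($profile) + '\\[^\\]+\\[^\\]+\.exe$'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PowerShell's own metadata properties
        $raw   = ([string]$p.Value) -replace '"', ''   # strip quoting around the path
        $value = [Environment]::ExpandEnvironmentVariables($raw)
        if ($value -imatch $pattern) {
            $findings += [pscustomobject]@{
                Artifact = 'Run entry (profile subfolder)'
                Name     = $p.Name
                Value    = $value
            }
        }
    }
}

# 2. The HWID marker under HKCU\Software\WinRAR. The entry lists this value as a
#    malware artifact; any HWID value found here is reported for analyst review.
$hwid = Get-ItemProperty -Path $winrarKey -Name HWID -ErrorAction SilentlyContinue
if ($hwid) {
    $data = $hwid.HWID
    if ($data -is [byte[]]) {
        # REG_BINARY: render as hex so it can be compared across hosts
        $shown = ($data | ForEach-Object { '{0:X2}' -f $_ }) -join ' '
    } else {
        $shown = [string]$data
    }
    $findings += [pscustomobject]@{
        Artifact = 'WinRAR HWID marker'
        Name     = 'HWID'
        Value    = $shown
    }
}

if ($findings) { $findings | Format-Table -AutoSize } else { 'No matching artifacts found.' }
```

A hit on the Run entry should be followed by hashing the referenced file and submitting it for scanning, since the entry notes the downloaded payload may be detected under a different name (W32/Kryptik.6F77!tr at the time of writing).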

  • The malware performs a dictionary attack against the stored credentials of several known FTP clients, file managers, mail clients, and browsers in an attempt to access possibly confidential information.

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.