W32/Kryptik.AX!tr

Analysis

  • This malware arrives as an email attachment and has a PDF file icon.

  • Once executed, it attempts to connect to the following sites:
    • http://big{Removed}lc.com:81/ponyb/gate.php
    • http://3ec{Removed}y.com:8080/ponyb/gate.php
    • http://24.coas{Removed}e.com/ponyb/gate.php

  • It also attempts to download files from the following URLs:
    • http://00002fl.rco{Removed}t.com/ziM4.exe
    • http://dtwa{Removed}s.com/HSj.exe
    • http://208.{Removed}.5/h1bXVj.exe
    • http://pani{Removed}s.com/zuxG8.exe
    • http://www.hyp{Removed}c.de/VE9N79S.exe

  • The malware creates a subfolder using a randomized name under the user's profile folder. The downloaded file is saved in this newly created folder using a randomized name. As of this writing, the file that was downloaded can be detected as W32/Kryptik.6F77!tr.

  • It adds the following registry entry to automatically execute the downloaded file every time the infected user logs on:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      • [Random Class ID] = "%UserProfile%\[RandomFolderName]\[RandomName].exe"

  • It also adds the following registry entry:
    • HKEY_CURRENT_USER\Software\WinRAR
      • HWID = [Random Hexadecimal Bytes]

  • The malware performs a dictionary attack against the stored credentials of several known FTP clients, file managers, mail clients, and browsers in an attempt to access possibly confidential information.
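
As an added illustration (not Fortinet's code and not derived from the sample itself), the following Python script turns two of the indicators above into detection checks run over constructed sample data: Run-key values whose executable sits one folder below the user profile under a class-ID-style value name, and proxy log lines whose URL path is the /ponyb/gate.php check-in. The hostnames, the log line format and the registry value names in the samples are assumed placeholders.

```python
import re
from urllib.parse import urlparse

# Value name written as a class ID, e.g. {8A1B...-...}: one signal for the Run entry.
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
# %UserProfile%\<folder>\<name>.exe with no deeper path (literal C:\Users\<user> also matches).
PROFILE_EXE = re.compile(
    r'^"?(?:%USERPROFILE%|[A-Za-z]:\\Users\\[^\\]+)\\([^\\]+)\\([^\\]+\.exe)"?\s*$',
    re.IGNORECASE,
)
C2_PATH = "/ponyb/gate.php"  # check-in path used by the sites listed above


def suspicious_run_values(run_values):
    """Return (value name, reasons) for Run-key values matching the persistence pattern.

    run_values: mapping of value name -> value data, as read from
    HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.
    """
    hits = []
    for name, data in run_values.items():
        if PROFILE_EXE.match(data) is None:
            continue  # executable is not directly inside a single profile subfolder
        reasons = ["exe one folder below the user profile"]
        if GUID_NAME.match(name):
            reasons.append("value name is a class ID")
        hits.append((name, reasons))
    return hits


def c2_checkins(proxy_lines):
    """Return (client, url) for proxy lines whose URL path is the gate.php check-in."""
    found = []
    for line in proxy_lines:
        parts = line.split()  # assumed format: <timestamp> <client> <url> <status>
        if len(parts) < 3:
            continue
        client, url = parts[1], parts[2]
        if urlparse(url).path.lower() == C2_PATH:
            found.append((client, url))
    return found


# Constructed sample data (placeholders, not values from the analysis above).
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "{5D2C1F3A-9B8E-4C7D-A6F1-0E2B3C4D5E6F}": r'"C:\Users\alice\qzkwfpt\rjmxa.exe"',
    "Updater": r'"%USERPROFILE%\tmpdir\svc.exe"',
}
SAMPLE_PROXY = [
    "2024-02-17T10:01:02Z 10.0.0.21 http://example-c2.invalid:81/ponyb/gate.php 200",
    "2024-02-17T10:01:05Z 10.0.0.21 http://www.example.invalid/index.html 200",
    "2024-02-17T10:01:09Z 10.0.0.22 http://dl.example.invalid:8080/ponyb/gate.php 404",
]
```

The OneDrive entry is kept in the sample to show that a legitimate executable deeper under AppData is not flagged; a failed check-in (404) still counts, since the client attempted the connection.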

Recommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
Extended
FortiClient
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2024-02-17 92.01667
2024-02-08 92.01402
2024-02-07 92.01362
2024-01-22 92.00882
2024-01-17 92.00732
2024-01-10 92.00520
2024-01-08 92.00462
2023-12-25 92.00045
2023-12-25 92.00041
2023-12-11 91.09621