Threat Encyclopedia

W32/Kryptik.AX!tr

Analysis

• This malware arrives as an email attachment and has a PDF file icon.


• Once executed, it attempts to connect to the following sites:
  
  • http://big{Removed}lc.com:81/ponyb/gate.php
  • http://3ec{Removed}y.com:8080/ponyb/gate.php
  • http://24.coas{Removed}e.com/ponyb/gate.php
  • http://24.coas{Removed}e.com/ponyb/gate.php


• It also attempts to download files from the following URLs:
  
  • http://00002fl.rco{Removed}t.com/ziM4.exe
  • http://dtwa{Removed}s.com/HSj.exe
  • http://208.{Removed}.5/h1bXVj.exe
  • http://pani{Removed}s.com/zuxG8.exe
  • http://www.hyp{Removed}c.de/VE9N79S.exe


• The malware creates a subfolder using a randomized name under the user's profile folder. The downloaded file is saved in this newly created folder using a randomized name. As of this writing, the file that was downloaded can be detected as W32/Kryptik.6F77!tr.


• It adds the following registry entry to automatically execute the downloaded file every time the infected user logs on:
  
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    
    • [Random Class ID] = ""undefinedUserProfileundefined\[RandomFolderName]\[RandomName].exe""/li>


• It also adds the following registry entry:
  
  • HKEY_CURRENT_USER\Software\WinRAR
    
    • HWID = [Random Hexadecimal Bytes]


• The malware performs a dictionary attack on several known FTP clients, file managers, mail clients, and browsers in attempt to access possibly confidential information.

Recommended Action

FortiGate Systems

• Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
  FortiClient Systems
  
• Quarantine/delete files that are detected and replace infected files with clean backup copies.