W32/Kryptik.AGAJ!tr

Analysis


  • Upon execution, it drops the following file:
    • %AppData%\[RandomFolderName]\[RandomFileName].exe : This file is also detected as W32/Kryptik.AGAJ!tr.

  • This malware creates a randomly named registry key under HKEY_CURRENT_USER\Software\Microsoft\ and stores randomly named values beneath it. The following is an example:
    • HKEY_CURRENT_USER\Software\Microsoft\Osuhy
      • b664i6a = "7dtTIcruVc0SgbDr6C8="
      • f226c0c = "213ddbd5"
      • 1h3ehh3c = "3oo9If6DZM0igdHr"

  • This malware also creates an autorun entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, using a random ClassID-like string as the value name and the dropped file as the value data, such as the following:
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      • {02EF6AC7-11ED-AD7A-7F48-B13A4CD79228} = "%AppData%\[RandomFolderName]\[RandomFileName].exe"

  • This malware has botnet-like characteristics and can download updates or other components by connecting to certain websites such as the following:
    • www.celtic-wh{Removed}.eu
    • mail.yakl{Removed}.com
    • ftp.chri{Removed}.net
    • 116.12{Removed}.195
    • exqui{Removed}.net
    • mim{Removed}.az

  • The downloaded files may be dropped into the Temporary folder. At the time of this writing, the downloaded files can also be detected as W32/Kryptik.AGAJ!tr.

  • This malware has also been observed sending POST requests to a viewtopic.php page on the hosts listed above.

  • It may arrive as a Zip archive attachment inside a spammed email such as the following:

    • [Image: Spammed email.]

  • It disguises itself by using various well-known document icons, such as the Adobe PDF, Access database, and TextPad icons.

  • It injects code into Windows Explorer.

  • It also deletes itself after initial execution.
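The autorun entry described above (a GUID-shaped value name under HKCU\...\Run whose data points at an .exe one folder below %AppData%) is a pattern a defender can check for. The following is an added example, not Fortinet's code; the value names and paths in SAMPLE_RUN_VALUES are constructed except for the ClassID-like string quoted on this page, and the folder and file names are placeholders.

```python
import re
import sys

# Constructed sample Run-key values: one ordinary entry and one shaped like the
# persistence entry described for this malware (folder/file names are made up).
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "{02EF6AC7-11ED-AD7A-7F48-B13A4CD79228}": r'"C:\Users\alice\AppData\Roaming\Xqzpv\wqrtk.exe"',
}

# Value name shaped like a ClassID: {8-4-4-4-12} hex digits in braces.
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Executable exactly one folder below the roaming AppData directory,
# written either with the %AppData% variable or as an expanded path.
APPDATA_EXE = re.compile(r"(?i)(?:%appdata%|\\appdata\\roaming)\\[^\\]+\\[^\\]+\.exe$")


def command_path(data: str) -> str:
    """Return the executable path from a Run value's command line, quotes and arguments stripped."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def is_suspicious_run_entry(name: str, data: str) -> bool:
    """True when the value name is GUID-shaped and the target is an .exe one folder below %AppData%."""
    return bool(GUID_NAME.match(name.strip())) and bool(APPDATA_EXE.search(command_path(data)))


def flag_entries(values: dict) -> list:
    """Return the sorted names of Run values matching the heuristic."""
    return sorted(name for name, data in values.items() if is_suspicious_run_entry(name, data))


def scan_live_run_key() -> list:
    """On Windows, read the current user's Run key with winreg and apply the same heuristic."""
    if sys.platform != "win32":
        return []  # winreg is only available on Windows
    import winreg
    values, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            values[name] = str(data)
            index += 1
    return flag_entries(values)


if __name__ == "__main__":
    print(flag_entries(SAMPLE_RUN_VALUES))
    print(scan_live_run_key())
```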

Recommended Action

FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.

FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.


Version Updates

Date Version Detail
2021-02-09 83.91300 Sig Updated
2020-03-08 75.81000 Sig Updated
2019-05-03 68.25100 Sig Updated
2019-05-03 68.25000 Sig Updated
2019-04-12 67.75300 Sig Updated