W32/Kryptik.AGAJ!tr
Analysis
- Upon execution, it drops the following file:
- %AppData%\[RandomFolderName]\[RandomFileName].exe : This file is also detected as W32/Kryptik.AGAJ!tr.
- This malware creates a randomly named registry key under HKEY_CURRENT_USER\Software\Microsoft\ and stores randomly named values in it. The following are examples:
- HKEY_CURRENT_USER\Software\Microsoft\Osuhy
- b664i6a = "7dtTIcruVc0SgbDr6C8="
- f226c0c = "213ddbd5"
- 1h3ehh3c = "3oo9If6DZM0igdHr"
- This malware also creates an autorun entry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run whose value name is a random ClassID-like string, such as the following:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- {02EF6AC7-11ED-AD7A-7F48-B13A4CD79228} = "%AppData%\[RandomFolderName]\[RandomFileName].exe"
- This malware has botnet-like characteristics and can download updates or other components by connecting to certain websites such as the following:
- www.celtic-wh{Removed}.eu
- mail.yakl{Removed}.com
- ftp.chri{Removed}.net
- 116.12{Removed}.195
- exqui{Removed}.net
- mim{Removed}.az
- The downloaded files may be dropped into the Temporary folder. At the time of this writing, the downloaded files can also be detected as W32/Kryptik.AGAJ!tr.
- This malware has also been observed to send POST data to viewtopic.php on these hosts.
- It may arrive as a Zip archive attachment inside a spammed email such as the following:
- [Image: sample spammed email]
- It disguises itself by using various known document icons, such as the Adobe PDF, Access database, and TextPad icons.
- It injects code into Windows Explorer.
- It also deletes itself after initial execution.
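As an added defender's check that is not part of the original Fortinet entry, the following Python flags HKCU Run values matching the persistence pattern described above: a ClassID-like value name whose command launches an executable from a subfolder of %AppData%. The GUID in the sample data is the one quoted in the analysis; the folder and file names are constructed placeholders, and the live scan uses only the standard-library winreg module.

```python
import re

# Value name shape the analysis describes: a ClassID-like {8-4-4-4-12} hex
# string, which legitimate software rarely uses as a Run entry name.
GUID_NAME = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Command shape: %AppData%\<folder>\<file>.exe, written either with the
# environment variable or as an already-expanded Roaming profile path.
APPDATA_EXE = re.compile(
    r"^(?:%appdata%|[a-z]:\\users\\[^\\]+\\appdata\\roaming)\\[^\\]+\\[^\\]+\.exe$",
    re.IGNORECASE,
)


def is_suspicious_run_entry(name: str, data: str) -> bool:
    """True when both the value name and the command match the pattern."""
    if not GUID_NAME.match(name.strip()):
        return False
    path = data.strip().strip('"')  # the analysis shows the path wrapped in quotes
    return bool(APPDATA_EXE.match(path))


def scan_run_entries(entries):
    """Return the names of suspicious entries from (name, data) pairs."""
    return [name for name, data in entries if is_suspicious_run_entry(name, data)]


def live_scan():
    """On Windows, enumerate the real HKCU Run key and scan its values."""
    import winreg  # Windows-only standard-library module
    run_key = r"Software\Microsoft\Windows\CurrentVersion\Run"
    entries, index = [], 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, run_key) as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:  # no more values under the key
                break
            entries.append((name, str(data)))
            index += 1
    return scan_run_entries(entries)


# Constructed sample of a Run key. The GUID is the one quoted in the analysis;
# the folder and file names are placeholders, not indicators from the page.
SAMPLE_RUN_ENTRIES = [
    ("OneDrive", '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background'),
    ("{02EF6AC7-11ED-AD7A-7F48-B13A4CD79228}", '"%AppData%\\Ykafi\\ruxum.exe"'),
    ("{11111111-2222-3333-4444-555555555555}", '"C:\\Users\\alice\\AppData\\Roaming\\Qwexo\\loader.exe"'),
]

if __name__ == "__main__":
    print(scan_run_entries(SAMPLE_RUN_ENTRIES))
```

A GUID-named Run value pointing into a non-vendor %AppData% folder is a hunting lead, not proof on its own; confirm by hashing the referenced file and checking it against the detection above.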
Recommended Action
- FortiGate Systems
- Check the main screen of your FortiGate unit's web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
- FortiClient Systems
- Quarantine or delete files that are detected and replace infected files with clean backup copies.