W32/Krap.A!tr
Analysis
W32/Krap.A!tr is a generic detection for a type of trojan that uses a polymorphic custom packer. Because this is a generic detection, malware detected as W32/Krap.A!tr may vary in behavior.
Below are examples of some of these behaviors:
- The following are some of the files that have been known to be dropped by this malware:
  - %UserProfile%\Start Menu\Programs\Startup\lsass.exe : detected as W32/Krap.A!tr.
  - %AppData%\lsass.exe : detected as W32/Krap.A!tr.
  - C:\RECYCLER\S-1-5-21-{SID}\Dc1.vin : detected as W32/Krap.A!tr.
  - C:\RECYCLER\S-1-5-21-{SID}\Dc2.vin : detected as W32/Krap.A!tr.
  - C:\RECYCLER\S-1-5-21-{SID}\Dc3.vin : detected as W32/Krap.A!tr.
  - C:\RECYCLER\S-1-5-21-{SID}\desktop.ini : non-malicious INI file.
  - C:\RECYCLER\S-1-5-21-{SID}\INFO2 : non-malicious data file.
  - C:\syscheckrt\config.bin : detected as Data/SpyeyeCon.fam.
  - C:\syscheckrt\syscheckrt.exe : detected as W32/Krap.A!tr.
  - C:\diskheckrt\diskheckrt.exe : detected as W32/Krap.A!tr.
  - C:\spoolerlogs\spooler.xml : non-malicious empty file.
- Some variants of this malware also spawn a hidden Internet Explorer process which attempts to connect to remote sites, such as the following:
  - dfw06s32-in-f1{Removed}0.net:http
  - li45-23{Removed}de.com:https
  - dfw06s32-in-f9{Removed}0.net:http
  - por{Removed}s.com DNS query
  - pro{Removed}s.com DNS query
  - stro{Removed}s.com DNS query
  - soi{Removed}s.com DNS query
  - saf{Removed}l.com DNS query
  - you{Removed}t.com DNS query
- Another variant of this malware deletes itself and may cause the affected system to reboot.
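The drop locations listed above can be turned into a read-only host triage check. The script below is an added example, not Fortinet's code: it assumes a Windows-style folder layout, matches the {SID} folder under RECYCLER with a wildcard, leaves the legitimate desktop.ini and INFO2 files unflagged, and builds a constructed sample tree so it can be run offline.

```python
import os
import tempfile
from pathlib import Path
from typing import NamedTuple

class Hit(NamedTuple):
    path: Path
    verdict: str  # how the analysis above classifies the file

# Drop locations from the analysis above as (root, glob relative to root, verdict).
# "S-1-5-21-*" stands in for the {SID} folder; desktop.ini and INFO2 are ordinary
# Recycle Bin files and are deliberately not listed.
INDICATORS = [
    ("user_profile", "Start Menu/Programs/Startup/lsass.exe", "W32/Krap.A!tr (Startup persistence)"),
    ("app_data", "lsass.exe", "W32/Krap.A!tr"),
    ("system_drive", "RECYCLER/S-1-5-21-*/Dc*.vin", "W32/Krap.A!tr"),
    ("system_drive", "syscheckrt/syscheckrt.exe", "W32/Krap.A!tr"),
    ("system_drive", "syscheckrt/config.bin", "Data/SpyeyeCon.fam"),
    ("system_drive", "diskheckrt/diskheckrt.exe", "W32/Krap.A!tr"),
    ("system_drive", "spoolerlogs/spooler.xml", "non-malicious empty file dropped alongside"),
]

def find_krap_artifacts(user_profile: Path, app_data: Path, system_drive: Path) -> list[Hit]:
    """Report files at the known drop locations. Read-only: nothing is deleted."""
    roots = {"user_profile": user_profile, "app_data": app_data, "system_drive": system_drive}
    hits: list[Hit] = []
    for root_name, pattern, verdict in INDICATORS:
        root = roots[root_name]
        if root.is_dir():  # a missing root (e.g. no RECYCLER folder yet) simply yields no hits
            hits.extend(Hit(p, verdict) for p in sorted(root.glob(pattern)) if p.is_file())
    return hits

def live_windows_roots() -> tuple[Path, Path, Path]:
    """Roots of the running Windows host, taken from the standard environment variables."""
    return (Path(os.environ["USERPROFILE"]), Path(os.environ["APPDATA"]),
            Path(os.environ.get("SystemDrive", "C:") + "\\"))

def demo() -> list[Hit]:
    """Constructed sample tree mimicking an infected host, so the check runs offline."""
    base = Path(tempfile.mkdtemp())
    for rel, data in [
        ("Users/alice/Start Menu/Programs/Startup/lsass.exe", b"MZ"),
        ("C/RECYCLER/S-1-5-21-1111-2222-3333-1000/Dc1.vin", b"MZ"),
        ("C/RECYCLER/S-1-5-21-1111-2222-3333-1000/desktop.ini", b"[.ShellClassInfo]"),  # legitimate
        ("C/syscheckrt/config.bin", b"cfg"),
    ]:
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_bytes(data)
    # AppData is left absent on purpose: a missing root must be skipped, not raise.
    return find_krap_artifacts(base / "Users/alice", base / "Users/alice/AppData/Roaming", base / "C")

if __name__ == "__main__":
    for hit in demo():  # on a Windows host use find_krap_artifacts(*live_windows_roots())
        print(f"{hit.path} -> {hit.verdict}")
```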
Recommended Action
- FortiGate Systems
  - Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
- FortiClient Systems
  - Quarantine/delete files that are detected and replace infected files with clean backup copies.