virus logo Virus

W32/Kryptik.CF!tr

description-logoAnalysis


 W32/Kryptik.CF!tr is a generic detection for a type of trojan that drops other malware onto the compromised computer. Since this is a generic detection, files that are detected as W32/Kryptik.CF!tr may have varying behavior.
Below are examples of some of these behavior:

  • Upon execution, it downloads files and saves it as the following:
    • undefinedAppDataundefined\[RandomFolderName]\[RandomFileName].exe : This file is currently detected as W32/Zbot.RJAJ!tr.
    • undefinedTempundefined\budha.exe : This file is also currently detected as W32/Kryptik.CF!tr.

  • The following registry modifications are applied:
    • HKEY_CURRENT_USER\Identities\{B760DF06-17DA-4F83-A5AF-FD791B824F91}
      • Identity Ordinal = 00000001

    • HKEY_CURRENT_USER\Software\Microsoft\[RandomRegistryName]
      This registry entry contains several hexadecimal values which are the malware's encrypted data.

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      • Epvuan = ""undefinedAppDataundefined\[RandomFolderName]\[RandomFileName].exe""
      This registry entry automatically executes the downloaded malware every time the infected user logs on.

  • During execution, it has been observed to connect to the following remote site:
    • 77.11{Removed}.dhcp.mct.ne.jp:3053
    • 46.4{Removed}:22868
    • vc{Removed}.1e100.net:http
    • 89.21{Removed}:8310
    • host-94-{Removed}.dynamic.mm.pl:9386
    • c2f{Removed}.fsp.oleane.fr:8439
    • foo{Removed}.pk
    • zenti{Removed}.co.uk
    • ne{Removed}.enixns.com

  • This malware disguises itself by using the Adobe PDF icon or the music Wav file icon.

  • This malware injects its codes into Windows Explorer.

recommended-action-logoRecommended Action

    FortiGate Systems
  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option.
    FortiClient Systems
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry logoTelemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2023-07-25 91.05424
2023-06-02 91.03822
2022-12-28 90.09140
2022-05-31 90.02802
2021-11-23 89.07133
2021-09-08 88.00971
2021-05-19 86.00293
2021-02-23 84.00249
2020-12-14 82.54500 Sig Updated
2020-11-18 81.91500 Sig Updated
ID 6037840
Released Jan 21, 2014
Description
Updated		 Feb 04, 2014
Aliases Trojan-Spy.Win32.Zbot.rjaj, Troj/Zbot-HNH, Win32/Spy.Zbot.AAU trojan, PSW.Generic12.ZEI, W32/Zbot.RJAJ!tr, Trojan-Downloader.Win32.Agent.hdyg, PWSZbot-FQJ!09C1E0F0BC56 trojan,Troj/DwnLdr-LIG,Win32/TrojanDownloader.Waski.B trojan,Zbot.FDO, TROJ_UPATRE.ML,Tr
Platform Profile Win32 file format / PE 32 bit