W32/Kryptik.CF!tr
Analysis
W32/Kryptik.CF!tr is a generic detection for a type of trojan that drops other malware onto the compromised computer. Since this is a generic detection, files detected as W32/Kryptik.CF!tr may vary in behavior.
Below are examples of some of these behaviors:
- Upon execution, it downloads files and saves them as the following:
  - %AppData%\[RandomFolderName]\[RandomFileName].exe : This file is currently detected as W32/Zbot.RJAJ!tr.
  - %Temp%\budha.exe : This file is also currently detected as W32/Kryptik.CF!tr.
- The following registry modifications are applied:
  - HKEY_CURRENT_USER\Identities\{B760DF06-17DA-4F83-A5AF-FD791B824F91}
    - Identity Ordinal = 00000001
  - HKEY_CURRENT_USER\Software\Microsoft\[RandomRegistryName]
    This registry entry contains several hexadecimal values, which are the malware's encrypted data.
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    - Epvuan = "%AppData%\[RandomFolderName]\[RandomFileName].exe"
  - HKEY_CURRENT_USER\Identities\{B760DF06-17DA-4F83-A5AF-FD791B824F91}
- During execution, it has been observed to connect to the following remote sites:
- This malware disguises itself by using the Adobe PDF icon or a WAV audio file icon.
- This malware injects its code into Windows Explorer.
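As an added example that is not part of the Fortinet report: a Python check that parses a `reg export` of the HKCU Run key (the persistence entry described above) and flags values launching an executable from a subfolder of %AppData%, the drop location this family uses. The export text, user name, folder and file names are constructed.

```python
import re
from pathlib import PureWindowsPath

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# "name"="data" lines of a .reg export; data may carry \" and \\ escapes
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample export (hypothetical user, folder and file names; not from the report)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Epvuan"="\"C:\\Users\\alice\\AppData\\Roaming\\Xqvdte\\kwesqa.exe\""
"Notepad"="C:\\Windows\\System32\\notepad.exe"
'''

def unescape(s):
    # undo .reg escaping (doubled backslashes, escaped quotes) in one pass
    return re.sub(r'\\(.)', r'\1', s)

def parse_run_values(reg_text):
    """Return {value name: command line} for string values under the HKCU Run key."""
    values, in_run = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('['):
            in_run = line[1:-1].lower() == RUN_KEY.lower()
            continue
        m = VALUE_RE.match(line)
        if in_run and m:
            values[unescape(m.group(1))] = unescape(m.group(2))
    return values

def command_target(cmd):
    """Executable path from a Run command line: the quoted token, else the first token."""
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else (cmd.split()[0] if cmd else "")

def is_roaming_appdata_subdir_exe(path):
    # True for an .exe inside a subfolder below the Roaming AppData directory,
    # the drop location described above; Local AppData paths are not flagged
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if 'appdata' not in parts or not parts[-1].endswith('.exe'):
        return False
    i = parts.index('appdata')  # need Roaming plus at least one folder before the file
    return parts[i + 1:i + 2] == ['roaming'] and len(parts) > i + 3

def suspicious_run_entries(reg_text):
    """Run values worth triage: name -> executable path in a subfolder of Roaming AppData."""
    return {name: command_target(cmd) for name, cmd in parse_run_values(reg_text).items()
            if is_roaming_appdata_subdir_exe(command_target(cmd))}
```

A hit is a triage lead, not a verdict: legitimate per-user installers also write to Roaming AppData, so confirm with the file's signature and hash before acting.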
Recommended Action
- FortiGate Systems
  - Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system. If required, enable the "Allow Push Update" option.
- FortiClient Systems
  - Quarantine/delete files that are detected and replace infected files with clean backup copies.