W32/Kryptik.EFAD!tr

description-logoAnalysis



  • It drops the following files:
    • undefinedAppDataundefined\[RandomFilename_1].exe: This file is detected as W32/Kryptik.EFAD!tr.
    • undefinedUserProfileundefined\Local Settings\Application Data\Microsoft\Windows\[RandomFilename_2].exe: This file is detected as W32/Androm.ECGZ!tr.bdr.

  • The following registry modifications are applied:
      • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
        • [RandomKey] = "undefinedUserProfileundefined\Local Settings\Application Data\Microsoft\Windows\[RandomFilename_2].exe"
        This automatically executes the dropped file every time the infected user logs on.

  • It injects codes into the explorer.exe process.


  • recommended-action-logoRecommended Action

    • Make sure that your FortiGate/FortiClient system is using the latest AV database.
    • Quarantine/delete files that are detected and replace infected files with clean backup copies.

    Telemetry logoTelemetry

    Detection Availability

    FortiGate
    FortiClient
    FortiAPS
    FortiAPU
    FortiMail
    FortiSandbox
    FortiWeb
    Web Application Firewall
    FortiIsolator
    FortiDeceptor
    FortiEDR

    Version Updates

    Date Version Detail
    2022-08-25 90.05404