W32/GenKryptik.AIIH!tr
Analysis
W32/GenKryptik.AIIH!tr is a generic detection for a trojan. Since this is a generic detection, malware that is detected as W32/GenKryptik.AIIH!tr may have varying behaviour.
Below are examples of some of these behaviours:
- It drops the following files:
  - %UserProfile%\[Random].exe : This file is detected as W32/GenKryptik.AIIH!tr.
  - %AppData%\pid.txt : This file is a non-malicious text file possibly indicating the process ID of the malware.
  - %AppData%\pidloc.txt : This file is a non-malicious text file indicating the path and filename of the original malware.
  - %AppData%\subfolder\filename.bat : This file is detected as W32/GenKryptik.AIIH!tr.
  - %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\filename.vbs : This VBS file serves as an autostart for %AppData%\subfolder\filename.bat.
- The following registry modifications are applied:
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    - MSConfig = %UserProfile%\[Random].exe
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- It connects to the following remote site:
  - myp0nysi{Removed}.ru
- This malware has also been observed to connect to some known email exchange servers:
  - smtp.yandex.com
  - microsoft.com
  - yahoo.com
  - google.com
- Some instances of this malware delete themselves after execution.
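As an added illustration that is not part of the Fortinet write-up, the dropped-file and Run-key behaviours listed above expressed as host triage checks: an `.exe` directly in the profile root, the `pid.txt`/`pidloc.txt` markers, a `.vbs` in the Startup folder, and a Run value named `MSConfig` pointing at that profile-root executable. The user profile layout, the artefact record format and all sample data are assumed or constructed here.

```python
# Checks derived from the W32/GenKryptik.AIIH!tr write-up, run over artefacts an
# endpoint agent would collect. Host layout and sample data are constructed.
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
STARTUP = r"\microsoft\windows\start menu\programs\startup"

def _n(p):  # normalise a Windows path: one separator, no trailing slash, lower-case
    return p.replace("/", "\\").rstrip("\\").lower()

def check_file(path, env):
    """Return the indicator name a dropped-file path matches, or None."""
    p, prof, appd = _n(path), _n(env["USERPROFILE"]), _n(env["APPDATA"])
    parent, _, name = p.rpartition("\\")
    if parent == prof and name.endswith(".exe"):              # %UserProfile%\[Random].exe
        return "exe_in_profile_root"
    if parent == appd and name in ("pid.txt", "pidloc.txt"):  # %AppData% marker files
        return "pid_marker_file"
    if parent == appd + STARTUP and name.endswith(".vbs"):    # Startup\*.vbs autostart
        return "vbs_startup_autostart"
    return None

def check_run_value(key, value_name, data, env):
    """Return the indicator an HKCU Run value matches, or None."""
    if _n(key) != _n(RUN_KEY) or value_name.lower() != "msconfig":
        return None
    if check_file(data.strip('"'), env) == "exe_in_profile_root":  # MSConfig = %UserProfile%\[Random].exe
        return "run_msconfig_to_profile_exe"
    return None

def triage(artifacts, env):
    """Return (artefact, indicator) pairs for everything that matched a check."""
    hits = []
    for a in artifacts:
        r = (check_file(a["path"], env) if a["type"] == "file"
             else check_run_value(a["key"], a["name"], a["data"], env))
        if r:
            hits.append((a, r))
    return hits
ENV = {"USERPROFILE": r"C:\Users\alice", "APPDATA": r"C:\Users\alice\AppData\Roaming"}
SAMPLE = [  # constructed: first four match the write-up, last two are benign look-alikes
    {"type": "file", "path": r"C:\Users\alice\qzxv8k.exe"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\pidloc.txt"},
    {"type": "file", "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.vbs"},
    {"type": "reg", "key": RUN_KEY, "name": "MSConfig", "data": r"C:\Users\alice\qzxv8k.exe"},
    {"type": "file", "path": r"C:\Users\alice\Documents\report.exe"},
    {"type": "reg", "key": RUN_KEY, "name": "OneDrive", "data": r"C:\Users\alice\AppData\Local\OneDrive.exe"},
]
if __name__ == "__main__":
    for a, r in triage(SAMPLE, ENV):
        print(r, "<-", a.get("path") or f"{a['name']} = {a['data']}")
```

A single hit on `pid_marker_file` is weak on its own; the combination with `run_msconfig_to_profile_exe` or `vbs_startup_autostart` on the same host is what matches the persistence described above.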
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| Product | Detection availability |
|---|---|
| FortiGate | |
| Extended | |
| FortiClient | |
| FortiMail | |
| FortiSandbox | |
| FortiWeb | |
| Web Application Firewall | |
| FortiIsolator | |
| FortiDeceptor | |
| FortiEDR | |