W32/GenKryptik.AIIH!tr

Analysis

W32/GenKryptik.AIIH!tr is a generic detection for a trojan. Since this is a generic detection, malware that are detected as W32/GenKryptik.AIIH!tr may have varying behaviour.
Below are examples of some of these behaviours:

• It drops the following files:
  
  • undefinedUserProfileundefined\[Random].exe : This file is detected as W32/GenKryptik.AIIH!tr.
  • undefinedAppDataundefined\pid.txt : This file is a non-malicious text file possibly indicating the process ID of the malware.
  • undefinedAppDataundefined\pidloc.txt : This file is a non-malicious text file indicating the path filename of the original malware.
  • undefinedAppDataundefined\subfolder\filename.bat : This file is detected as W32/GenKryptik.AIIH!tr.
  • undefinedAppDataundefined\Microsoft\Windows\Start Menu\Programs\Startup\filename.vbs : This VBS file serves as an autostart for undefinedAppDataundefined\subfolder\filename.bat.


• The following registry modifications are applied:
  
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    
    • MSConfig = undefinedUserProfileundefined\[Random].exe
    This automatically executes the dropped file every time the infected user logs on.


• It connects to the following remote site:
• myp0nysi{Removed}.ru


• This malware has been also observed to connect to some known email exchange servers:
• smtp.yandex.com
• microsoft.com
• yahoo.com
• google.com


• Some instances of this malware deletes itself after execution.

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.