VirusJava/Kryptik.FP!tr
Analysis
Java/Kryptik.FP!tr is a generic detection for a Java rojan that intends to disable/lower the security settings of the affected hosts.
Below are examples of some of its behaviours:
- This malware drops the following files:
- undefinedLocalAppDataundefined\Temp\Windows[Random].dll : This file is detected as W32/Agent.BDAF!tr.
- undefinedLocalAppDataundefined\Temp\0.[Random].class : This file is detected as Java/Adwind.AAU!tr.
- undefinedLocalAppDataundefined\Temp\[Random].reg : This file is detected as REG/Small.G!tr, to which the contents will be applied on the affected hosts.
- undefinedCurrentUserundefined\[Random]\[Random].[Random] : This file is detected as Java/Kryptik.FP!tr.
- undefinedCurrentUserundefined\[Random]\ID.txt : This file is a none malicious text file.
- The following registry modifications are applied:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- [Random] = undefinedAppDataundefined\Roaming\Oracle\bin\javaw.exe -jar [Original Malware Executed]
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
- DisableTaskMgr = 00000002
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
- SaveZoneInformation = 00000001
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
- LowRiskFileTypes = ".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
- SEE_MASK_NOZONECHECKS = "1"
- HKEY_CURRENT_USER\Environment
- SEE_MASK_NOZONECHECKS = "1"
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
- DisableConfig = ""00000001
- DisableSR = ""00000001
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- PromptOnSecureDesktop = ""00000000
- ConsentPromptBehaviorAdmin = 00000000
- ConsentPromptBehaviorUser = 00000000
- EnableLUA = 00000000
When this registry is set to value 0, it causes the system to turn off UAC (User Access/Account Control).
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- This malware also modifies the following registry entry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[ApplicationFileName]
- debugger = "svchost.exe"
The applications being affected by this registry are mostly tools related to security management. The names referred to in [ApplicationFileName] are as follows:
- acs.exe
- AdAwareDesktop.exe
- AdAwareService.exe
- AdAwareTray.exe
- AgentSvc.exe
- AVK.exe
- AVKProxy.exe
- AVKService.exe
- AVKTray.exe
- AVKWCtlx64.exe
- avpmapp.exe
- av_task.exe
- Bav.exe
- bavhm.exe
- BavSvc.exe
- BavTray.exe
- BavUpdater.exe
- BavWebClient.exe
- BDSSVC.EXE
- BgScan.exe
- BullGuard.exe
- BullGuardBhvScanner.exe
- BullGuardUpdate.exe
- BullGuarScanner.exe
- capinfos.exe
- cavwp.exe
- CertReg.exe
- cis.exe
- CisTray.exe
- clamscan.exe
- ClamTray.exe
- ClamWin.exe
- cmdagent.exe
- ConfigSecurityPolicy.exe
- CONSCTLX.EXE
- coreFrameworkHost.exe
- coreServiceShell.exe
- dragon_updater.exe
- dumpcap.exe
- econceal.exe
- econser.exe
- editcap.exe
- EMLPROXY.EXE
- escanmon.exe
- escanpro.exe
- fcappdb.exe
- FCDBlog.exe
- FCHelper64.exe
- FilMsg.exe
- FilUp.exe
- filwscc.exe
- fmon.exe
- FortiClient.exe
- FortiClient_Diagnostic_Tool.exe
- FortiESNAC.exe
- FortiFW.exe
- FortiProxy.exe
- FortiSSLVPNdaemon.exe
- FortiTray.exe
- FPAVServer.exe
- FProtTray.exe
- FPWin.exe
- freshclam.exe
- freshclamwrap.exe
- fsgk32.exe
- FSHDLL64.exe
- fshoster32.exe
- FSM32.EXE
- FSMA32.EXE
- fsorsp.exe
- fssm32.exe
- GdBgInx64.exe
- GDKBFltExe32.exe
- GDSC.exe
- GDScan.exe
- guardxkickoff_x64.exe
- guardxservice.exe
- iptray.exe
- K7AVScan.exe
- K7CrvSvc.exe
- K7EmlPxy.EXE
- K7FWSrvc.exe
- K7PSSrvc.exe
- K7RTScan.exe
- K7SysMon.Exe
- K7TSecurity.exe
- K7TSMain.exe
- K7TSMngr.exe
- LittleHook.exe
- mbam.exe
- mbamscheduler.exe
- mbamservice.exe
- Uninstall.exe
- MCShieldCCC.exe
- MCShieldDS.exe
- MCShieldRTM.exe
- mergecap.exe
- MpCmdRun.exe
- MpUXSrv.exe
- MSASCui.exe
- MsMpEng.exe
- MWAGENT.EXE
- MWASER.EXE
- nanoav.exe
- nanosvc.exe
- nbrowser.exe
- nfservice.exe
- NisSrv.exe
- njeeves2.exe
- nnf.exe
- nprosec.exe
- NS.exe
- nseupdatesvc.exe
- nvcod.exe
- nvcsvc.exe
- nvoy.exe
- nwscmon.exe
- ONLINENT.EXE
- OPSSVC.EXE
- op_mon.exe
- ProcessHacker.exe
- procexp.exe
- PSANHost.exe
- PSUAMain.exe
- PSUAService.exe
- psview.exe
- PtSessionAgent.exe
- PtSvcHost.exe
- PtWatchDog.exe
- quamgr.exe
- QUHLPSVC.EXE
- rawshark.exe
- SAPISSVC.EXE
- SASCore64.exe
- SASTask.exe
- SBAMSvc.exe
- SBAMTray.exe
- SBPIMSvc.exe
- SCANNER.EXE
- SCANWSCS.EXE
- schmgr.exe
- scproxysrv.exe
- ScSecSvc.exe
- SDFSSvc.exe
- SDScan.exe
- SDTray.exe
- SDWelcome.exe
- SSUpdate64.exe
- SUPERAntiSpyware.exe
- SUPERDelete.exe
- Taskmgr.exe
- text2pcap.exe
- TRAYICOS.EXE
- TRAYSSER.EXE
- trigger.exe
- tshark.exe
- twsscan.exe
- twssrv.exe
- uiSeAgnt.exe
- uiUpdateTray.exe
- uiWatchDog.exe
- uiWinMgr.exe
- UnThreat.exe
- UserAccountControlSettings.exe
- UserReg.exe
- utsvc.exe
- V3Main.exe
- V3Medic.exe
- V3Proxy.exe
- V3SP.exe
- V3Svc.exe
- V3Up.exe
- VIEWTCP.EXE
- VIPREUI.exe
- virusutilities.exe
- WebCompanion.exe
- wireshark.exe
- Zanda.exe
- Zlh.exe
- zlhh.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\[ApplicationFileName]
- A few instances of this malware were observed to display a message.
- Figure 1: Message Prompt.
- Some instances of this malware are also capable of dropping a Visual Basic Script (VBS) component and executing it.
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
| FortiClient | |
|---|---|
| Extreme | |
| FortiMail | |
| Extreme | |
| FortiSandbox | |
| Extreme | |
| FortiWeb | |
| Extreme | |
| Web Application Firewall | |
| Extreme | |
| FortiIsolator | |
| Extreme | |
| FortiDeceptor | |
| Extreme | |
| FortiEDR |