W32/GenKryptik.ARNZ!tr
Analysis
W32/GenKryptik.ARNZ!tr is a generic detection for an Injector trojan. Since this is a generic detection, malware detected as W32/GenKryptik.ARNZ!tr may exhibit varying behaviour.
Below are examples of some of these behaviours:
- This malware may drop any of the following file(s):
  - %ProgramData%\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\[Random].exe : where x is any hexadecimal character. This file is detected as W32/GenKryptik.ARNZ!tr.
  - %AppData%\[Random]\[Random].exe : This file is a copy of the original malware itself.
  - %Temp%\dd.te : This is a zero-byte file.
- This malware may apply any of the following registry modification(s):
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
    - [Random] = %AppData%\[Random]\[Random].exe
  - HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
    - DisableAntiSpyware = 1
- This malware has also been observed attempting to connect to vajnwb{Removed}.com; however, at the time of our tests the site was offline.
- Some instances of this malware may spawn an svchost.exe process.
- Some instances of this malware may have injector capabilities.
- This malware can also spread through external drives by attempting to drop a copy of itself inside a subfolder with the hidden attribute set, using the format {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.exe, where x is any hexadecimal character.
  Several .LNK files will also be dropped, each using the same filename as a folder located on the external drive.
  The .LNK files point to the dropped file inside the subfolder mentioned above.
  At the time of our tests, however, the file dropped inside the subfolder was a zero-byte file, possibly due to a bug.
  Below is an illustration:
  Figure 1: External Drive infection.
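As an added example (not part of this entry and not Fortinet's own tooling), the following Python helpers encode the indicators listed above so a responder can check an exported Run key, the Windows Defender policy key, and a removable-drive directory listing against them. The Entry layout, the sample registry values and the sample drive listing are constructed for illustration.

```python
import re
from collections import namedtuple

# GUID shape used by the dropped folder and file names: {8-4-4-4-12 hex characters}
HEX_GUID = r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}"
# <root>\{GUID}\<name>.exe covers both the %ProgramData% drop and the removable-drive copy
GUID_DIR_EXE = re.compile(r"^.*\\\{" + HEX_GUID + r"\}\\[^\\]+\.exe$", re.I)
# A {GUID} folder sitting at a drive root, as used for the external-drive copy
ROOT_GUID_DIR = re.compile(r"^[a-z]:\\\{" + HEX_GUID + r"\}$", re.I)
# %AppData%\[Random]\[Random].exe, the persistence copy the Run value points at
APPDATA_COPY = re.compile(r"^%appdata%\\[^\\]+\\[^\\]+\.exe$", re.I)

# One directory listing row (constructed layout); size is None for folders, lnk_target only for .lnk
Entry = namedtuple("Entry", "path size hidden lnk_target")

def flag_run_values(run_values):
    """run_values maps value name -> command under HKCU\\...\\Currentversion\\Run."""
    return sorted(name for name, cmd in run_values.items() if APPDATA_COPY.match(cmd))

def defender_policy_tampered(policy_values):
    """True when the Windows Defender policy key carries DisableAntiSpyware = 1."""
    return policy_values.get("DisableAntiSpyware") == 1

def scan_removable_listing(entries):
    """Findings for the external-drive pattern: a hidden {GUID} folder, an .exe inside it
    (zero-byte during the entry's tests), and .lnk decoys named after sibling folders."""
    findings = []
    folders = {e.path.lower() for e in entries if e.size is None}
    for e in entries:
        if e.size is None and e.hidden and ROOT_GUID_DIR.match(e.path):
            findings.append(("hidden_guid_dir", e.path))
        elif GUID_DIR_EXE.match(e.path):
            findings.append(("guid_dir_exe", e.path, e.size))
        elif e.lnk_target and e.path[:-4].lower() in folders and GUID_DIR_EXE.match(e.lnk_target):
            findings.append(("lnk_decoy", e.path, e.lnk_target))
    return findings

# Constructed sample data (not from the entry) so the helpers run offline
G = "1a2b3c4d-1111-2222-3333-44445555aaaa"
SAMPLE_RUN = {"OneDrive": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
              "ab12cd": r"%AppData%\ab12cd\ab12cd.exe"}
SAMPLE_POLICY = {"DisableAntiSpyware": 1}
SAMPLE_DRIVE = [
    Entry(r"E:\Photos", None, False, None),
    Entry("E:\\{" + G + "}", None, True, None),
    Entry("E:\\{" + G + "}\\" + G + ".exe", 0, True, None),
    Entry(r"E:\Photos.lnk", 1200, False, "E:\\{" + G + "}\\" + G + ".exe"),
]
```

On a live host the same three functions can be fed from a `reg export` of the two keys and a recursive listing of the removable drive that records the hidden attribute and each .lnk target.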
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.