W32/GenKryptik.ARNZ!tr

Analysis

W32/GenKryptik.ARNZ!tr is a generic detection for an Injector trojan. Since this is a generic detection, malware detected as W32/GenKryptik.ARNZ!tr may exhibit varying behaviour.
Below are examples of some of these behaviours:

  • This malware may drop any of the following file(s):
    • %ProgramData%\{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\[Random].exe : where x is any hexadecimal character; this file is detected as W32/GenKryptik.ARNZ!tr.
    • %AppData%\[Random]\[Random].exe : This file is a copy of the original malware itself.
    • %Temp%\dd.te : This is a zero-byte file.

  • This malware may apply any of the following registry modification(s):
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      • [Random] = %AppData%\[Random]\[Random].exe
      This automatically executes the dropped file every time the infected user logs on.
    • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
      • DisableAntiSpyware = 1
      This registry value affects the settings of Windows Defender, the built-in Windows AV.

  • This malware has also been observed attempting to connect to vajnwb{Removed}.com; however, at the time of our tests the site was offline.

  • Some instances of this malware may spawn an svchost.exe process.

  • Some instances of this malware may have Injector capabilities.

  • This malware can also spread through external drives by attempting to drop a copy of itself within a subfolder that has the hidden attribute set, using the format {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}\xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx.exe, where x is any hexadecimal character. Several .LNK files will also be dropped, each using the very same filename as a folder located on the external drive. The .lnk files point to the actual dropped file within the subfolder mentioned earlier. During our tests, however, the file dropped within the subfolder was a zero-byte file, possibly due to a bug. Below is an illustration:

    Figure 1: External drive infection.

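A defender-side hunt for the artifacts listed above, as an added example that is not part of the Fortinet write-up: it checks a constructed listing of a removable drive for the hidden {GUID} folder, its GUID-named .exe and the .lnk decoys named after real folders, and a constructed set of registry values for the %AppData% Run-key copy and the DisableAntiSpyware policy. The sample GUID, folder names, the value name kxqz and the unexpanded %AppData% notation are assumptions for the sample data; on a live host the listing and values would come from os.walk and winreg instead.

```python
import re

# Constructed sample of a removable drive listing: path -> (is_dir, hidden, size_bytes),
# shaped after the external-drive infection pattern described in the write-up.
SAMPLE_DRIVE = {
    "Photos": (True, False, 0),
    "Work": (True, False, 0),
    "Photos.lnk": (False, False, 1024),
    "Work.lnk": (False, False, 1024),
    "{1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d}": (True, True, 0),
    "{1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d}\\1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d.exe": (False, False, 0),
}

# Constructed sample of registry values as (key, value_name, data); the first entry is benign.
SAMPLE_REGISTRY = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive", r"C:\Users\u\OneDrive.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "kxqz", r"%AppData%\kxqz\kxqz.exe"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender", "DisableAntiSpyware", 1),
]

GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
HIDDEN_DIR_RE = re.compile(r"^\{" + GUID + r"\}$", re.I)                 # {GUID} folder at drive root
DROPPED_EXE_RE = re.compile(r"^\{" + GUID + r"\}\\" + GUID + r"\.exe$", re.I)  # {GUID}\GUID.exe
APPDATA_COPY_RE = re.compile(r"^%AppData%\\[^\\]+\\[^\\]+\.exe$", re.I)  # %AppData%\[Random]\[Random].exe
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
DEFENDER_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender"


def find_drive_infection(listing):
    """Flag the hidden {GUID} folder, the GUID-named .exe inside it and .lnk decoys mirroring real folders."""
    findings = []
    top_dirs = {p for p, (is_dir, _, _) in listing.items() if is_dir and "\\" not in p}
    for path, (is_dir, hidden, size) in listing.items():
        if is_dir and hidden and HIDDEN_DIR_RE.match(path):
            findings.append(("hidden_guid_folder", path))
        elif not is_dir and DROPPED_EXE_RE.match(path):
            # Size is recorded because the write-up saw a zero-byte copy during testing.
            findings.append(("dropped_copy", path, size))
        elif not is_dir and path.lower().endswith(".lnk") and path[:-4] in top_dirs:
            findings.append(("decoy_shortcut", path))
    return findings


def find_registry_artifacts(values):
    """Flag the Run-key persistence entry and the Defender DisableAntiSpyware policy (keys compared case-insensitively)."""
    findings = []
    for key, name, data in values:
        if key.lower() == RUN_KEY.lower() and isinstance(data, str) and APPDATA_COPY_RE.match(data):
            findings.append(("run_key_persistence", name, data))
        elif key.lower() == DEFENDER_KEY.lower() and name.lower() == "disableantispyware" and data == 1:
            findings.append(("defender_disabled", name, data))
    return findings
```

Running `find_drive_infection(SAMPLE_DRIVE)` and `find_registry_artifacts(SAMPLE_REGISTRY)` returns the two decoy shortcuts, the hidden folder, the zero-byte dropped copy, the kxqz Run entry and the Defender policy, while the benign OneDrive entry is not reported.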
Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date Version Detail
2022-08-25 90.05404
2022-05-25 90.02622
2022-05-12 90.02235
2022-05-12 90.02230
2020-08-11 79.55200 Sig Updated
2020-02-26 75.55000 Sig Updated
2020-02-13 75.24500 Sig Updated
2020-01-02 74.24900 Sig Updated