W32/GenKryptik.BAPN!worm

Analysis

W32/GenKryptik.BAPN!worm is a generic detection for a trojan. Since this is a generic detection, malware that are detected as W32/GenKryptik.BAPN!worm may have varying behaviour.
Below are examples of some of these behaviours:

• This malware may drop any of the following file(s):
  
  • undefinedSystemRootundefined\M-XXXXXXXXXXXXXXXXXXXXXXXXXXXXX\winmgr.exe : where X is any numerical character, this file is a copy of the original malware itself.
  • undefinedTempundefined\[Random].bat : This file appears to be a text file only, possibly intended to delete the original malware itself.
  • undefinedAppDataundefined\winmgr.txt : This file is non-malicious text file.
  • undefinedInternet_Cacheundefined\mi.exe : This file is detected as W32/GenKryptik.BAPN!worm.
  • undefinedInternet_Cacheundefined\b20.exe : This file is detected as W32/GenKryptik.BAPN!worm.
  • undefinedTempundefined\[Random].exe : This file is detected as W32/GenKryptik.BAPN!worm.
  • undefinedTempundefined\[Random] : This file is detected as W32/GenKryptik.BAPN!worm.
  • undefinedAppDataundefined\wincfg.exe : This file is detected as W32/GenKryptik.BAPN!worm.


• This malware may connect to any of the following remote sites(s):
  
  • 22{Removed}.181.87.80
  • hxxp://14{Removed}.135.152.86/mi.exe
  • hxxp://ww{Removed}.murphysisters.org/images/mi.exe
  • hxxp://ww{Removed}.murphysisters.org/images/b20.exe


• This malware may have bitcoin mining component and executes an instance of itself with a parameter -o monerohash.com:3333 -u [EncryptedString] -p x -k --donate-level=1 -t 2 .


• This malware may also creates a Task Schedule for itself displayed as Adasdsadas3id and is expected to run every minute serving as auto prevalence.
  

  Figure 1: malware process.



• This malware may apply any of the following registry modification(s):
  
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run
    
    • Microsoft windows manager = undefinedSystemRootundefined\M-XXXXXXXXXXXXXXXXXXXXXXXXXXXXX\winmgr.exewinmgr.exe
    This registry corresponds to an autostart pointed out by windows for every restart of the host machine.
    
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
    
    • Microsoft windows manager = undefinedSystemRootundefined\M-XXXXXXXXXXXXXXXXXXXXXXXXXXXXX\winmgr.exe\winmgr.exe
    This automatically executes the dropped file every time the infected user logs on.
    


• This malware also may affect and intend to spread via external drive by dropping the following files:
  
  • autorun.inf
  • DeviceConfigManager.vbs
  • _\DeviceConfigManager.exe
  • .lnk


• The original copy of the malware may be deleted after execution.

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.