W32/GenKryptik.BBOU!tr

Analysis

W32/GenKryptik.BBOU!tr is a generic detection for a trojan. Since this is a generic detection, malware that are detected as W32/GenKryptik.BBOU!tr may have varying behaviour.
Below are examples of some of these behaviours:

• This malware may drop any of the following file(s):
  
  • %AppData%\xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\run.dat : where x is any alphanumeric character, this is a data file.
  • %AppData%\xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx\task.dat : where x is any alphanumeric character, this file is a text file containing the path filename of the original malware.
  • %AppData%\xxxxxx\xxxxxx.lck : where x is any alphanumeric character, this file is non-malicious.
  • %AppData%\xxxxxx\xxxxxx.exe : This file is detected as W32/GenKryptik.BBOU!tr.
  • %AppData%\remcos\logs.dat : This file is a none malicious text file.
  • %AppData%\remcos\remcos.exe : This file is a copy of the original malware itself.
  • %AppData%\subfolder\filename.exe : This file is detected as W32/GenKryptik.BBOU!tr.
  • %AppData%\subfolder\filename.scr : This file is detected as W32/GenKryptik.BBOU!tr..
  • %AppData%\subfolder\googlebrowser.exe : This file is detected as W32/GenKryptik.BBOU!tr.
  • %AppData%\xq@7g5%jgsh&(t(ghkz1\ztfgwyfqr.scr : This file is detected as W32/GenKryptik.BBOU!tr.
  • %AppData%\z@!f2h((er5h3!zi)0trk1((yj\nmi5rjly0q.scr : This file is detected as W32/GenKryptik.BBOU!tr.
  • %ProgramFiles%\agp service\agpsvc.exe : This file is a copy of the original malware itself.
  • %ProgramFiles%\pci manager\pcimgr.exe : This file is a copy of the original malware itself.
  • %ProgramFiles%\scsi service\scsisvc.exe : This file is a copy of the original malware itself.
  • %programfiles(x86)%\arp host\arphost.exe : This file is a copy of the original malware itself.
  • %programfiles(x86)%\pci service\pcisvc.exe : This file is a copy of the original malware itself.
  • %programfiles(x86)%\saas host\saashost.exe : This file is a copy of the original malware itself.
  • %StartUp%\filename.vbe : This file serves as an autostart for filename.vbe.
  • %StartUp%\googlebrowser.vbe : This file serves as an autostart for googlebrowser.vbe.
  • %StartUp%\nmi5rjly0q.vbe : This file serves as an autostart for nmi5rjly0q.vbe.
  • %StartUp%\ztfgwyfqr.vbe : This file serves as an autostart for ztfgwyfqr.vbe.
  • %Temp%\[Random].bat : This Batch file intends to delete the original malware itself .


• This malware may connect to any of the following remote sites(s):
  
  • ww{Removed}.abercrombie.net.co
  • 18{Removed}.165.162.201


• This malware may apply any of the following registry modification(s):
  
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
    
    • Remcos = %AppData%\remcos\remcos.exe
    • Agp service = %ProgramFiles%\agp service\agpsvc.exe
    • Scsi service = %ProgramFiles%\scsi service\scsisvc.exe
    • Pci manager = %ProgramFiles%\pci manager\pcimgr.exe
    This automatically executes the dropped file every time the infected user logs on.
    


• Some instances of this malware also creates a scheduled tasks for the dropped malware itself.


• Some instances of this malware may have Botnet capabilities.


• Some instances of this malware may have Injector capabilities.


• The original copy of the malware is deleted after execution.

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.