Analysis
MSIL/Kryptik.MLK!tr is a generic detection for a type of trojan. Since this is a generic detection, files that are detected as MSIL/Kryptik.MLK!tr may have varying behavior.
Below are examples of some of these behaviors:
- It drops the following file:
  - %startup%\mscdcu.exe : This file is a copy of the original malware itself.
- The following suspicious registry key and value have been added to cause the program to be run each time a user logs on:
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    - windows defender = %startup%\mscdcu.exe -boot
  This automatically executes the dropped file every time the infected user logs on.
- This malware was also observed to attempt a network connection to:
  - mlhdns.pandabearsun{removed}.xyz
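The persistence artifacts listed above (a copy of the malware in the per-user Startup folder, and an HKCU Run value named after a security product that launches it with `-boot`) can be checked for on a host with a read-only script. The following PowerShell is an added example written for this page; it is not code from the vendor or from the sample. It assumes that the `%startup%` placeholder refers to the current user's Startup folder (`[Environment]::GetFolderPath('Startup')`), and the function names `Get-SuspiciousRunEntries` and `Get-DroppedStartupFile` are its own. It only reads the registry and file system and reports findings; any cleanup is left to the responder.

```powershell
# Added defender-side check (not the vendor's code). Looks for the persistence
# artifacts described in the analysis above without modifying anything.
# Assumption: "%startup%" in the analysis means the per-user Startup folder.

$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$startupDir = [Environment]::GetFolderPath('Startup')
$dropName   = 'mscdcu.exe'   # dropped file name from the analysis above

function Get-SuspiciousRunEntries {
    param(
        [string]$KeyPath       = $runKey,
        [string]$StartupFolder = $startupDir,
        [string]$FileName      = $dropName
    )
    $findings = @()
    if (-not (Test-Path $KeyPath)) { return $findings }

    $props = Get-ItemProperty -Path $KeyPath
    foreach ($p in $props.PSObject.Properties) {
        # Skip the metadata properties the registry provider adds to the object.
        if ($p.Name -in 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider') { continue }

        $cmd     = [string]$p.Value
        $reasons = @()

        # Run value points at the dropped file name seen in the sample.
        if ($cmd -match [regex]::Escape($FileName)) { $reasons += "references $FileName" }

        # Run value launches something out of the user-writable Startup folder
        # (legitimate software rarely registers a Startup-folder binary under Run).
        if ($cmd.IndexOf($StartupFolder, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons += 'launches a binary from the Startup folder'
        }

        # The "-boot" argument used by the observed Run value.
        if ($cmd -match '(?i)\s-boot\b') { $reasons += 'uses the -boot argument seen in the sample' }

        # Value name impersonates Windows Defender but the command is not under Program Files.
        if ($p.Name -match '(?i)^windows defender$' -and $cmd -notmatch '(?i)\\Program Files') {
            $reasons += 'value name impersonates Windows Defender'
        }

        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                Key       = $KeyPath
                ValueName = $p.Name
                Command   = $cmd
                Reasons   = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

function Get-DroppedStartupFile {
    param(
        [string]$StartupFolder = $startupDir,
        [string]$FileName      = $dropName
    )
    $path = Join-Path $StartupFolder $FileName
    if (Test-Path $path) {
        # Record the hash so the file can be triaged or submitted without touching it further.
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        return [pscustomobject]@{ Path = $path; SHA256 = $hash }
    }
    return $null
}

$runHits = Get-SuspiciousRunEntries
$fileHit = Get-DroppedStartupFile

if ($runHits) { $runHits | Format-List } else { Write-Output "No suspicious Run entries in $runKey" }
if ($fileHit) { $fileHit | Format-List } else { Write-Output "$dropName not present in $startupDir" }
```

Run it in the context of the user whose profile is being examined, since both the Run key and the Startup folder checked here are per-user (HKCU). The Startup-folder and value-name heuristics are deliberately broader than the exact strings in the analysis, so they will also surface variants that keep the same persistence pattern under a different file name; any hit should be confirmed against the hash and the network indicator above before acting on it.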