MSIL/Kryptik.MNQ!tr
Analysis
MSIL/Kryptik.MNQ!tr is a generic detection for a Trojan. Since this is a generic detection, this malware may have varying behaviour.
Below are some of the observed characteristics/behaviours:
- This trojan may be a keylogger.
- This malware may utilize dynamic DNS services. Some of the observed domains include:
  - rsaupda{Removed}.jumpingcrab.com
  - rsau{Removed}.ntdll.net
  - rsapoin{Removed}.ssl443.org
  - c0pywi{Removed}.is-not-certified.com
  - wins10{Removed}.16-b.it
  - check{Removed}.dyndns.org
  - in{Removed}.freeddns.org
- This malware may drop one or more of the following files:
  - %AppData%\[RandomName_1].exe - a version of itself, detected as MSIL/Kryptik.MNQ!tr
  - %Temp%\[RandomName_2]\[RandomName_2].exe - a version of itself, detected as MSIL/Kryptik.MNQ!tr
  - %Temp%\[RandomName_3].vsc\[RandomName_3].vsc.exe - a version of itself, detected as MSIL/Kryptik.MNQ!tr
  - %UserProfile%\Pictures\operabrowser.exe - a version of itself, detected as MSIL/Kryptik.MNQ!tr
  - %AppData%\Windows Defender\GoogleChrome.exe - a version of itself, detected as MSIL/Kryptik.MNQ!tr
  - %AppData%\Imminient\Logs\[DD-MM-YYYY] - an encrypted data file
  - %AppData%\Imminient\Logs\Path.dat - an encrypted data file
  - %AppData%\Imminient\Monitoring\Network.dat - an encrypted data file
  - %AppData%\Imminient\Monitoring\system.dat - an encrypted data file
- This malware may add one or more of the following registry entries (key, followed by its value data):
  - HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RandomString]
    - %AppData%\[RandomName_1].exe
  - HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application
    - %UserProfile%\Pictures\operabrowser.exe -boot
  - HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RandomName_2]
    - %Temp%\[RandomName_2]\[RandomName_2].exe
  - HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[RandomName_3]
    - %Temp%\[RandomName_3].vsc\[RandomName_3].vsc.exe
  - HKEY_USERS\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Defender\
    - %AppData%\Windows Defender\GoogleChrome.exe
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.