MSIL/Kryptik.MVB!tr
Analysis
MSIL/Kryptik.MVB!tr is a generic detection for a downloader Trojan. Since this is a generic detection, this malware may have varying behaviour.
Some of the MSIL/Kryptik.MVB!tr samples link to the Fareit (aka Pony) malware.
Below are some of the observed characteristics/behaviours:
- This malware has been observed to attempt connection to:
  - http://juanjoserif{Removed}.com
  - http://sariraatjga{Removed}.com
- Once connected, the malware may attempt to download the following files:
  - http://juanjoserif{Removed}.com/cgi-sys/suspendedpage.cgi
  - http://juanjoserif{Removed}.com/pc/Doc.049173001517294468.jar
  - http://sariraatjga{Removed}.com/dew/fre.php
- This malware may drop one or more of the following files:
  - %Temp%\Name of the melted file.exe : a copy of the original file
  - %AppData%\Microsoft\Windows\Start Menu\Programs\[RandomName_1].exe : a copy of the original file
  - %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\[RandomName_1].[RandomName_2].lnk : a link file that points to the previously dropped file and runs it at every start-up
- This malware may delete the original copy after execution.
- This trojan may be a keylogger.
- This trojan may exercise anti-virtual-machine techniques.
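The persistence chain above (a dropped .exe under Start Menu\Programs, launched by a .lnk in the Startup folder whose name begins with the .exe's name) can be triaged with the following added PowerShell check; it is not part of the Fortinet entry and assumes it is run in the profile of the user being examined.

```powershell
# Added example, not Fortinet code: list Startup-folder shortcuts whose target is an
# executable under the current user's Start Menu\Programs folder, the pattern described
# above. Output is a triage list for a responder to review, not a verdict.
$startup  = [Environment]::GetFolderPath('Startup')    # ...\Start Menu\Programs\Startup
$programs = [Environment]::GetFolderPath('Programs')   # ...\Start Menu\Programs
$shell    = New-Object -ComObject WScript.Shell        # resolves .lnk targets

Get-ChildItem -Path $startup -Filter '*.lnk' -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $target = $shell.CreateShortcut($_.FullName).TargetPath
    if (-not $target) { return }                       # skip shortcuts with no target

    $inPrograms = $target.StartsWith($programs, [StringComparison]::OrdinalIgnoreCase)
    $isExe      = [IO.Path]::GetExtension($target) -ieq '.exe'
    if (-not ($inPrograms -and $isExe)) { return }

    # Does the .lnk name look like "<exe basename>.<something>.lnk", as on this page?
    $exeBase = [IO.Path]::GetFileNameWithoutExtension($target)
    $lnkBase = [IO.Path]::GetFileNameWithoutExtension($_.Name)
    $nameMatch = $lnkBase.StartsWith("$exeBase.", [StringComparison]::OrdinalIgnoreCase)

    $exists = Test-Path -LiteralPath $target
    [PSCustomObject]@{
        Shortcut          = $_.FullName
        Target            = $target
        TargetExists      = $exists
        NameMatchesPattern = $nameMatch
        TargetSHA256      = if ($exists) {
            (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
        } else { $null }
    }
} | Format-List
```

The SHA256 of any hit can be compared against the organisation's AV/sandbox results before the quarantine step in Recommended Action is taken; a target that no longer exists is consistent with the self-deletion behaviour noted above.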
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.