MSIL/Kryptik.OXV!tr

Analysis



MSIL/Kryptik.OXV!tr is a generic detection for a downloader/dropper trojan. Because the detection is generic, samples detected as MSIL/Kryptik.OXV!tr may vary in behaviour.
Below are some of the observed characteristics and behaviours:

  • This malware may drop any of the following file(s):
    • %AppData%\{original filename}.exe: This is a copy of the malware.
    • %UserProfile%\{original filename}.exe: This is a copy of the malware.
    • %AppData%\System.exe: This is a copy of the malware.
    • %ProgramFiles%\agp service\agpsvc.exe: This may be a copy of the malware or a legitimate Microsoft program, Regasm.exe.
    • %Temp%\{8 random numbers and letters}.dll: This file may be detected as MSIL/Kryptik.NLA!tr.
    • %Startup%\42f9bbbeb372df1642d8cb5491f7e711.exe: This is a copy of the malware that will run when the infected system starts up.
    • %Startup%\{Random letters}.url: This file executes the malware when the infected system starts up.

  • This malware may delete itself after executing.

  • This malware may connect to any of the following websites:
    • aso{Removed}.ddns.net
    • che{Removed}.dyndns.org
    • fut{Removed}.duckdns.org
    • wcb{Removed}.duckdns.org
    • dns{Removed}.publicvm.com
    • hxxp://ip-{Removed}.com/json/
    • 4{Removed}.246.7.5:3030: This IP address has been associated with the Bladabindi botnet in the past.

  • This malware may change the firewall settings to allow itself through the firewall.

  • This malware may apply any of the following registry modification(s):
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      • 42f9bbbeb372df1642d8cb5491f7e711 = %AppData%\System.exe
      • AGP Service = %ProgramFiles%\agp service\agpsvc.exe
      These entries automatically execute the dropped file every time the infected user logs on.
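
A host audit for the persistence artifacts listed above (Run values, dropped copies, Startup-folder launchers and the temporary DLL), added here as an example and not part of the Fortinet write-up; the value names, file names and paths come from this page, while the script layout and the output format are my own assumptions.

```powershell
# Added example: look for the MSIL/Kryptik.OXV!tr persistence artifacts described on this page.
# Indicator names and paths come from the write-up; the script structure is an assumption.
$findings = @()

# 1. HKCU Run values named on the page.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$suspectValues = @('42f9bbbeb372df1642d8cb5491f7e711', 'AGP Service')
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($name in $suspectValues) {
        if ($run.PSObject.Properties.Name -contains $name) {
            $findings += [pscustomobject]@{ Type = 'RunValue'; Name = $name; Path = $run.$name }
        }
    }
}

# 2. Dropped copies at the fixed paths the page lists.
$startup = [Environment]::GetFolderPath('Startup')
$dropPaths = @(
    (Join-Path $env:APPDATA 'System.exe'),
    (Join-Path $env:ProgramFiles 'agp service\agpsvc.exe'),
    (Join-Path $startup '42f9bbbeb372df1642d8cb5491f7e711.exe')
)
foreach ($p in $dropPaths) {
    if (Test-Path -LiteralPath $p) {
        $findings += [pscustomobject]@{ Type = 'DroppedFile'; Name = (Split-Path $p -Leaf); Path = $p }
    }
}

# 3. Randomly named .url launchers in the Startup folder (any .url there deserves review).
Get-ChildItem -Path $startup -Filter '*.url' -File -ErrorAction SilentlyContinue | ForEach-Object {
    $findings += [pscustomobject]@{ Type = 'StartupUrl'; Name = $_.Name; Path = $_.FullName }
}

# 4. %Temp% DLLs with an 8-character alphanumeric name (the MSIL/Kryptik.NLA!tr component).
Get-ChildItem -Path $env:TEMP -Filter '*.dll' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match '^[A-Za-z0-9]{8}$' } | ForEach-Object {
        $findings += [pscustomobject]@{ Type = 'TempDll'; Name = $_.Name; Path = $_.FullName }
    }

if ($findings.Count -eq 0) {
    'No MSIL/Kryptik.OXV!tr persistence artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Any hit should be confirmed with the AV scan recommended below before files are removed, since agpsvc.exe may also be a renamed copy of Microsoft's Regasm.exe.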

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

Product  Availability
FortiClient  Extreme
FortiMail  Extreme
FortiSandbox  Extreme
FortiWeb  Extreme
Web Application Firewall  Extreme
FortiIsolator  Extreme
FortiDeceptor  Extreme
FortiEDR

Version Updates

Date Version Detail
2019-04-23 68.01000 Sig Updated
2019-04-12 67.75300 Sig Updated
2019-04-09 67.67400 Sig Updated
2019-02-26 66.66900 Sig Updated
2019-02-12 66.33300 Sig Updated
2019-01-29 65.99600 Sig Updated
2018-11-20 64.31700 Sig Updated
2018-10-28 63.76500 Sig Updated
2018-09-26 62.48200 Sig Updated