MSIL/Kryptik.OXV!tr
Analysis
MSIL/Kryptik.OXV!tr is a generic detection for a downloader/dropper trojan. Because the detection is generic, individual samples detected as MSIL/Kryptik.OXV!tr may differ in behaviour.
Below are some of its observed characteristics/behaviours:
- This malware may drop any of the following file(s):
  - %AppData%\{original filename}.exe: This is a copy of the malware.
  - %UserProfile%\{original filename}.exe: This is a copy of the malware.
  - %AppData%\System.exe: This is a copy of the malware.
  - %ProgramFiles%\agp service\agpsvc.exe: This may be a copy of the malware or a legitimate Microsoft program, Regasm.exe.
  - %Temp%\{8 random numbers and letters}.dll: This file may be detected as MSIL/Kryptik.NLA!tr.
  - %Startup%\42f9bbbeb372df1642d8cb5491f7e711.exe: This is a copy of the malware that runs when the infected system starts up.
  - %Startup%\{Random letters}.url: This file executes the malware when the infected system starts up.
- This malware may delete itself after executing.
- This malware may connect to any of the following websites:
  - aso{Removed}.ddns.net
  - che{Removed}.dyndns.org
  - fut{Removed}.duckdns.org
  - wcb{Removed}.duckdns.org
  - dns{Removed}.publicvm.com
  - hxxp://ip-{Removed}.com/json/
  - 4{Removed}.246.7.5:3030: This IP address has been associated with the Bladabindi botnet in the past.
- This malware may change the firewall settings to allow itself through the firewall.
- This malware may apply any of the following registry modification(s):
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    - 42f9bbbeb372df1642d8cb5491f7e711 = %AppData%\System.exe
    - AGP Service = %ProgramFiles%\agp service\agpsvc.exe
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Detection level |
---|---|
FortiClient | Extreme |
FortiMail | Extreme |
FortiSandbox | Extreme |
FortiWeb | Extreme |
Web Application Firewall | Extreme |
FortiIsolator | Extreme |
FortiDeceptor | Extreme |
FortiEDR | |
Version Updates
Date | Version | Detail |
---|---|---|
2019-04-23 | 68.01000 | Sig Updated |
2019-04-12 | 67.75300 | Sig Updated |
2019-04-09 | 67.67400 | Sig Updated |
2019-02-26 | 66.66900 | Sig Updated |
2019-02-12 | 66.33300 | Sig Updated |
2019-01-29 | 65.99600 | Sig Updated |
2018-11-20 | 64.31700 | Sig Updated |
2018-10-28 | 63.76500 | Sig Updated |
2018-09-26 | 62.48200 | Sig Updated |