W64/Kryptik.BRD!tr

Analysis

W64/Kryptik.BRD!tr is a generic detection for a trojan that uses DLL hijacking to spread and maintain persistence. To aid in persistence it also injects code into explorer.exe.
Below are some of its observed characteristics/behaviours:

  • Automatically executes a copy of itself at startup by using a shortcut placed in the Startup folder to launch a victim exe, which then loads the hijacking DLL.
  • Injects code into explorer.exe's running memory that repeatedly places the victim exe and hijacks its DLL; if the hijacking DLL is deleted, the injected code replaces it with a new copy.
  • This malware may drop any of the following file(s), where RANDOM stands for a run of random characters:
    • A .exe file chosen randomly from system32 and saved under AppData\Roaming\RANDOM\. This file becomes the victim of the DLL hijacking.
    • A .dll file corresponding to a DLL loaded by the hijacked victim exe above, again usually found in system32 and saved under AppData\Roaming\RANDOM\. Detected as W64/Kryptik.BRD!tr, this file is a modified copy of the system32 DLL that contains the malicious code performing the hijack.
    • A shortcut file under Start Menu\Programs\Startup called RANDOM.lnk. It targets the victim exe in AppData\Roaming\RANDOM\ and causes the DLL hijack to occur at every login, providing persistence.
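The dropped-file pattern above (a byte-identical copy of a system32 exe in AppData\Roaming\RANDOM\ beside a modified copy of one of its system32 DLLs, launched from a Startup shortcut) can be turned into a host triage check. The following Python is an added example written for this page, not Fortinet's code; it assumes a pre-collected file inventory with content hashes and already-resolved shortcut targets, and the names victim.exe, helper.dll and the hashes are constructed placeholders.

```python
from pathlib import PureWindowsPath

SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")

# Constructed host inventory standing in for a real file listing (not from the page).
# Values are placeholder content hashes; a real collector would store SHA-256 digests.
INVENTORY = {
    r"C:\Windows\System32\victim.exe": "exe-hash-1",
    r"C:\Windows\System32\helper.dll": "dll-hash-clean",
    r"C:\Users\u\AppData\Roaming\RANDOM\victim.exe": "exe-hash-1",        # identical copy
    r"C:\Users\u\AppData\Roaming\RANDOM\helper.dll": "dll-hash-modified",  # altered copy
    r"C:\Users\u\AppData\Roaming\Legit\tool.exe": "tool-hash",             # benign app
}

# Startup-folder shortcuts already resolved to their target paths (constructed).
STARTUP_LINKS = {
    r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RANDOM.lnk":
        r"C:\Users\u\AppData\Roaming\RANDOM\victim.exe",
    r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Legit.lnk":
        r"C:\Users\u\AppData\Roaming\Legit\tool.exe",
}


def _by_dir(inventory):
    """Group the inventory as {lowercase directory: {lowercase filename: hash}}."""
    groups = {}
    for path, digest in inventory.items():
        p = PureWindowsPath(path)
        groups.setdefault(str(p.parent).lower(), {})[p.name.lower()] = digest
    return groups


def find_sideloaded_startup_targets(inventory, startup_links):
    """Flag Startup shortcuts whose target is an unmodified copy of a System32 exe
    that sits next to a modified copy of a System32 DLL (the hijack pattern)."""
    dirs = _by_dir(inventory)
    sys32 = dirs.get(str(SYSTEM32).lower(), {})
    findings = []
    for lnk, target in startup_links.items():
        t = PureWindowsPath(target)
        if t.suffix.lower() != ".exe" or "roaming" not in [x.lower() for x in t.parts]:
            continue  # only targets living under AppData\Roaming are of interest here
        siblings = dirs.get(str(t.parent).lower(), {})
        exe = t.name.lower()
        if exe not in sys32 or sys32[exe] != siblings.get(exe):
            continue  # target is not a byte-identical copy of a System32 binary
        for name, digest in siblings.items():
            if name.endswith(".dll") and name in sys32 and sys32[name] != digest:
                findings.append({"shortcut": lnk, "target": target, "dll": name})
    return findings
```

The DLL comparison is against the local System32 copy, so a patched system binary that legitimately differs elsewhere is not flagged; only a same-named DLL that differs from the one next to the original exe is.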

Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

  • FortiGate: Extended
  • FortiClient: Extreme
  • FortiAPS
  • FortiAPU
  • FortiMail: Extreme
  • FortiSandbox: Extreme
  • FortiWeb: Extreme
  • Web Application Firewall: Extreme
  • FortiIsolator: Extreme
  • FortiDeceptor: Extreme
  • FortiEDR

Version Updates

Date Version Detail
2020-09-22 80.56100 Sig Updated
2020-07-14 78.88000 Sig Updated
2020-04-21 76.87400 Sig Updated
2020-04-21 76.87100 Sig Updated
2020-04-21 76.86800 Sig Updated
2019-12-09 73.67200 Sig Updated
2019-12-02 73.50300 Sig Updated
2019-11-26 73.35800 Sig Updated
2019-11-25 73.33700 Sig Updated
2019-11-07 72.89200 Sig Updated