W32/Krap.AE!tr
Analysis
This is a generic detection for a type of trojan downloader that uses a polymorphic custom packer.
Technical Details
- It registers itself to run at each Windows startup by one of the following methods:
  - Creates a copy of itself in the %SYSTEM% folder and modifies the following registry entry:
    - key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    - value: Userinit
    - data: %SYSTEM%\userinit.exe,%SYSTEM%\[VirusCopy],
    The filename of this dropped copy may vary. An example filename is sdra64.exe.
  - Renames the file %SYSTEM%\userinit.exe to stu2.exe, then copies itself as %SYSTEM%\userinit.exe.
- It may delete itself from the current folder.
- It attempts to download malicious files from predefined URLs to the %TEMP% folder, then executes them.
- It may create a new instance of the process %SYSTEM%\svchost.exe and inject malicious downloader code into it.
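Both persistence methods above touch the same two objects: the Winlogon Userinit registry value and the userinit.exe binary in the system folder. The following PowerShell audit, added here as an example and not part of the Fortinet entry, checks a host for the specific changes described: an extra entry appended to Userinit, a userinit.exe that is no longer Microsoft-signed, and the leftover stu2.exe from the rename. It assumes it is run elevated on the host being examined and that the system folder is the default %SystemRoot%\System32; sdra64.exe is used only because the entry names it as one observed filename.

```powershell
# Added example: audit the Winlogon Userinit persistence points described in the
# W32/Krap.AE!tr entry. Assumes an elevated session on the host under review.

$winlogon   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$system32   = Join-Path $env:SystemRoot 'System32'
$userinitExe = Join-Path $system32 'userinit.exe'
$findings   = @()

# 1. Userinit should hold exactly one entry: the system userinit.exe (trailing comma is normal).
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
$entries  = @($userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne '' })
if ($entries.Count -ne 1 -or $entries[0] -ine $userinitExe) {
    $extra = ($entries | Where-Object { $_ -ine $userinitExe }) -join '; '
    $findings += "Userinit is '$userinit'; unexpected entries: $extra"
}

# 2. userinit.exe itself should carry a valid Microsoft signature. The second method
#    replaces it with the malware after renaming the original to stu2.exe.
$sig = Get-AuthenticodeSignature -FilePath $userinitExe
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft') {
    $findings += "userinit.exe signature status '$($sig.Status)', signer '$($sig.SignerCertificate.Subject)'"
}

# 3. Artifacts named in the entry: the renamed original and the example dropped copy.
foreach ($name in 'stu2.exe', 'sdra64.exe') {
    $candidate = Join-Path $system32 $name
    if (Test-Path $candidate) {
        $hash = (Get-FileHash -Path $candidate -Algorithm SHA256).Hash
        $findings += "$candidate present (SHA256 $hash)"
    }
}

if ($findings.Count -eq 0) {
    'No Winlogon/Userinit anomalies found.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

The signature check is the durable part: the dropped filename may vary, but a userinit.exe that is not signed by Microsoft, or a Userinit value with more than the single system entry, is anomalous on any supported Windows build. On systems where userinit.exe is catalog-signed rather than embedded-signed, Get-AuthenticodeSignature still reports Valid on Windows 8 and later; treat any other status as worth a closer look rather than proof of infection.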
Recommended Action
- FortiGate Systems
  - Check the main screen of the FortiGate web interface to ensure that the latest AV/NIDS database has been downloaded and installed on your system; if required, enable the "Allow Push Update" option.
- FortiClient Systems
  - Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability

Product | Database
---|---
FortiGate | Extreme
FortiClient | Extended
FortiMail | Extended
FortiSandbox | Extended
FortiWeb | Extended
Web Application Firewall | Extended
FortiIsolator | Extended
FortiDeceptor | Extended
FortiEDR |