W32/GenKryptik.ARPP!tr
Analysis
W32/GenKryptik.ARPP!tr is a generic detection for a trojan. Since this is a generic detection, malware detected as W32/GenKryptik.ARPP!tr may exhibit varying behaviour.
Below are examples of some of these behaviours:
- This malware may drop any of the following file(s):
  - %AllUsersProfile%\wssmdm\[Random].exe : This file is a copy of the original malware itself.
  - %Temp%\[Random].bat : This file is detected as BAT/Small.NAN!tr.
  - %StartUp%\receipt.vbs : This file serves as an autostart mechanism for the original malware.
  - %AppData%\windowsprocess\windowssysy.exe : This file is a copy of the original malware itself.
  - %StartUp%\windowsprocess.vbs : This file serves as an autostart mechanism for the dropped copy windowssysy.exe.
- It applies the following registry modification(s):
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    - Wssmdmsys = %AllUsersProfile%\wssmdm\[Random].exe
  - HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
- This malware creates a scheduled task, using schtasks.exe, that automatically executes the dropped copy located in %AllUsersProfile%\wssmdm\
- The original copy of the malware is deleted after execution.
- This malware attempts to connect to the following sites:
  - engrseltev{Removed}.com
  - 18{Removed}.208.211.14
  - hxxp://ushapowe{Removed}.com/two/sparkle/gate.php
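The persistence chain above (a copy under a wssmdm folder, a Run-key value named Wssmdmsys, a .vbs autostart in the Startup folder, a scheduled task pointing into the wssmdm folder) and the gate.php check-in path can be hunted in endpoint telemetry. The script below is an added example written for this page; it is not Fortinet's code or the detection logic behind the signature. The event shape (dicts with a `type` and fields such as `path`, `key`, `value_name`, `cmdline`, `url`) is an assumed normalised form, the sample events are constructed, and the domain in the URL is a placeholder standing in for the redacted value.

```python
"""Hunt endpoint telemetry for the artifacts described for W32/GenKryptik.ARPP!tr.

Added example, not Fortinet's code. Event dicts are an assumed normalised
form; SAMPLE_EVENTS below are constructed, not captured from a real host.
"""
import re

# (rule name, event type it applies to, field to inspect, pattern)
RULES = [
    # Run-key value named Wssmdmsys under HKCU\...\CurrentVersion\Run
    ("run_key_wssmdmsys", "registry_set", "key_value",
     re.compile(r"HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Wssmdmsys$", re.I)),
    # Copy of the malware dropped as <random>.exe inside a wssmdm folder
    ("dropped_copy_wssmdm", "file_create", "path",
     re.compile(r"\\wssmdm\\[^\\]+\.exe$", re.I)),
    # Second copy dropped as windowsprocess\windowssysy.exe
    ("dropped_copy_windowssysy", "file_create", "path",
     re.compile(r"\\windowsprocess\\windowssysy\.exe$", re.I)),
    # receipt.vbs / windowsprocess.vbs written to the Startup folder
    ("startup_vbs_autostart", "file_create", "path",
     re.compile(r"\\Start Menu\\Programs\\Startup\\(receipt|windowsprocess)\.vbs$", re.I)),
    # schtasks.exe creating a task whose action lives in a wssmdm folder
    ("schtasks_wssmdm", "process_create", "cmdline",
     re.compile(r"schtasks(\.exe)?\s+/create\b.*\\wssmdm\\", re.I)),
    # Check-in to the gate.php path listed on the page (host is redacted there)
    ("c2_gate_php", "http", "url",
     re.compile(r"/two/sparkle/gate\.php$", re.I)),
]


def _field(event, name):
    """Return the string a rule inspects; registry rules match on key\\value_name."""
    if name == "key_value":
        return event.get("key", "") + "\\" + event.get("value_name", "")
    return event.get(name, "")


def scan(events):
    """Return a list of (rule_name, event) for every event that matches a rule."""
    hits = []
    for event in events:
        for name, etype, field, pattern in RULES:
            if event.get("type") == etype and pattern.search(_field(event, field)):
                hits.append((name, event))
    return hits


def matched_rules(events):
    """Sorted list of distinct rule names that fired; two or more distinct
    persistence rules on one host point at the full chain rather than a stray file."""
    return sorted({name for name, _ in scan(events)})


# Constructed sample telemetry (assumed shape). The last two entries are benign
# noise that must not fire any rule.
SAMPLE_EVENTS = [
    {"type": "file_create", "path": r"C:\ProgramData\wssmdm\k3j9x2qa.exe"},
    {"type": "registry_set",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "Wssmdmsys",
     "data": r"C:\ProgramData\wssmdm\k3j9x2qa.exe"},
    {"type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\receipt.vbs"},
    {"type": "process_create", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /sc minute /mo 1 /tn Wssmdm /tr "C:\ProgramData\wssmdm\k3j9x2qa.exe"'},
    {"type": "http", "url": "http://ushapowe[placeholder].com/two/sparkle/gate.php"},
    {"type": "file_create", "path": r"C:\Users\alice\Documents\report.docx"},
    {"type": "registry_set",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "OneDrive",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for rule, event in scan(SAMPLE_EVENTS):
        print(f"{rule:24s} {event}")
    print("distinct rules:", matched_rules(SAMPLE_EVENTS))
```

The rules key on the parts of the chain that are stable across samples (folder and value names, the Startup-folder script names, the check-in path) rather than the random file name, and the benign Run-key entry shows that matching on the value name rather than on the key alone keeps ordinary autostart entries out of the results.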
Recommended Action
- Make sure that your FortiGate/FortiClient system is using the latest AV database.
- Quarantine/delete files that are detected and replace infected files with clean backup copies.
Telemetry
Detection Availability
Product | Detection availability
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |