W32/GenKryptik.ARPP!tr

Analysis

W32/GenKryptik.ARPP!tr is a generic detection for a trojan. Since this is a generic detection, malware that are detected as W32/GenKryptik.ARPP!tr may have varying behaviour.
Below are examples of some of these behaviours:

• This malware may drop any of the following file(s):
  
  • undefinedAllUsersProfileundefined\wssmdm\[Random].exe : This file is copy of the original malware itself.
  • undefinedTempundefined\[Random].bat : This file is detected as BAT/Small.NAN!tr.
  • undefinedStartUpundefined\receipt.vbs : This file will serve as an autostart for the original malware executed.
  • undefinedAppDataundefined\windowsprocess\windowssysy.exe : This file is a copy of the original malware itself.
  • undefinedStartUpundefined\windowsprocess.vbs : This file will serve as an autostart for the malware windowssysy.exe.


• It applies the following registry modification(s):
  
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\Currentversion\Run
    
    • Wssmdmsys = undefinedAllUsersProfileundefined\wssmdm\[Random].exe
    This automatically executes the dropped file every time the infected user logs on.
    


• This malware will create a scheduled tasks, using schtasks.exe, that will auto execute the dropped malware located in undefinedAllUsersProfileundefined\wssmdm\


• The original copy of the malware is deleted after execution.


• This malware attempts to connect to the following sites:
  
  • engrseltev{Removed}.com
  • 18{Removed}.208.211.14
  • hxxp://ushapowe{Removed}.com/two/sparkle/gate.php

Recommended Action

• Make sure that your FortiGate/FortiClient system is using the latest AV database.
• Quarantine/delete files that are detected and replace infected files with clean backup copies.