Author: Eleazar Valles   
 

W64/GenKryptik.FVXY!tr (FORTINET)

 PLATFORM:

Windows

 OVER ALL RISK RATING:
 DAMAGE POTENTIAL::
 DISTRIBUTION POTENTIAL::
 REPORTED INFECTION:
 INFORMATION EXPOSURE:
Low
Medium
High
Critical

  • Threat Type:
    Trojan Spy

  • Destructiveness:
    No

  • Encrypted:
     

  • In the wild::
    Yes

  OVERVIEW

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

  TECHNICAL DETAILS

File size: 530,432 bytes
File type: DLL
Memory resident: Yes
INITIAL SAMPLES RECEIVED DATE: 13 czerwca 2022

Detalles de entrada

It arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Instalación

Agrega las carpetas siguientes:

  • %System%\{random}
  • %AppDataLocal%\{random}

(Nota: %System% es la carpeta del sistema de Windows, que en el caso de Windows 98 y ME suele estar en C:\Windows\System, en el caso de Windows NT y 2000 en C:\WINNT\System32 y en el caso de Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) y 10(64-bit) en C:\Windows\System32).

)

Infiltra y ejecuta los archivos siguientes:

  • %System%\{random}\{random characters}.{3 random characters}
  • %AppDataLocal%\{random}\{random characters}.{3 random characters}

(Nota: %System% es la carpeta del sistema de Windows, que en el caso de Windows 98 y ME suele estar en C:\Windows\System, en el caso de Windows NT y 2000 en C:\WINNT\System32 y en el caso de Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) y 10(64-bit) en C:\Windows\System32).

)

Agrega los procesos siguientes:

  • %System%\regsvr32.exe "%System%\{random}\{random characters}.{3 random characters}"
  • %System%\regsvr32.exe "%AppDataLocal%\{random}\{random characters}.{3 random characters}"

(Nota: %System% es la carpeta del sistema de Windows, que en el caso de Windows 98 y ME suele estar en C:\Windows\System, en el caso de Windows NT y 2000 en C:\WINNT\System32 y en el caso de Windows 2000(32-bit), XP, Server 2003(32-bit), Vista, 7, 8, 8.1, 2008(64-bit), 2012(64bit) y 10(64-bit) en C:\Windows\System32).

)

Otras modificaciones del sistema

Agrega las siguientes entradas de registro:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
services\{File name of dropped file}
ImagePath = %System%\regsvr32.exe "%System%\{random}\{random characters}.{3 random characters}"

Otros detalles

It connects to the following possibly malicious URL:

  • http://{BLOCKED}.{BLOCKED}.196.132:443
  • http://{BLOCKED}.{BLOCKED}.73.194:443
  • http://{BLOCKED}.{BLOCKED}.16.18:443
  • http://{BLOCKED}.{BLOCKED}.252.195:443
  • http://{BLOCKED}.{BLOCKED}.202.34:443
  • http://{BLOCKED}.{BLOCKED}.232.124:443
  • http://{BLOCKED}.{BLOCKED}.131.28:8080
  • http://{BLOCKED}.{BLOCKED}.227.76:8080
  • http://{BLOCKED}.{BLOCKED}.196.120:8080
  • http://{BLOCKED}.{BLOCKED}.163.214:443
  • http://{BLOCKED}.{BLOCKED}.112.196:8080
  • http://{BLOCKED}.{BLOCKED}.98.99:8080
  • http://{BLOCKED}.{BLOCKED}.28.102:8080
  • http://{BLOCKED}.{BLOCKED}.146.25:7080
  • http://{BLOCKED}.{BLOCKED}.240.217:443
  • http://{BLOCKED}.{BLOCKED}.99.3:8080
  • http://{BLOCKED}.{BLOCKED}.109.124:443
  • http://{BLOCKED}.{BLOCKED}.201.15:8080
  • http://{BLOCKED}.{BLOCKED}.124.41:7080
  • http://{BLOCKED}.{BLOCKED}.76.89:8080
  • http://{BLOCKED}.{BLOCKED}.8.30:8080
  • http://{BLOCKED}.{BLOCKED}.21.224:8080
  • http://{BLOCKED}.{BLOCKED}.28.33:8080
  • http://{BLOCKED}.{BLOCKED}.75.120:443
  • http://{BLOCKED}.{BLOCKED}.246:8080
  • http://{BLOCKED}.{BLOCKED}.88.10:8080
  • http://{BLOCKED}.{BLOCKED}.39.149:8080
  • http://{BLOCKED}.{BLOCKED}.226.45:443
  • http://{BLOCKED}.{BLOCKED}.115.99:8080
  • http://{BLOCKED}.{BLOCKED}.166.162:443
  • http://{BLOCKED}.{BLOCKED}.253.162:8080
  • http://{BLOCKED}.{BLOCKED}.28.199:8080
  • http://{BLOCKED}.{BLOCKED}.45.86:4143
  • http://{BLOCKED}.{BLOCKED}.150.244:8080
  • http://{BLOCKED}.{BLOCKED}.142.56:8080
  • http://{BLOCKED}.{BLOCKED}.66.124:8080
  • http://{BLOCKED}.{BLOCKED}.117.186:8080
  • http://{BLOCKED}.{BLOCKED}.0.91:8080
  • http://{BLOCKED}.{BLOCKED}.193.249:8080
  • http://{BLOCKED}.{BLOCKED}.135.165:8080
  • http://{BLOCKED}.{BLOCKED}.30.83:443
  • http://{BLOCKED}.{BLOCKED}.21.73:7080
  • http://{BLOCKED}.{BLOCKED}.2.232:8080
  • http://{BLOCKED}.{BLOCKED}.242.26:8080
  • http://{BLOCKED}.{BLOCKED}.188.93:443
  • http://{BLOCKED}.{BLOCKED}.140.115:443
  • http://{BLOCKED}.{BLOCKED}.79.14:8080
  • http://{BLOCKED}.{BLOCKED}.98.206:8080
  • http://{BLOCKED}.{BLOCKED}.35.198:8080
  • http://{BLOCKED}.{BLOCKED}.20.25:443
  • http://{BLOCKED}.{BLOCKED}.227.137:8080
  • http://{BLOCKED}.{BLOCKED}.24.231:80
  • http://{BLOCKED}.{BLOCKED}.222.101:443
  • http://{BLOCKED}.{BLOCKED}.66.193:8080
  • http://{BLOCKED}.{BLOCKED}.201.2:443
  • http://{BLOCKED}.{BLOCKED}.115.122:8080
  • http://{BLOCKED}.{BLOCKED}.20.155:443
  • http://{BLOCKED}.{BLOCKED}.251.154:8080
  • http://{BLOCKED}.{BLOCKED}.100.222:8080
  • http://{BLOCKED}.{BLOCKED}.140.238:7080
  • http://{BLOCKED}.{BLOCKED}.222.11:443
  • http://{BLOCKED}.{BLOCKED}.152.127:8080