Trojan:Win32/Kryptomix
First posted on 29 April 2019.
Source: Microsoft
Aliases:
There are no other names known for Trojan:Win32/Kryptomix.
Explanation:
We have observed variants of this threat exhibit various behaviors. This analysis is based on the following sample files (SHA-256):
0a93b5aa6842c92672551cd07a323395b628aa6706f4ce7019d3d4391af78e8b
6e5de2363825ea1f2d921dd6b76aca80b52327bfb0e80e9de2ecbce7abc0989d
dca9ebe7ad2194174a56bbd13f9af3d8713e0ba4f6b6368a368127a3a6a72ef4
Installation
When executed, this threat creates a copy of itself using one of the following file names:
winmgr.exe
windrv.exe
in one of the following folders:
%Windows%
%UserProfile%
%Temp%
To run automatically, it creates one or more autorun registry entries for the dropped copy. If it has administrator privileges, it creates the following registry entry:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: Microsoft Windows Driver
Sets value: Microsoft Windows Manager
With data:
If it doesn't have admin privileges, it creates this entry instead:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: Microsoft Windows Driver
Sets value: Microsoft Windows Manager
With data:
Propagation
To spread, this threat creates a folder named "_" in the root folder of removable and network drives. It then creates a copy of itself in that folder:
\_\DeviceConfigManager.exe
It also creates the following files in the root folder:
autorun.inf - drive autorun file
DeviceConfigManager.vbs - VBS file that launches the dropped copy
.lnk - shortcut file that launches the dropped copy
It moves all other files found in the root folder to the newly created folder. It might delete files with the following extensions instead of moving them:
.lnk .vbs .bat .js .scr .com .jse .cmd .pif .jar .dll
Evasion
This threat attempts to turn off Windows Defender Antivirus by modifying its management control in the policy hive of the registry. To be successful, it needs administrator privileges.
It also attempts to modify the following registry entry to add itself as an authorized application on the Windows Defender Firewall:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
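The following read-only PowerShell hunt is an added example, not part of the Microsoft write-up: it checks a host for the persistence, dropped-copy, removable-drive and firewall-exception artifacts described above. The value names, file names and folders are taken from the write-up; the registry paths are reconstructed with their backslashes from the flattened text, and the firewall value match pattern is an assumption.

```powershell
# Added example: hunt for Trojan:Win32/Kryptomix artifacts on the local host (read-only).
$findings = @()

# 1. Autorun entries: the two value names the write-up lists, in HKLM and HKCU Run keys.
$runKeys = @('HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run')
$valueNames = @('Microsoft Windows Driver', 'Microsoft Windows Manager')
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $valueNames) {
        $entry = $props.PSObject.Properties[$name]
        if ($entry) { $findings += "Autorun: $key\$name = $($entry.Value)" }
    }
}

# 2. Dropped copies winmgr.exe / windrv.exe in %Windows%, %UserProfile%, %Temp%.
foreach ($dir in @($env:windir, $env:USERPROFILE, $env:TEMP)) {
    foreach ($exe in 'winmgr.exe', 'windrv.exe') {
        $p = Join-Path $dir $exe
        if (Test-Path $p) { $findings += "Dropped copy: $p" }
    }
}

# 3. Propagation artifacts on every filesystem drive: "_" folder copy, autorun.inf, VBS launcher.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    foreach ($rel in '_\DeviceConfigManager.exe', 'autorun.inf', 'DeviceConfigManager.vbs') {
        $p = Join-Path $drive.Root $rel
        if (Test-Path $p) { $findings += "Drive artifact: $p" }
    }
}

# 4. Firewall authorized-application list (path reconstructed from the write-up);
#    the name pattern matched here is an assumption, not something the write-up states.
$fwKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'
if (Test-Path $fwKey) {
    (Get-ItemProperty -Path $fwKey).PSObject.Properties |
        Where-Object { $_.Name -match 'winmgr\.exe|windrv\.exe|DeviceConfigManager' } |
        ForEach-Object { $findings += "Firewall exception: $($_.Name) = $($_.Value)" }
}

if ($findings) { $findings } else { 'No Trojan:Win32/Kryptomix artifacts found' }
```

Run it in an elevated session so the HKLM keys and %Windows% are readable; a hit on any item warrants a full antimalware scan rather than manual cleanup alone, since the write-up notes the threat also tampers with Defender policy.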
Backdoor payload
This threat attempts to connect to an IRC server, join a channel, and await commands. Once this backdoor channel is established, an attacker can perform a number of actions on the infected computer, including:
Join a particular IRC channel
Upload and run arbitrary files
Update the malware
The threat appears to connect to the following hardcoded address:
220.181.87.80
Last update 29 April 2019