{"id":2943,"date":"2024-09-25T20:35:21","date_gmt":"2024-09-25T20:35:21","guid":{"rendered":"https:\/\/xdr-mdr.lmntrix.com\/main_web\/?p=2943"},"modified":"2025-07-29T06:47:18","modified_gmt":"2025-07-29T06:47:18","slug":"kryptik-malware-collecting-college-cash","status":"publish","type":"post","link":"https:\/\/lmntrix.com\/blog\/kryptik-malware-collecting-college-cash\/","title":{"rendered":"Kryptik malware collecting college cash"},"content":{"rendered":"
\n
\"Degree<\/figure>\n<\/div>\n\n\n

Overview<\/strong>

Since its creation six years ago, Kryptik malware has been used in various campaigns \u2013 the most of recent of which was in October last year<\/a> where 300,000 detections were recorded in the U.S alone. Interestingly, 94 per cent of these cases were in West Virginia, which coincided with elections for the state governor. 

We recently spotted a sample of the latest Kryptik variant which we\u2019ll dissect today. Most AV vendors detect this version as \u201cMSIL-Kryptik malware\u201d.

File details: 

\u2022    MD5: 245468fca16ae49742f45a95ce4d5a8a

\u2022    File Size: 869 KB<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

 
Figure 1 compiled in .net<\/em>

Static analysis<\/strong>

This variant is compiled in .net and one of the first things we noticed was a large list of resources named \u2018Membership_system\u2019:
<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 2  File resources<\/em>

The resources include files named \u2018account form\u2019, \u2018account list\u2019, \u2018account registration\u2019, and \u2018student form\u2019. 

After investigating further, our researchers spotted the same list of resources in the code\u2019s functions and classes:<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Figure 3 \u2018Member_System\u2019 Functions and Classes<\/em>

Account_form and account_list contains boxes like \u2018username\u2019, \u2018password\u2019, \u2018first name\u2019 and \u2018last name\u2019. We also discovered buttons like btn_toggle (toggle), btn_update (update), btn_back (back), and btn_delete (delete). We checked the admin, payment, and student forms, and found each has details you\u2019d expect to see in a University form such as fee payment for the year, semester and class details. 

Dynamic analysis<\/strong>

We executed the sample in a controlled environment and discovered more artefacts such as the creation of folders and files in suspicious locations (%appdata%).<\/p>\n\n\n\n

Folders Created: 2
    c:\\Documents and Settings\\User Name\\Application Data\\Microsoft\\Windows
    c:\\Documents and Settings\\User Name\\Application Data\\Microsoft\\Windows\\DwiDesk<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n

File dropping tricks:<\/strong>

In general, a piece of malware will drop a file in the %appdata% location to maintain persistence with the help of run entry. In this case, we observed a trick where duplicate PE files are dropped in the following location:

\u201cc:\\Documents and Settings\\User Name\\Application Data\\Microsoft\\Windows\\DwiDesk\\ WinReg32.exe\u201d. 

A link file of the WinReg.exe is then copied into the %appdata% location \u201cc:\\Documents and Settings\\User Name\\Application Data\\WinReg.lnk\u201d. 

This link file is pointing to the PE file inside the \u201c%appdata%\\Microsoft\\Windows\\DwiDesk\\WinReg.exe\u201d location. This link file maintains persistence with the help of the following run entry:

Registry entry added:

\u2022    Key: “HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce” 

\u2022    Value as “Load” 

Physical location as “c:\\Documents and Settings\\User Name\\Application Data\\WinReg32.lnk” 

IOC:<\/strong>

Files and Folder:

\u2022    MD5: 245468fca16ae49742f45a95ce4d5a8a

\u2022    \u201cc:\\Documents and Settings\\User Name\\Application Data\\WinReg.lnk\u201d                                                                  

\u2022    \u201cc:\\Documents and Settings\\User Name\\Application                                                                                                           Data\\Microsoft\\Windows\\DwiDesk\\WinReg.exe\u201d

\u2022    \u201cc:\\Documents and Settings\\User Name\\Application Data%\\Microsoft\\Windows\\DwiDesk\u201d

Malicious Domain:

\u2022    crackstar.ddns(.)net

Registry entries:

\u2022    “HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce”  \u201cLoad\u201d

\u2022    \u201cc:\\Documents and Settings\\User Name\\Application Data\\WinReg32.lnk\u201d

Conclusion<\/strong>

It is clear this variant is used to target University students. Our analysis indicates of the code shows a fake application has been developed to collect student payment details.

Students would be targeted with an email crafted to look as though it came from their education institution. The email would include a link leading the student to a website hosting the Kryptik malware. Thinking they\u2019re interacting with a legitimate website, students would be duped into handing their personal and payment details over to attackers. 

 <\/p>\n","protected":false},"excerpt":{"rendered":"

Overview Since its creation six years ago, Kryptik malware has been used in various campaigns – the most of recent of which was in October last year where 300,000 detections were recorded in the U.S alone. Interestingly, 94 per cent of these cases were in West Virginia, which coincided with elections for the state governor.  […]<\/p>\n","protected":false},"author":1,"featured_media":2959,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[21],"tags":[],"class_list":["post-2943","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-labs"],"_links":{"self":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2943","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/comments?post=2943"}],"version-history":[{"count":6,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2943\/revisions"}],"predecessor-version":[{"id":4344,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/posts\/2943\/revisions\/4344"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media\/2959"}],"wp:attachment":[{"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/media?parent=2943"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/categories?post=2943"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lmntrix.com\/blog\/wp-json\/wp\/v2\/tags?post=2943"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}