Trojan.Kryptik.EDAJ

By CagedTech in Trojans

Table of Contents

Analysis Report

General information

Family Name:	Trojan.Kryptik.EDAJ
Signature status:	No Signature

Known Samples

MD5: c97f93932330553a3357cc494b29723f

SHA1: d5720bc6255c524e5f98b403fcb84dbf89617ad8

SHA256: 2A473C150EBDEC637F0938E59681F9119E7485A3D673DD77037EF6248B981151

File Size: 2.54 MB, 2539520 bytes

MD5: f6a0aaf746095a75c0420c98232249f6

SHA1: 8f13ce1901541e97ec4098f6222df5c40dddc32e

SHA256: 73A94368925F13713D827DD8E56A300C9EB1C0FD0569E38209A0E3373FAA73FD

File Size: 2.54 MB, 2539520 bytes

MD5: 957cb2d0a8944d460028c62d313b32e7

SHA1: 13894ffa1e14e052ffafca2e0a5c59bd7c9acbc8

SHA256: 273E24BD9F15CE339BCACB82E57EA28CD8594A526FBBE3A6444427D25EB14051

File Size: 2.54 MB, 2539520 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have exports table
File doesn't have resources
File doesn't have security information
File has TLS information
File is 64-bit executable
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)
File is not packed

IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Traits

CryptUnprotectData
fptable
No CryptProtectData
No Version Info
ntdll
VirtualQueryEx
x64

Block Information

Total Blocks:	2,091
Potentially Malicious Blocks:	953
Whitelisted Blocks:	1,138
Unknown Blocks:	0

Visual Map

x x 0 x 0 x 0 x 0 0 0 0 0 0 0 x 0 x x x x x x x x x 0 x 0 x 0 0 x 0 x x 0 0 x x x x x x x x x 0 0 0 x x x x x x 0 x 0 x x x x x x x 0 0 x x x x x x 0 0 0 0 x x 0 0 0 x 0 x x 0 x 0 x 0 0 0 0 0 x 0 0 x 0 x x x 0 0 x 0 0 0 x x 0 x x x x 0 0 x 0 0 x x x x x 0 x x x 0 x 0 0 0 0 0 x 0 x 0 x 0 0 0 0 0 0 0 x 0 0 x 0 x x 0 0 x 0 x 0 x 0 0 x 0 0 x x x x x 0 0 0 x x 0 0 x x x 0 0 0 0 x x 0 0 x x 0 0 0 x 0 x 0 x 0 0 x 0 0 0 x x x x x x 0 x 0 x 0 0 0 x 0 0 0 0 x x x x x x 0 x 0 x x x x 0 0 0 x x x x x x x x x x 0 x 0 0 0 0 x x 0 x x x x x x x x x 0 0 0 0 x x x x x 0 x x x x 0 x x 0 0 0 0 x x x x x x x x x x 0 x x x x 0 x 0 x 0 0 x x x x 0 x x 0 x 0 x x x 0 0 x x 0 x 0 x x x 0 x x 0 0 x 0 x 0 x x x 0 x 0 x x x 0 0 x 0 0 x x 0 x 0 x x 0 x x 0 0 x x 0 x 0 0 0 x x 0 0 x 0 0 0 x x 0 0 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 x 0 x x 0 0 0 x 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 x x 0 x x x x x x 0 x x 0 x 0 x 0 0 0 0 0 x x x x x x 0 0 x 0 0 x x x x x 0 x 0 x x 0 x 0 x x x 0 x 0 0 x 0 x x 0 x x 0 0 x x 0 0 x x x 0 x 0 0 x x x 0 0 x x 0 x x x x x x x x 0 x 0 0 0 x 0 0 x 0 x x x 0 0 0 0 0 0 x x 0 x 0 x 0 x 0 0 0 0 0 x x x 0 0 x 0 x 0 0 x x x x x 0 0 x x x x 0 x x x 0 0 x x x x 0 x 0 0 x x x x 0 0 x 0 0 x x x x 0 0 x 0 x x x x 0 0 x x 0 0 x x x 0 0 x x x x 0 x 0 x 0 x 0 x x x x x x x x x 0 0 0 x x 0 x 0 x x x x 0 0 x x x x 0 x x 0 0 0 x x x 0 0 x x x x x x x x x 0 x 0 x x x x x 0 0 0 0 x 0 x 0 x 0 x 0 0 0 0 x 0 x 0 x 0 0 0 0 0 0 x 0 x x x x 0 x 0 0 0 0 x 0 x 0 x 0 x 0 0 0 0 x 0 x 0 x 0 0 0 0 0 0 x 0 x 0 x 0 x 0 0 0 0 x 0 x x x 0 x 0 x 0 0 0 0 x 0 x x x 0 x 0 x 0 0 0 0 x 0 x 0 x x 0 x x 0 0 0 0 x 0 0 0 0 x 0 x 0 x 0 x x x 1 x x x x 0 x x x x x 0 0 x x x x x 0 x x x x 0 0 0 0 x 0 0 x 0 x x 0 0 0 x 0 0 x 0 0 x x x x 0 x x x x 0 x x 0 x x 0 x x x x x 0 x x 0 0 0 x x x x x 0 x x x 0 0 0 0 x x 0 x x x x x x x x x 0 x x x x 0 0 0 0 0 0 x x 0 x x x x x x x 0 x x x x x x 0 0 x 0 0 x x x x 0 0 0 x 0 x x x x x x x x x x 0 0 0 x x 0 0 x 0 x x x x 0 x 0 0 x 0 0 0 x x x x x x 0 x 0 0 0 x x 0 x x x x x x 0 0 x 0 x x 0 x x 0 x x x 0 0 0 0 0 x x x 0 x x x x x 0 x 0 0 x x x 0 0 x 0 x 0 0 0 x 0 0 0 x 0 x x 0 0 0 0 x x x x x x 0 0 x 0 0 x x x 0 x x x x 0 x 0 x 0 0 x x x 0 0 x 0 x 0 x x 0 0 0 0 0 0 0 0 0 0 x x 0 x x x x 0 x 0 x 0 x 0 x 0 x x x 0 x 0 x 0 x 0 x x 0 x x x x x x x 0 0 0 x 0 x x x x 0 x x 0 0 x 0 0 0 0 0 x 0 x 0 x 0 0 x 0 x 0 x x 0 x x 0 x x x x x x x 0 x x x 0 x x x x 0 0 x x x x x x x 0 x x x x x 0 x x 0 0 0 x x 0 x x 0 x 0 0 0 0 x x x x x 0 x x 0 0 0 x 0 x 0 0 x 0 x 0 x x 0 x x 0 x x 0 x x 0 0 x x 0 0 x x x x x x 0 0 x x x x x x x 0 0 x x 0 x x 0 x x x x x 0 0 0 0 0 x 0 0 x x 0 x 0 0 0 0 0 x x 0 x x x x 0 x x x x 0 0 x x x x x x 0 x 0 x x x x x x 0 0 x x x 0 0 0 x 0 0 x 0 x x 0 x 0 0 0 x x 0 x 0 0 0 0 0 0 x 0 0 x 0 x x x x 0 0 0 0 0 x x x x x 0 x x x x x x 0 x 0 x x 0 0 0 x 0 0 x x x x 0 0 0 x 0 x x 0 x 0 x x 0 x x x x x 0 0 0 x 0 x 0 x x 0 0 x x 0 0 x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 0 0 0 0 0 0 x x 0 x 0 x x 0 0 0 x 0 x x x x 0 0 0 x 0 0 0 x x 0 x 0 x 0 0 0 0 0 x 0 0 0 0 x x x x x x 0 x x x x x 0 x x 0 0 0 x x 0 x x x 0 x 0 x x x 0 x x x x 0 x 0 x x 0 0 0 x 0 x 0 0 x x 0 x x x x 0 x x x x 0 x x x 0 x 0 0 0 x x x 0 x x 0 x 0 x x x 0 x x 0 x 0 x 0 x x x x x x x x x x x 0 0 x 0 x 0 x 0 0 0 0 1 0 1 0 0 0 0 0 0 0 0 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 0 0 2 0 2 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 x 0 x x x 0 x x x 0 x x x 0 x x x 0 x 0 0 0 0 x 0 x 0 0 0 x 0 x x 0 x 0 x 0 x x x x 0 x x x x x 0 0 x x x 0 x x x x x x 0 x x 0 x x x x 0 x x x x 0 0 x x 0 x x 0 0 x x x x x x x 0 0 x x x x 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

Kryptik.EDAJ

Files Modified

File	Attributes
\device\namedpipe	Generic Write,Read Attributes
\device\namedpipe\dav rpc service	Generic Read,Write Data,Write Attributes,Write extended,Append data
\device\namedpipe\pshost.134136928048646637.4972.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134142956711232021.6348.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\pshost.134145072581043696.7824.defaultappdomain.powershell	Generic Read,Write Data,Write Attributes,Write extended,Append data,LEFT 524288
\device\namedpipe\wkssvc	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\powershell\startupprofiledata-noninteractive	Generic Write,Read Attributes
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.0.regtrans-ms	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.1.regtrans-ms	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\microsoft\windows\usrclass.dat{dba6b5ef-640a-11ed-9bcb-f677369d361c}.txr.2.regtrans-ms	Generic Read,Write Data,Write Attributes,Write extended,Append data

c:\users\user\appdata\local\temp\__psscriptpolicytest_g0h5py5y.o5r.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_mv0jkqzr.lug.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_oqmus3e4.zwv.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_sv1ra0zh.3ar.ps1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_svtqjrxs.lre.psm1	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\__psscriptpolicytest_ysppeara.z3s.psm1	Generic Write,Read Attributes

Registry Modifications

Key::Value	Data	API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	䮛賓ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	鞑鐻ǜ	RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe		RegNtPreCreateKey

Windows API Usage

Category	API
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAllocateLocallyUniqueId ntdll.dll!NtAlpcConnectPort ntdll.dll!NtAlpcConnectPortEx ntdll.dll!NtAlpcQueryInformation ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtApphelpCacheControl ntdll.dll!NtAssociateWaitCompletionPacket ntdll.dll!NtCancelTimer2 Show More ntdll.dll!NtCancelWaitCompletionPacket ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtCompareSigningLevels ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateIoCompletion ntdll.dll!NtCreateKey ntdll.dll!NtCreateMutant ntdll.dll!NtCreateNamedPipeFile ntdll.dll!NtCreatePrivateNamespace ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtCreateThreadEx ntdll.dll!NtCreateTimer ntdll.dll!NtCreateTimer2 ntdll.dll!NtCreateWaitCompletionPacket ntdll.dll!NtCreateWorkerFactory ntdll.dll!NtDelayExecution ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFlushProcessWriteBuffers ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtFsControlFile ntdll.dll!NtGetCachedSigningLevel ntdll.dll!NtGetWriteWatch ntdll.dll!NtMapViewOfSection ntdll.dll!NtNotifyChangeKey ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcess ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenSymbolicLinkObject ntdll.dll!NtOpenThreadToken ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryDefaultLocale ntdll.dll!NtQueryDirectoryFileEx ntdll.dll!NtQueryFullAttributesFile ntdll.dll!NtQueryInformationFile ntdll.dll!NtQueryInformationJobObject ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryLicenseValue ntdll.dll!NtQueryObject ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySymbolicLinkObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQuerySystemInformationEx ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtQueueApcThreadEx2 ntdll.dll!NtReadFile ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRemoveIoCompletion ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtResetWriteWatch ntdll.dll!NtResumeThread ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationFile ntdll.dll!NtSetInformationKey ntdll.dll!NtSetInformationObject ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationThread ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtSetTimer2 ntdll.dll!NtSetTimerEx ntdll.dll!NtSubscribeWnfStateChange ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl 26 additional items are not displayed above.
Process Manipulation Evasion	NtUnmapViewOfSection
Process Shell Execute	CreateProcess
Anti Debug	IsDebuggerPresent NtQuerySystemInformation
User Data Access	GetUserDefaultLocaleName GetUserName GetUserNameEx GetUserObjectInformation
Encryption Used	BCryptOpenAlgorithmProvider
Other Suspicious	AdjustTokenPrivileges
Process Terminate	TerminateProcess

Shell Command Execution


							C:\WINDOWS\System32\WindowsPowerShell\v1.0\powershell.exe "powershell" -Command "Get-Process | Select-Object Name"

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

Trojan.Kryptik.EDAJ

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Traits

Block Information

Block Information

Visual Map

Similar Families

Similar Families

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Trending

Amysion.com

PUP.MSIL.HackAgent.XD

WowCoupon

Most Viewed

How To Fix 'Printer Driver is Unavailable' Error

Discord Shows Black Screen when Sharing Screen

How to Fix 'macOS cannot verify that this app is...