BackDoor.Siggen2.3238

Added to the Dr.Web virus database: 2020-09-02

Virus description added:

Compilation date:

  • 03.04.2019 15:23:54

SHA1 hash:

  • 3884263dfe67a3da0079fe40d6186950b853145c

Description

A backdoor trojan for 32-bit Microsoft Windows operating systems. It is written in C++. Its main functionality is to obtain unauthorized access to infected computers and perform malicious actions on behalf of attackers.

Operating routine

Upon launching, BackDoor.Siggen2.3238 performs a series of preliminary checks. First, it obtains the addresses of the following exported functions:

  • CreateDirectoryExW
  • NtQueryDirectoryFile
  • NtDeleteFile
  • NtWriteFile
  • NtReadFile
  • NtCreateFile
  • NtSetInformationFile

Next, it verifies the pointer to each function using the following algorithm:

[screenshot]

If the data at the pointer matches the value being checked for, the trojan allocates a memory region 1 byte in size, fills 10 bytes in this region with zeroes and tries to free it:

[screenshot]

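This operation is performed for each exported function. By doing so, the backdoor most likely checks for active hooks in the functions and attempts to terminate the active process (writing 10 bytes into a 1-byte allocation overruns the buffer, so the subsequent free can crash the process).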

BackDoor.Siggen2.3238 then checks whether the false and true strings hardcoded in its code match. If they match, the trojan checks whether VMWare and VirtualBox components, namely VMWare Guest Additions, Virtual Machine Additions and Virtualbox Guest Additions, are present in the system. After this verification is complete, its results are reset, and the trojan enters an endless loop in which it performs no other action.

[screenshot]

The main functionality

BackDoor.Siggen2.3238 can connect to the C&C server over either HTTP or HTTPS. The analyzed sample uses HTTPS. Requests to the server are sent with the following User-Agent:

Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SE)

All requests are sent with the following set of parameters:

%s;type=%s;length=%s;realdata=%send

where the %s placeholders are replaced, in order, with the following:

  • the infected computer ID
  • the type of the request to be sent
  • the length of the data in the realdata field
  • the data

After the initial verification is complete, BackDoor.Siggen2.3238 generates its own ID using the following function:

[screenshot]

Next, it collects information about the infected system and forms the string shown below:

lan=%s;cmpname=%s;username=%s;version=%s;

where lan is the IP address of the infected computer, cmpname is the computer name, username is the user name, and version is the string 0.0.4.03.

This information, paired with the sysinfo ID, is sent to the C&C server located at https://31.214.157.14/log.txt. If BackDoor.Siggen2.3238 receives the HEART signal in response, the connection is considered successful, and the trojan proceeds to the main cycle of communication with the server.
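
For hunting in web-proxy logs, the C&C address, path and User-Agent quoted above can be matched as in this added example, which is not part of the original description. The tab-separated log layout and every sample record are constructed; because the sample uses HTTPS, a proxy without TLS inspection sees only host and port, which the code rates as a weaker match.

```python
from urllib.parse import urlsplit

# Indicators quoted in the description above.
C2_HOST = "31.214.157.14"
C2_PATH = "/log.txt"
USER_AGENT = "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0; SE)"

# Constructed sample log, tab-separated: time, client, target, user-agent.
# A host:port target is a TLS tunnel the proxy could not look inside.
SAMPLE_LOG = "\n".join([
    "2020-09-02T10:00:01Z\t10.0.0.5\t31.214.157.14:443\t-",
    "2020-09-02T10:00:02Z\t10.0.0.7\thttps://31.214.157.14/log.txt\t" + USER_AGENT,
    "2020-09-02T10:00:03Z\t10.0.0.9\thttps://example.com/\t" + USER_AGENT,
    "2020-09-02T10:00:04Z\t10.0.0.9\thttps://example.com/log.txt\tMozilla/5.0 (Windows NT 10.0)",
    "truncated line",
])


def match_line(line):
    """Return (client, set of matched indicators), or None for a malformed line."""
    cols = line.split("\t")
    if len(cols) != 4:
        return None
    _, client, target, ua = cols
    if "://" in target:                      # inspected request: full URL is known
        url = urlsplit(target)
        host, path = url.hostname, url.path
    else:                                    # tunnel: only host:port is visible
        host, path = target.rpartition(":")[0], None
    hits = set()
    if host == C2_HOST:
        hits.add("host")
        if path == C2_PATH:                  # the path only counts on the C&C host
            hits.add("path")
    if ua == USER_AGENT:
        hits.add("user-agent")
    return client, hits


def hunt(log_text):
    """Rate each client: high = host+path+UA, medium = C&C host seen, low = UA only."""
    rank = {"low": 0, "medium": 1, "high": 2}
    verdicts = {}
    for client, hits in filter(None, map(match_line, log_text.splitlines())):
        level = "high" if len(hits) == 3 else "medium" if "host" in hits else "low"
        if hits and rank[level] >= rank.get(verdicts.get(client), -1):
            verdicts[client] = level
    return verdicts
```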

To receive new commands, the backdoor sends a packet with the HEART command ID and the heart data. The server response that follows is parsed with the regular expression shown below:

type=([^&]+);first=([^&]+);second=([^&]+);third=([^&]+);

The type string in this response identifies the command to be executed, while the other strings contain the parameters for that command.
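
The request envelope, the system-information string and the command regular expression described above can be decoded from decrypted traffic or a sandbox capture as in this added example, which is not part of the original description. It assumes that the length field is a decimal character count and that the ID contains no semicolon; the sample messages, the host ID placeholder and the placement of command parameters are constructed.

```python
import re

# Formats quoted in the description above.
REQUEST_RE = re.compile(
    r"^(?P<bot_id>[^;]*);type=(?P<type>[^;]*);length=(?P<length>[^;]*);"
    r"realdata=(?P<data>.*)end$", re.DOTALL)
RESPONSE_RE = re.compile(
    r"type=([^&]+);first=([^&]+);second=([^&]+);third=([^&]+);")
KNOWN_COMMANDS = {"HEART", "OK", "CMDINFO", "PROCESSINFO", "PROCESSTERMINATE",
                  "LISTDRIVE", "LISTFILE", "DELETEFILE", "DOWNLOAD", "UPLOAD", "RUN"}

# Constructed samples (not captured traffic); the ID is a placeholder.
SAMPLE_DATA = "lan=192.0.2.10;cmpname=WS-01;username=alice;version=0.0.4.03;"
SAMPLE_REQUEST = (f"HOST-ID-PLACEHOLDER;type=sysinfo;length={len(SAMPLE_DATA)};"
                  f"realdata={SAMPLE_DATA}end")
SAMPLE_RESPONSE = "type=LISTFILE;first=C:\\Users;second=0;third=0;"


def parse_kv(text):
    """Split 'key=value;key=value;' records (sysinfo, listings) into a dict."""
    out = {}
    for part in text.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            out[key] = value
    return out


def parse_request(raw):
    """Parse one client-to-server message; None if it does not fit the format."""
    m = REQUEST_RE.match(raw)
    if not m:
        return None
    rec = m.groupdict()
    # realdata may itself contain ';', so it runs up to the final "end" marker.
    # Assumption: length is a decimal character count of realdata.
    rec["length_ok"] = rec["length"].isdigit() and int(rec["length"]) == len(rec["data"])
    rec["fields"] = parse_kv(rec["data"])
    return rec


def parse_response(raw):
    """Apply the backdoor's own regex; flag command names not in the table."""
    m = RESPONSE_RE.search(raw)
    if not m:
        return None
    cmd, *args = m.groups()
    return {"type": cmd, "args": args, "known": cmd in KNOWN_COMMANDS}
```

Because each capture group in the response regex is `[^&]+`, a response only matches when all three parameters are non-empty, so unused parameters must still carry some filler value.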

BackDoor.Siggen2.3238 can receive the following commands:

Command | Description
HEART | Heartbeat (a beacon signal that keeps the C&C server and the backdoor connected).
OK | A server confirmation indicating that the data sent by the trojan has been received successfully.
CMDINFO | To launch cmd.exe with its input and output redirected into pipes, through which the data is sent to the server and back.
PROCESSINFO | To collect information about the running processes. The information about each process is represented as proName=%1%;PID=%2%;proPath=%3%;Tport=%4%;Uport=%5%;descrip=%6%;
PROCESSTERMINATE | To kill the process with the specified PID.
LISTDRIVE | To collect information about disks. The information about each disk is represented as diskName=%s;driveType=%s;.
LISTFILE | To collect the listing of the specified directory. The information about each file or directory in it is represented as fileName=%1%;path=%2%;fileType=%3%;fileSize=%4%;access=%5%;create=%6%;.
DELETEFILE | To delete the specified file.
DOWNLOAD | To upload the specified file onto the server.
UPLOAD | To download the specified file from the server.
RUN | To launch the specified file.

Curing recommendations

  1. If the operating system (OS) can be loaded (either normally or in safe mode), download Dr.Web Security Space and run a full scan of your computer and any removable media you use.
  2. If you cannot boot the OS, change the BIOS settings to boot your system from a CD or USB drive. Download the image of the emergency system repair disk Dr.Web® LiveDisk, mount it on a USB drive or burn it to a CD/DVD. After booting up with this media, run a full scan and cure all the detected threats.