Trojan.Siggen15.1985

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

<SYSTEM32>\tasks\firefox default browser agent cfc09828f3e50a07

Malicious functions

To complicate detection of its presence in the operating system,

blocks execution of the following system utilities:

Windows Defender

blocks the following features:

User Account Control (UAC)

adds antivirus exclusion with following registry keys:

[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths] '%TEMP%\312F.exe' = '00000000'

Injects code into

the following system processes:

%WINDIR%\microsoft.net\framework\v4.0.30319\jsc.exe

Searches for registry branches where third party applications store passwords

[<HKCU>\Software\Martin Prikryl]
[<HKLM>\Software\Wow6432Node\Martin Prikryl]

Reads files which store third party applications passwords

%LOCALAPPDATA%\google\chrome\user data\default\login data
%LOCALAPPDATA%\google\chrome\user data\default\web data
%LOCALAPPDATA%\google\chrome\user data\default\cookies
%APPDATA%\opera software\opera stable\login data
%APPDATA%\mozilla\firefox\profiles.ini
%APPDATA%\thunderbird\profiles.ini

Searches for windows to

detect analytical utilities:

ClassName: 'FilemonClass', WindowName: ''
ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
ClassName: 'RegmonClass', WindowName: ''

Modifies file system

Creates the following files

%APPDATA%\fccruad
%TEMP%\9d86.tmp-shm
%TEMP%\9db6.tmp
%TEMP%\9fc9.tmp
%TEMP%\9fda.tmp
%TEMP%\9ffa.tmp
%TEMP%\a01a.tmp
%TEMP%\a0e6.tmp
%LOCALAPPDATA%low\bbsqwy6yhk
%TEMP%\9d86.tmp
%TEMP%\a106.tmp
%TEMP%\a128.tmp
%TEMP%\a139.tmp
%TEMP%\a14a.tmp
%TEMP%\a14b.tmp
%TEMP%\a16b.tmp
%TEMP%\a16b.tmp-shm
%LOCALAPPDATA%low\ad1rf3am8r\ej7xg7cq_5q.zip
%TEMP%\a117.tmp
%TEMP%\a118.tmp
%LOCALAPPDATA%low\gxix4a2dre
%LOCALAPPDATA%low\exuieaoeii
%LOCALAPPDATA%low\3solbph71y
%TEMP%\685.exe
%TEMP%\19c7.exe
%TEMP%\312f.exe
%TEMP%\364e.exe
%TEMP%\3a07.exe
%TEMP%\55f1c548-8323-46ca-b5cf-75ed5b7c7e26\advancedrun.exe
%TEMP%\55f1c548-8323-46ca-b5cf-75ed5b7c7e26\test.bat
%TEMP%\44d1.exe
%APPDATA%\twtajic
%LOCALAPPDATA%low\sqlite3.dll
%ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
%ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
%ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
%LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol
%LOCALAPPDATA%low\1xvpfvjcrg
%LOCALAPPDATA%low\rywtiizs2t
%LOCALAPPDATA%low\rqf69azbla
%LOCALAPPDATA%low\x3cf3ednhm
%LOCALAPPDATA%low\fraqbc8wsa
%LOCALAPPDATA%low\fraqbc8ws-shm
%LOCALAPPDATA%low\hwsi7f4qi-shm

Sets the 'hidden' attribute to the following files

%APPDATA%\fccruad
%APPDATA%\twtajic

Deletes the following files

%LOCALAPPDATA%low\fraqbc8wsa
%LOCALAPPDATA%low\fraqbc8ws-shm
%LOCALAPPDATA%low\ad1rf3am8r\ej7xg7cq_5q.zip
%TEMP%\a16b.tmp
%TEMP%\a16b.tmp-shm
%TEMP%\a14b.tmp
%TEMP%\a14a.tmp
%TEMP%\a139.tmp
%TEMP%\a128.tmp
%TEMP%\a118.tmp
%TEMP%\a117.tmp
%TEMP%\a106.tmp
%TEMP%\a0e6.tmp
%TEMP%\a01a.tmp
%TEMP%\9ffa.tmp
%TEMP%\9fda.tmp
%TEMP%\9fc9.tmp
%TEMP%\9db6.tmp
%TEMP%\9d86.tmp
%TEMP%\9d86.tmp-shm
%LOCALAPPDATA%low\bbsqwy6yhk
%LOCALAPPDATA%low\gxix4a2dre
%LOCALAPPDATA%low\exuieaoeii
%LOCALAPPDATA%low\3solbph71y
%LOCALAPPDATA%low\x3cf3ednhm
%LOCALAPPDATA%low\rqf69azbla
%LOCALAPPDATA%low\rywtiizs2t
%LOCALAPPDATA%low\1xvpfvjcrg
%TEMP%\55f1c548-8323-46ca-b5cf-75ed5b7c7e26\test.bat
%TEMP%\55f1c548-8323-46ca-b5cf-75ed5b7c7e26\advancedrun.exe
%LOCALAPPDATA%low\hwsi7f4qi-shm
%LOCALAPPDATA%low\sqlite3.dll

Deletes itself.

Network activity

Connects to

're######istforaugust2.xyz':80
're######istforaugust8.xyz':80
'18#.#9.70.90':2080
'13#.#43.65.8':48715
'18#.#67.97.37':30902
'ge###tool.com':80
'ge###tool.com':443
'5.###.156.252':80
'65.##.90.212':6607
'ap#.ip.sb':443
'microsoft.com':80

TCP

HTTP GET requests

http://5.###.156.252//l/f/HhLLkHsBPvGyIjkLQ5KA/4d5a557923f4edd315933f65183ff9d5368a00a6
http://5.###.156.252//l/f/HhLLkHsBPvGyIjkLQ5KA/3e049529b61f948cf6742d2ed8631efa932b8d7a

HTTP POST requests

http://5.###.156.252/
http://re######istforaugust8.xyz/

Other

'13#.#43.65.8':48715
'18#.#67.97.37':30902
'ge###tool.com':443
'te##te.in':443
'65.##.90.212':6607
'ap#.ip.sb':443

UDP

DNS ASK re######istforaugust1.xyz
DNS ASK re######istforaugust2.xyz
DNS ASK re######istforaugust3.xyz
DNS ASK re######istforaugust4.xyz
DNS ASK re######istforaugust5.xyz
DNS ASK re######istforaugust6.xyz
DNS ASK re######istforaugust7.xyz
DNS ASK re######istforaugust8.xyz
DNS ASK ge###tool.com
DNS ASK ge###tatool.com
DNS ASK te##te.in
DNS ASK ap#.ip.sb
DNS ASK microsoft.com

Miscellaneous

Searches for the following windows

ClassName: 'File Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
ClassName: 'Process Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
ClassName: 'Registry Monitor - Sysinternals: www.sysinternals.com' WindowName: ''
ClassName: '18467-41' WindowName: ''

Creates and executes the following

'%TEMP%\685.exe'
'%TEMP%\19c7.exe'
'%TEMP%\312f.exe'
'%TEMP%\364e.exe'
'%TEMP%\3a07.exe'
'%TEMP%\44d1.exe'
'%TEMP%\55f1c548-8323-46ca-b5cf-75ed5b7c7e26\advancedrun.exe' /EXEFilename "%TEMP%\55f1c548-8323-46ca-b5cf-75ed5b7c7e26\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run
'%TEMP%\55f1c548-8323-46ca-b5cf-75ed5b7c7e26\advancedrun.exe' /SpecialRun 4101d8 1660
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath "%TEMP%\312F.exe" -Force
'%TEMP%\55f1c548-8323-46ca-b5cf-75ed5b7c7e26\advancedrun.exe' /EXEFilename "%TEMP%\55f1c548-8323-46ca-b5cf-75ed5b7c7e26\test.bat" /WindowState ""0"" /PriorityClass ""32"" /CommandLine "" /StartDirectory "" /RunAs 8 /Run' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath "%TEMP%\312F.exe" -Force' (with hidden window)

Executes the following

'%WINDIR%\syswow64\explorer.exe'
'%WINDIR%\explorer.exe'
'%WINDIR%\microsoft.net\framework\v4.0.30319\jsc.exe'

技术

术语

教育培训

误区

Technical Information

Curing recommendations

Free trial