Trojan.Siggen18.27281

Technical Information

Malicious functions

Terminates or attempts to terminate

the following system processes:

%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe

Modifies file system

Creates the following files

%WINDIR%\temp\easyconnectinstaller.exe
%APPDATA%\baiduyunguanjia\16587144430802f9f800.dat
%TEMP%\baidu\autoupdate\config.ini
%TEMP%\baidu\autoupdate\autoupdateutil.dll
%TEMP%\baidu\autoupdate\autoupdate.exe
%TEMP%\baidu\autoupdate\launcher.exe
%TEMP%\baidu\autoupdate\elevator.exe
%TEMP%\baidu\autoupdate\k
%TEMP%\baidu\autoupdate\stage1.exe
%APPDATA%\baiduyunguanjia\16587144437ada7a23ab.dat
%WINDIR%\temp\download\mainapp\update.cab.downloading
%APPDATA%\baiduyunguanjia\1658714422fa6b6e46d4.dat
%APPDATA%\baiduyunguanjia\1658714421c5c4c8a8dd.dat
%APPDATA%\baiduyunguanjia\localdata.dat
%APPDATA%\baiduyunguanjia\165871442181feb597da.dat
%WINDIR%\temp\download\autoupdate.xml.downloading
%TEMP%\nscf46e.tmp\system.dll
%TEMP%\nsmf45d.tmp
%APPDATA%\easyconnect_14669\easyconnectinstallerraw.exe
%WINDIR%\temp\config.ini
%WINDIR%\temp\autoupdateutil.dll
%WINDIR%\temp\autoupdate.exe
%APPDATA%\baiduyunguanjia\1658714444074a7621a9.dat
%WINDIR%\temp\download\packageinfo.xml

Deletes the following files

%APPDATA%\baiduyunguanjia\localdata.dat
%APPDATA%\baiduyunguanjia\16587144437ada7a23ab.dat
%APPDATA%\baiduyunguanjia\16587144430802f9f800.dat
%WINDIR%\temp\autoupdate.exe.old
%WINDIR%\temp\autoupdateutil.dll.old
%WINDIR%\temp\config.ini.old
%WINDIR%\temp\download\autoupdate.xml.old.0
%APPDATA%\baiduyunguanjia\1658714444074a7621a9.dat
%WINDIR%\temp\download\mainapp\update.cab
%WINDIR%\temp\k

Moves the following files

from %WINDIR%\temp\download\autoupdate.xml.downloading to %WINDIR%\temp\download\autoupdate.xml
from %WINDIR%\temp\download\mainapp\update.cab.downloading to %WINDIR%\temp\download\mainapp\update.cab
from %TEMP%\baidu\autoupdate\stage1.exe to %WINDIR%\temp\stage1.exe
from %TEMP%\baidu\autoupdate\k to %WINDIR%\temp\k
from %TEMP%\baidu\autoupdate\elevator.exe to %WINDIR%\temp\elevator.exe
from %TEMP%\baidu\autoupdate\launcher.exe to %WINDIR%\temp\launcher.exe
from %WINDIR%\temp\autoupdate.exe to %WINDIR%\temp\autoupdate.exe.old
from %WINDIR%\temp\autoupdateutil.dll to %WINDIR%\temp\autoupdateutil.dll.old
from %WINDIR%\temp\config.ini to %WINDIR%\temp\config.ini.old
from %WINDIR%\temp\download\autoupdate.xml to %WINDIR%\temp\download\autoupdate.xml.old.0
from %WINDIR%\temp\stage1.exe to \:wtf

Substitutes the following files

%APPDATA%\baiduyunguanjia\localdata.dat
%WINDIR%\temp\autoupdate.exe
%WINDIR%\temp\autoupdateutil.dll
%WINDIR%\temp\config.ini

Network activity

Connects to

'se############5y-1251969815.gz.apigw.tencentcs.com':443
'up####.pan.baidu.com':80
'localhost':49179
'localhost':49181
'ba##u.com':443
'localhost':49184
'localhost':49186
'localhost':49189
'localhost':49191
'localhost':49194
'localhost':49196
'localhost':49199
'localhost':49201

TCP

HTTP POST requests

http://up####.pan.baidu.com/statistics?cl###############################################################################################################################

Other

'se############5y-1251969815.gz.apigw.tencentcs.com':443
'localhost':49199
'localhost':49197
'localhost':49196
'localhost':49194
'localhost':49192
'localhost':49191
'localhost':49201
'localhost':49189
'localhost':49186
'localhost':49184
'ba##u.com':443
'localhost':49182
'localhost':49181
'localhost':49179
'localhost':49187
'localhost':49202

UDP

DNS ASK se############5y-1251969815.gz.apigw.tencentcs.com
DNS ASK up####.pan.baidu.com
DNS ASK ba##u.com

Miscellaneous

Searches for the following windows

ClassName: 'MozillaWindowClass' WindowName: ''

Creates and executes the following

'%WINDIR%\temp\easyconnectinstaller.exe'
'%WINDIR%\temp\autoupdate.exe'
'%APPDATA%\easyconnect_14669\easyconnectinstallerraw.exe'
'%WINDIR%\temp\stage1.exe'
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq 'avpcc'} }"' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq 'avp'} }"' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq 'kavfs'} }"' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq 'kavpf'} }"' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq 'kavtray'} }"' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq 'HipsMain'} }"' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq 'avpm'} }"' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq 'HipsDaemon'} }"' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq 'HipsTray'} }"' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq '360safe'} }"' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq '360sd'} }"' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq '360Tray'} }"' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq 'ZhuDongFangYu'} }"' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq 'HipsLog'} }"' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq 'ccSetMgr'} }"' (with hidden window)

Executes the following

'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq 'ZhuDongFangYu'} }"
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq '360Tray'} }"
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq '360sd'} }"
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq '360safe'} }"
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq 'HipsTray'} }"
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq 'HipsDaemon'} }"
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq 'HipsMain'} }"
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq 'HipsLog'} }"
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq 'kavtray'} }"
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq 'kavpf'} }"
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq 'kavfs'} }"
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq 'avp'} }"
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq 'avpcc'} }"
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq 'avpm'} }"
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -c "& { Get-Process | Where-Object {$_.ProcessName -eq 'ccSetMgr'} }"

技术

术语

教育培训

误区

Technical Information

Curing recommendations

Free trial