Trojan.Siggen20.43334

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'Anti DDoS' = '%ProgramFiles(x86)%\Anti DDoS Guardian 6.1\AntiDDoS.exe'

Sets the following service settings

[HKLM\System\CurrentControlSet\Services\NBlocker] 'Start' = '00000001'
[HKLM\System\CurrentControlSet\Services\NBlocker] 'ImagePath' = 'system32\DRIVERS\nblocker.sys'
[HKLM\System\CurrentControlSet\Services\BeeThinkBlockerService] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\BeeThinkBlockerService] 'ImagePath' = '%ProgramFiles(x86)%\Anti DDoS Guardian 6.1\BlockerService.exe'
[HKLM\System\CurrentControlSet\Services\StopBruteForceService] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\StopBruteForceService] 'ImagePath' = '%ProgramFiles(x86)%\Anti DDoS Guardian 6.1\StopBruteForceService.exe'

Creates the following services

'NBlocker' system32\DRIVERS\nblocker.sys
'BeeThinkBlockerService' %ProgramFiles(x86)%\Anti DDoS Guardian 6.1\BlockerService.exe
'StopBruteForceService' %ProgramFiles(x86)%\Anti DDoS Guardian 6.1\StopBruteForceService.exe

Malicious functions

Executes the following

'%WINDIR%\syswow64\taskkill.exe' /f /im "BlockerService.exe"

Modifies file system

Creates the following files

%TEMP%\rarsfx0\replace.exe
%ProgramFiles(x86)%\anti ddos guardian 6.1\country ip\is-77d9f.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\country ip\is-435bo.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\country ip\is-sithg.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\country ip\is-tsthg.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\country ip\is-5291k.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\country ip\is-bm43h.tmp
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\anti ddos guardian 6.1\anti ddos guardian 6.1.lnk
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\anti ddos guardian 6.1\mini ip blocker 1.0.lnk
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\anti ddos guardian 6.1\anti ddos guardian on the web.url
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\anti ddos guardian 6.1\uninstall anti ddos guardian.lnk
C:\users\public\desktop\anti ddos guardian 6.1.lnk
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-65i05.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-v1h3l.tmp
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\anti ddos guardian 6.1\anti ddos guardian help.lnk
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\anti ddos guardian 6.1\stop rdp brute force 1.0.lnk
C:\users\public\desktop\stop rdp brute force 1.0.lnk
%ProgramFiles(x86)%\anti ddos guardian 6.1\unins000.dat
%TEMP%\{4ab664d3-9b46-545a-c8bc-60438bb50613}\set9b83.tmp
%TEMP%\{4ab664d3-9b46-545a-c8bc-60438bb50613}\set9c6e.tmp
%TEMP%\{4ab664d3-9b46-545a-c8bc-60438bb50613}\set9d59.tmp
<SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\oem2.cat
%WINDIR%\inf\oem2.pnf
<DRIVERS>\setf92d.tmp
%WINDIR%\temp\uddfd61.tmp
%WINDIR%\temp\fwtsqmfile01.sqm
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\anti ddos guardian 6.1\beethink ip address whois 1.0.lnk
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\anti ddos guardian 6.1\beethink ip address whois help.lnk
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-4b8tm.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-nkqme.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-07njl.tmp
%TEMP%\rarsfx0\cybermania.url
%TEMP%\is-2jmoo.tmp\setup.tmp
%TEMP%\is-g57op.tmp\_isetup\_setup64.tmp
%TEMP%\is-g57op.tmp\crypto.dll
%TEMP%\is-g57op.tmp\common.dll
%TEMP%\is-g57op.tmp\installhelper.dll
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-1fo4q.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-63jd8.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-snikk.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-jk9bq.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-jq7qu.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-lb8eq.tmp
%TEMP%\rarsfx0\setup.exe
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-kgsre.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-prnj4.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-aigao.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-tn1m6.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-q8cpk.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-rmhu4.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-ldnkr.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-2ro7l.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-vdnbv.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-jh80n.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-qqc4q.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-u1t6i.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-5u8hh.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\is-kh18r.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\antiddos.exe
%ProgramFiles(x86)%\anti ddos guardian 6.1\common.dll

Sets the 'hidden' attribute to the following files

<SYSTEM32>\catroot\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\oem2.cat

Deletes the following files

%TEMP%\{4ab664d3-9b46-545a-c8bc-60438bb50613}\nblocker.cat
%TEMP%\{4ab664d3-9b46-545a-c8bc-60438bb50613}\nblocker.inf
%TEMP%\{4ab664d3-9b46-545a-c8bc-60438bb50613}\nblocker.sys
%WINDIR%\temp\uddfd61.tmp
%ProgramFiles(x86)%\anti ddos guardian 6.1\nblocker.inf
%ProgramFiles(x86)%\anti ddos guardian 6.1\nblocker.sys
%ProgramFiles(x86)%\anti ddos guardian 6.1\nblocker.cat
%ProgramFiles(x86)%\anti ddos guardian 6.1\beethink.cer
%TEMP%\is-g57op.tmp\common.dll
%TEMP%\is-g57op.tmp\crypto.dll
%TEMP%\is-g57op.tmp\installhelper.dll
%TEMP%\is-g57op.tmp\_isetup\_setup64.tmp
%TEMP%\is-2jmoo.tmp\setup.tmp
%TEMP%\rarsfx0\cybermania.url
%TEMP%\rarsfx0\replace.exe
%TEMP%\rarsfx0\setup.exe

Moves the following files

from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-1fo4q.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\unins000.exe
from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-5u8hh.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\beethink.cer
from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-07njl.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\whois.exe
from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-nkqme.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\whois.chm
from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-4b8tm.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\stopbruteforce.exe
from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-65i05.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\stopbruteforceservice.exe
from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-v1h3l.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\blockerservice.exe
from %ProgramFiles(x86)%\anti ddos guardian 6.1\country ip\is-435bo.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\country ip\china.lst
from %TEMP%\{4ab664d3-9b46-545a-c8bc-60438bb50613}\set9d59.tmp to %TEMP%\{4ab664d3-9b46-545a-c8bc-60438bb50613}\nblocker.sys
from %ProgramFiles(x86)%\anti ddos guardian 6.1\country ip\is-sithg.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\country ip\india.lst
from %ProgramFiles(x86)%\anti ddos guardian 6.1\country ip\is-tsthg.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\country ip\iran.lst
from %ProgramFiles(x86)%\anti ddos guardian 6.1\country ip\is-5291k.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\country ip\russia.lst
from %ProgramFiles(x86)%\anti ddos guardian 6.1\country ip\is-bm43h.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\country ip\ukraine.lst
from %TEMP%\{4ab664d3-9b46-545a-c8bc-60438bb50613}\set9b83.tmp to %TEMP%\{4ab664d3-9b46-545a-c8bc-60438bb50613}\nblocker.cat
from %TEMP%\{4ab664d3-9b46-545a-c8bc-60438bb50613}\set9c6e.tmp to %TEMP%\{4ab664d3-9b46-545a-c8bc-60438bb50613}\nblocker.inf
from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-u1t6i.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\nblocker.cat
from %ProgramFiles(x86)%\anti ddos guardian 6.1\country ip\is-77d9f.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\country ip\brazil.lst
from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-qqc4q.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\nblocker.sys
from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-kh18r.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\listupdate.dll
from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-63jd8.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\7zdec.dll
from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-snikk.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\zlib1.dll
from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-jk9bq.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\rules.dll
from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-jq7qu.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\crypto.dll
from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-lb8eq.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\common.dll
from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-kgsre.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\http.dll
from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-prnj4.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\antiddos.dll
from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-vdnbv.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\install.exe
from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-aigao.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\reg.dll
from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-tn1m6.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\tray.dll
from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-q8cpk.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\antiddos.exe
from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-rmhu4.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\ipblockerdemon.exe
from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-ldnkr.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\miniipblocker.exe
from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-2ro7l.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\antiddos.chm
from %ProgramFiles(x86)%\anti ddos guardian 6.1\is-jh80n.tmp to %ProgramFiles(x86)%\anti ddos guardian 6.1\nblocker.inf
from <DRIVERS>\setf92d.tmp to <DRIVERS>\nblocker.sys

Modifies the following files

Network activity

UDP

DNS ASK microsoft.com
DNS ASK cy###mania.ws
'localhost':51758
'localhost':58965
'localhost':59972
'localhost':59975

Miscellaneous

Searches for the following windows

ClassName: 'EDIT' WindowName: ''
ClassName: '' WindowName: 'Г“ВІВјГѕВ°ВІГ—В°'
ClassName: '' WindowName: 'Hardware Installation'
ClassName: '' WindowName: 'Digital Signature Not Found'
ClassName: '' WindowName: 'Windows Security'
ClassName: '' WindowName: ''
ClassName: 'Static' WindowName: ''
ClassName: 'MS_AutodialMonitor' WindowName: ''
ClassName: 'MS_WebCheckMonitor' WindowName: ''

Creates and executes the following

'%TEMP%\rarsfx0\setup.exe' /silent
'%TEMP%\is-2jmoo.tmp\setup.tmp' /SL5="$10244,2198573,121344,%TEMP%\RarSFX0\Setup.exe" /silent
'%ProgramFiles(x86)%\anti ddos guardian 6.1\install.exe' a
'%ProgramFiles(x86)%\anti ddos guardian 6.1\blockerservice.exe' install
'%ProgramFiles(x86)%\anti ddos guardian 6.1\blockerservice.exe' start
'%ProgramFiles(x86)%\anti ddos guardian 6.1\blockerservice.exe'
'%ProgramFiles(x86)%\anti ddos guardian 6.1\stopbruteforceservice.exe' install
'%ProgramFiles(x86)%\anti ddos guardian 6.1\stopbruteforceservice.exe' start
'%ProgramFiles(x86)%\anti ddos guardian 6.1\stopbruteforceservice.exe'
'%TEMP%\rarsfx0\replace.exe'

Executes the following

'%WINDIR%\syswow64\certutil.exe' -f -addstore "TrustedPublisher" "%ProgramFiles(x86)%\Anti DDoS Guardian 6.1\BeeThink.cer"

技术

术语

教育培训

误区

Technical Information

Curing recommendations

Free trial