Trojan.Siggen32.60954

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run] 'SMΔRT-Protection' = '%ProgramFiles(x86)%\Smadav\SMΔRTP.exe rts'

Creates or modifies the following files

<SYSTEM32>\tasks\smadav
<SYSTEM32>\tasks\smadavsecondaryupdater

Modifies file system

Creates the following files

%TEMP%\rarsfx0\keygen.7z
%TEMP%\rarsfx0\smadav2026rev1582.exe
%TEMP%\rarsfx0\cybermania.url
%TEMP%\is-bfekp.tmp\smadav2026rev1582.tmp
%TEMP%\is-go7ft.tmp\_isetup\_setup64.tmp
%TEMP%\is-go7ft.tmp\_isetup\_shfoldr.dll
%TEMP%\is-go7ft.tmp\_isetup\_isdecmp.dll
%ProgramFiles(x86)%\smadav\is-r7e3t.tmp
%ProgramFiles(x86)%\smadav\is-jh628.tmp
%ProgramFiles(x86)%\smadav\is-lont6.tmp
%ProgramFiles(x86)%\smadav\is-trrk6.tmp
%ProgramFiles(x86)%\smadav\is-lmaoa.tmp
%ProgramFiles(x86)%\smadav\is-rad38.tmp
%ProgramFiles(x86)%\smadav\is-gri97.tmp
%ProgramFiles(x86)%\smadav\is-o8jjb.tmp
%ProgramFiles(x86)%\smadav\is-vi735.tmp
%ProgramFiles(x86)%\smadav\is-dhh4h.tmp
%ProgramFiles(x86)%\smadav\is-1km6j.tmp
%ProgramFiles(x86)%\smadav\is-f8lp5.tmp
%ProgramFiles(x86)%\smadav\is-jhqv7.tmp
%ProgramFiles(x86)%\smadav\is-eb1bq.tmp
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\smadav antivirus\smadav.lnk
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\smadav antivirus\uninstall smadav.lnk
C:\users\public\desktop\smadδv.lnk
%ProgramFiles(x86)%\smadav\unins000.dat
%APPDATA%\smadav\smadav.xml
%LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-6a3ea4eb-11b8.pma
%TEMP%\{522d275d-149f-42c2-aadc-d919fcc86882}.png
%LOCALAPPDATA%\microsoft\windows\explorer\notifyicon\microsoft.explorer.notification.{cddbe50f-224c-1345-8e2b-b59e32721535}.png
%LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-6a3ea4f2-448.pma
%LOCALAPPDATA%\microsoft\edge\user data\default\manifest-000001
%LOCALAPPDATA%\microsoft\edge\user data\default\000001.dbtmp
%LOCALAPPDATA%\microsoft\edge\user data\default\manifest-000002
%LOCALAPPDATA%\microsoft\edge\user data\default\000002.dbtmp
%LOCALAPPDATA%\microsoft\edge\user data\default\log
%LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\index
%LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\data_0
%LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\data_2
%LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\data_3
%LOCALAPPDATA%\microsoft\edge\user data\default\cookies-journal
%LOCALAPPDATA%\microsoft\edge\user data\default\cookies
%LOCALAPPDATA%\microsoft\edge\user data\default\session storage\manifest-000001
%LOCALAPPDATA%\microsoft\edge\user data\default\session storage\000001.dbtmp
%LOCALAPPDATA%\microsoft\edge\user data\default\session storage\log
%LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\manifest-000001
%LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\000001.dbtmp
%LOCALAPPDATA%\microsoft\edge\user data\default\session storage\000003.log
%LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\log
%LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\000003.log
%LOCALAPPDATA%\microsoft\edge\user data\default\cache\index
%LOCALAPPDATA%\microsoft\edge\user data\default\cache\data_0
%LOCALAPPDATA%\microsoft\edge\user data\default\cache\data_2
%LOCALAPPDATA%\microsoft\edge\user data\default\cache\data_3
%LOCALAPPDATA%\microsoft\edge\user data\default\reporting and nel-journal
%LOCALAPPDATA%\microsoft\edge\user data\default\reporting and nel
%LOCALAPPDATA%\microsoft\edge\user data\default\cache\f_000001
%LOCALAPPDATA%\microsoft\edge\user data\default\code cache\js\ee170ef3b427c5fa_0
%APPDATA%\smadav\smadavsecondaryupdater.xml
%LOCALAPPDATA%\microsoft\edge\user data\default\code cache\js\index-dir\temp-index
%LOCALAPPDATA%\microsoft\edge\user data\default\code cache\js\9e5c59d5a0eec716_0

Deletes following files that it created itself

%TEMP%\is-go7ft.tmp\_isetup\_isdecmp.dll
%TEMP%\is-go7ft.tmp\_isetup\_setup64.tmp
%TEMP%\is-go7ft.tmp\_isetup\_shfoldr.dll
%TEMP%\is-bfekp.tmp\smadav2026rev1582.tmp
%APPDATA%\smadav\smadav.xml
%TEMP%\{522d275d-149f-42c2-aadc-d919fcc86882}.png
%LOCALAPPDATA%\microsoft\edge\user data\default\manifest-000001

Moves the following files

from %ProgramFiles(x86)%\smadav\is-r7e3t.tmp to %ProgramFiles(x86)%\smadav\unins000.exe
from %ProgramFiles(x86)%\smadav\is-jh628.tmp to %ProgramFiles(x86)%\smadav\readme.txt
from %ProgramFiles(x86)%\smadav\is-lont6.tmp to %ProgramFiles(x86)%\smadav\smδrtp.exe
from %ProgramFiles(x86)%\smadav\is-trrk6.tmp to %ProgramFiles(x86)%\smadav\smadav.loov
from %ProgramFiles(x86)%\smadav\is-lmaoa.tmp to %ProgramFiles(x86)%\smadav\smadav-updater.exe
from %ProgramFiles(x86)%\smadav\is-rad38.tmp to %ProgramFiles(x86)%\smadav\smadengine.dll
from %ProgramFiles(x86)%\smadav\is-gri97.tmp to %ProgramFiles(x86)%\smadav\smadextmenu64.dll
from %ProgramFiles(x86)%\smadav\is-o8jjb.tmp to %ProgramFiles(x86)%\smadav\smadhook32c.dll
from %ProgramFiles(x86)%\smadav\is-vi735.tmp to %ProgramFiles(x86)%\smadav\smadhook64c.dll
from %ProgramFiles(x86)%\smadav\is-dhh4h.tmp to %ProgramFiles(x86)%\smadav\smadavprotect32.exe
from %ProgramFiles(x86)%\smadav\is-1km6j.tmp to %ProgramFiles(x86)%\smadav\smadavprotect64.exe
from %ProgramFiles(x86)%\smadav\is-f8lp5.tmp to %ProgramFiles(x86)%\smadav\smadavhelper.exe
from %ProgramFiles(x86)%\smadav\is-jhqv7.tmp to %ProgramFiles(x86)%\smadav\smadavsecondaryupdater.exe
from %ProgramFiles(x86)%\smadav\is-eb1bq.tmp to %ProgramFiles(x86)%\smadav\smadenginehelper.dll
from %LOCALAPPDATA%\microsoft\edge\user data\default\000001.dbtmp to %LOCALAPPDATA%\microsoft\edge\user data\default\current
from %LOCALAPPDATA%\microsoft\edge\user data\default\session storage\000001.dbtmp to %LOCALAPPDATA%\microsoft\edge\user data\default\session storage\current
from %LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\000001.dbtmp to %LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\current
from %ProgramFiles(x86)%\smadav\smadextmenu64.dll to %ProgramFiles(x86)%\smadav\smadextc64.dll

Modifies the following files

%LOCALAPPDATA%\microsoft\edge\user data\last version
%LOCALAPPDATA%\microsoft\edge\user data\default\sync data\leveldb\log
%LOCALAPPDATA%\microsoft\edge\user data\default\sync data\leveldb\000003.log
%LOCALAPPDATA%\microsoft\edge\user data\default\site characteristics database\log
%LOCALAPPDATA%\microsoft\edge\user data\default\web data-journal
%LOCALAPPDATA%\microsoft\edge\user data\default\web data
%LOCALAPPDATA%\microsoft\edge\user data\default\visited links
%LOCALAPPDATA%\microsoft\edge\user data\default\history-journal
%LOCALAPPDATA%\microsoft\tokenbroker\cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres
%LOCALAPPDATA%\microsoft\edge\user data\default\history
%TEMP%\.ses

Substitutes the following files

%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Platform Notifications\LOG

Network activity

Connects to

'co####.edge.skype.com':443
'cy###mania.ws':443
'go#####agmanager.com':443
'dr#######bidk.cloudfront.net':443
'cr#.####g2.amazontrust.com':80
'x.##2.us':80
'me###rikan.com':80
'dw##s.com':80
'ko###rmasi.com':80
'a.###.#loudflare.com':443
'st####e.ko-fi.com':443
'st####.##oudflareinsights.com':443
'a###ytics.google.com':443
'st###.#.doubleclick.net':443
'go##le.ru':443

TCP

HTTP GET requests

http://cr#.####g2.amazontrust.com/rootg2.cer
http://www.ko###rmasi.com/update/secure-smadav.txt/
http://x.##2.us/x.cer

HTTP POST requests

http://me###rikan.com/smadavstatssecn.php
http://dw##s.com/smadavstats27.php

Other

'co####.edge.skype.com':443
'cy###mania.ws':443
'go#####agmanager.com':443
'dr#######bidk.cloudfront.net':443
'a.###.#loudflare.com':443
'st####e.ko-fi.com':443
'st####.##oudflareinsights.com':443
'st###.#.doubleclick.net':443
'a###ytics.google.com':443
'go##le.ru':443

UDP

DNS ASK co####.edge.skype.com
DNS ASK cy###mania.ws
DNS ASK fo###.#oogleapis.com
DNS ASK go#####agmanager.com
DNS ASK dr#######bidk.cloudfront.net
DNS ASK cr#.####g2.amazontrust.com
DNS ASK x.##2.us
DNS ASK me###rikan.com
DNS ASK dw##s.com
DNS ASK ko###rmasi.com
DNS ASK a.###.#loudflare.com
DNS ASK st####e.ko-fi.com
DNS ASK st####.##oudflareinsights.com
DNS ASK di##ord.gg
DNS ASK pa##al.me
DNS ASK t.#e
DNS ASK yo##ube.com
DNS ASK a###ytics.google.com
DNS ASK st###.#.doubleclick.net
DNS ASK go##le.ru

Miscellaneous

Searches for the following windows

ClassName: 'EDIT' WindowName: ''
ClassName: '' WindowName: 'SmaRTP'
ClassName: 'ThunderRT6TextBox' WindowName: ''
ClassName: 'ThunderRT6Main' WindowName: 'S m a d a v '
ClassName: 'Chrome_MessageWindow' WindowName: '%LOCALAPPDATA%\Microsoft\Edge\User Data'
ClassName: '' WindowName: 'SmadHook32'
ClassName: '' WindowName: 'SmadHook64'
ClassName: '' WindowName: 'Windows Script Host'

Creates and executes the following

'%TEMP%\rarsfx0\smadav2026rev1582.exe' /silent
'%TEMP%\is-bfekp.tmp\smadav2026rev1582.tmp' /SL5="$A02F2,6276255,133120,%TEMP%\RarSFX0\smadav2026rev1582.exe" /silent
'%ProgramFiles(x86)%\smadav\smδrtp.exe' rtc
'%ProgramFiles(x86)%\smadav\smadavprotect64.exe'

Executes the following

'%WINDIR%\syswow64\reg.exe' add "HKCU\Software\SMADΔV" /v "Name" /t REG_SZ /d "CyberMania" /f
'%WINDIR%\syswow64\reg.exe' add "HKCU\Software\SMADΔV" /v "Key" /t REG_SZ /d "991999609060" /f
'<SYSTEM32>\regsvr32.exe' /s "%ProgramFiles(x86)%\SMADAV\SmadExtMenu64.dll"
'%WINDIR%\syswow64\rundll32.exe' url.dll, FileProtocolHandler "https://www.cybermania.ws"
'%WINDIR%\syswow64\schtasks.exe' /create /tn "smadav" /xml "%APPDATA%\Smadav\smadav.xml"
'%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --single-argument https://www.cybermania.ws/
'%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --flag-switches-begin --flag-switches-end --do-not-de-elevate https://www.cybermania.ws/
'%WINDIR%\syswow64\regsvr32.exe' /s "%ProgramFiles(x86)%\Smadav\SmadExtc64.dll"
'<SYSTEM32>\regsvr32.exe' /s "%ProgramFiles(x86)%\Smadav\SmadExtc64.dll"
'%WINDIR%\syswow64\schtasks.exe' /create /tn "SmadavSecondaryUpdater" /xml "%APPDATA%\Smadav\SmadavSecondaryUpdater.xml"
'%WINDIR%\syswow64\rundll32.exe' url.dll, FileProtocolHandler "https://www.cybermania.ws"' (with hidden window)
'%WINDIR%\syswow64\schtasks.exe' /create /tn "smadav" /xml "%APPDATA%\Smadav\smadav.xml"' (with hidden window)
'%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --single-argument https://www.cybermania.ws/' (with hidden window)
'%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --flag-switches-begin --flag-switches-end --do-not-de-elevate https://www.cybermania.ws/' (with hidden window)
'%WINDIR%\syswow64\regsvr32.exe' /s "%ProgramFiles(x86)%\Smadav\SmadExtc64.dll"' (with hidden window)
'%WINDIR%\syswow64\schtasks.exe' /create /tn "SmadavSecondaryUpdater" /xml "%APPDATA%\Smadav\SmadavSecondaryUpdater.xml"' (with hidden window)

技术

术语

教育培训

误区

Technical Information

Curing recommendations

Free trial