Trojan.Siggen12.19010

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run] 'FsFM' = '"%ProgramFiles(x86)%\FsZip\FsFM.exe"-dv'

Creates or modifies the following files

<SYSTEM32>\tasks\fszip

Sets the following service settings

[<HKLM>\System\CurrentControlSet\Services\Actinotity] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\Actinotity] 'ImagePath' = '%ProgramFiles(x86)%\Actinotity\Actinotity.exe'

Creates the following services

'Actinotity' %ProgramFiles(x86)%\Actinotity\Actinotity.exe

Modifies file system

Creates the following files

%ProgramFiles(x86)%\realinstall.exe
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\images\560.png
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\images\48x48logo.png
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\css\popup.css
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\css\normalize.css
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\background.html
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\560x350.png
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\48x48logo.png
%LOCALAPPDATA%\cp\��˵��.txt
%LOCALAPPDATA%\cp\ʱ��.crx
%LOCALAPPDATA%\cp\_metadata\verified_contents.json
%LOCALAPPDATA%\cp\_metadata\computed_hashes.json
%LOCALAPPDATA%\cp\popup.html
%LOCALAPPDATA%\cp\plugin.json
%LOCALAPPDATA%\cp\manifest.json
%LOCALAPPDATA%\cp\js\underscore.js
%LOCALAPPDATA%\cp\js\popup.js
%LOCALAPPDATA%\cp\js\main.js
%LOCALAPPDATA%\cp\js\jquery-1.10.1.min.js
%LOCALAPPDATA%\cp\js\background.js
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\images\560x350.png
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\images\icon-lo.png
%HOMEPATH%\temp\everything.exe
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\images\logo128.png
%HOMEPATH%\temp\client_cfg
%TEMP%\fz_9fa9.exe
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\��˵��.txt
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\ʱ��.crx
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\_metadata\verified_contents.json
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\_metadata\computed_hashes.json
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\popup.html
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\plugin.json
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\manifest.json
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\js\underscore.js
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\js\popup.js
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\js\main.js
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\js\jquery-1.10.1.min.js
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\js\background.js
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\images\tlogo.png
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\images\sleep4.png
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\images\sleep3.png
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\images\sleep2.png
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\images\sleep1.png
%LOCALAPPDATA%\cp\images\tlogo.png
%LOCALAPPDATA%\google\chrome\user data\default\extensions\dpkgdalmnhlpcmhcdegjmnljhjbbpojo\27.0.0.1_0\images\ban.png
%LOCALAPPDATA%\cp\images\sleep4.png
%APPDATA%\httpsvrt\config.ini
%ProgramFiles(x86)%\actinotity\actinotity.exe
%TEMP%\fz_b347.exe
%ProgramFiles(x86)%\fszip\config.ini
%ProgramFiles(x86)%\fszip\filereader.exe
%ProgramFiles(x86)%\fszip\uninstall.exe
%ProgramFiles(x86)%\fszip\fzcompression.exe
%ProgramFiles(x86)%\fszip\uninst000.exe
%ProgramFiles(x86)%\fszip\fs-zip64.dll
%TEMP%\nsba40d.tmp\system.dll
%ProgramFiles(x86)%\fszip\lang\zh-cn.txt
%ProgramFiles(x86)%\fszip\main.ico
%ProgramFiles(x86)%\fszip\7zcon.sfx
%ProgramFiles(x86)%\fszip\7z.sfx
%ProgramFiles(x86)%\fszip\7z.exe
%ProgramFiles(x86)%\fszip\fsg.exe
%ProgramFiles(x86)%\fszip\fsfm.exe
%ProgramFiles(x86)%\fszip\7z.dll
%ProgramFiles(x86)%\fszip\7zex.dll
%TEMP%\nsma1db.tmp
%APPDATA%\ftpyser\config.ini
%APPDATA%\ftpyser\kkt3_.7z
%LOCALAPPDATA%\cp\images\sleep2.png
%APPDATA%\ftpyser\eternity.exe
%LOCALAPPDATA%\cp\images\sleep1.png
%LOCALAPPDATA%\cp\images\logo128.png
%LOCALAPPDATA%\cp\images\icon-lo.png
%LOCALAPPDATA%\cp\images\ban.png
%LOCALAPPDATA%\cp\images\560x350.png
%LOCALAPPDATA%\cp\images\560.png
%LOCALAPPDATA%\cp\images\48x48logo.png
%LOCALAPPDATA%\cp\css\popup.css
%LOCALAPPDATA%\cp\css\normalize.css
%LOCALAPPDATA%\cp\background.html
%LOCALAPPDATA%\cp\560x350.png
%LOCALAPPDATA%\cp\48x48logo.png
%LOCALAPPDATA%\chromeplugin.zip
%LOCALAPPDATA%\plugin.dll
%APPDATA%\httpsvrt\npsty.dll
%APPDATA%\httpsvrt\unique.exe
%APPDATA%\httpsvrt\sophisticated.exe
%APPDATA%\httpsvrt\lcsjk.7z
%APPDATA%\ftpyser\liberty.exe
%LOCALAPPDATA%\cp\images\sleep3.png
%HOMEPATH%\temp\everything.ini

Deletes the following files

%TEMP%\nsba40d.tmp\system.dll
%ProgramFiles(x86)%\realinstall.exe
%APPDATA%\ftpyser\kkt3_.7z
%APPDATA%\httpsvrt\lcsjk.7z
%LOCALAPPDATA%\plugin.dll
%LOCALAPPDATA%\chromeplugin.zip
%APPDATA%\httpsvrt\npsty.dll

Modifies the following files

%LOCALAPPDATA%\google\chrome\user data\default\secure preferences
%LOCALAPPDATA%\google\chrome\user data\default\preferences

Network activity

Connects to

'fs.##.shiwan1688.cn':80
'to#####.box.720892.com':80
'fs.###.shiwan1688.cn':80
'nk##.#dLives.com':80

TCP

HTTP GET requests

http://fs.##.shiwan1688.cn/fszip/HatEditoreb.exe
http://fs.###.shiwan1688.cn/pinforesults.do?sc###############################################################################################
http://fs.##.shiwan1688.cn/fszip/myjfhgts.exe

UDP

DNS ASK fs.##.shiwan1688.cn
DNS ASK ba##u.com
DNS ASK to#####.box.720892.com
DNS ASK fs.###.shiwan1688.cn
DNS ASK nk##.#dLives.com

Miscellaneous

Searches for the following windows

ClassName: 'MS_WINHELP' WindowName: ''

Creates and executes the following

'%ProgramFiles(x86)%\realinstall.exe' /D=%ProgramFiles(x86)%\FsZip
'%APPDATA%\ftpyser\liberty.exe'
'%TEMP%\fz_9fa9.exe'
'%APPDATA%\httpsvrt\sophisticated.exe'
'%APPDATA%\httpsvrt\unique.exe'
'%ProgramFiles(x86)%\fszip\filereader.exe' -n 3028
'%TEMP%\fz_b347.exe'
'%TEMP%\fz_b347.exe' 2
'%ProgramFiles(x86)%\fszip\fzcompression.exe' -l
'%ProgramFiles(x86)%\fszip\fsfm.exe' -dv
'%ProgramFiles(x86)%\fszip\fzcompression.exe' -t
'%APPDATA%\ftpyser\eternity.exe'
'%WINDIR%\syswow64\sc.exe' create Actinotity binpath= "%ProgramFiles(x86)%\Actinotity\Actinotity.exe" start= auto' (with hidden window)
'%ProgramFiles(x86)%\realinstall.exe' /D=%ProgramFiles(x86)%\FsZip' (with hidden window)
'%TEMP%\fz_9fa9.exe' ' (with hidden window)
'%ProgramFiles(x86)%\fszip\fsfm.exe' -dv' (with hidden window)
'%TEMP%\fz_b347.exe' ' (with hidden window)
'%ProgramFiles(x86)%\fszip\fzcompression.exe' -t' (with hidden window)

Executes the following

'%WINDIR%\syswow64\regsvr32.exe' /u /s "%ProgramFiles(x86)%\FsZip\Fs-zip64.dll"
'<SYSTEM32>\regsvr32.exe' /u /s "%ProgramFiles(x86)%\FsZip\Fs-zip64.dll"
'%WINDIR%\syswow64\regsvr32.exe' /s "%ProgramFiles(x86)%\FsZip\Fs-zip64.dll"
'<SYSTEM32>\regsvr32.exe' /s "%ProgramFiles(x86)%\FsZip\Fs-zip64.dll"
'%WINDIR%\syswow64\sc.exe' create Actinotity binpath= "%ProgramFiles(x86)%\Actinotity\Actinotity.exe" start= auto

Tecnologías

Términos

Formación y educación

Mitos

Technical Information

Curing recommendations

Free trial