Trojan.Siggen27.25770

Technical Information

Malicious functions

To complicate detection of its presence in the operating system,

blocks execution of the following system utilities:

Windows Defender

adds antivirus exclusion with following registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{1343C2EC-323E-4753-91BF-39D71F534FE4}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions] 'exe' = ''
[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions] 'exe' = ''

Executes the following

'%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul
'%WINDIR%\syswow64\taskkill.exe' /im "vquPdBElcssy3iCzVw6vSorX.exe" /f

Modifies file system

Creates the following files

<SYSTEM32>\grouppolicy\gpt.ini
<SYSTEM32>\grouppolicy\machine\registry.pol
%ALLUSERSPROFILE%\ntuser.pol
%HOMEPATH%\documents\guardfox\oksfr0mdq2qihhp5sxkzyv_6.exe
%HOMEPATH%\documents\guardfox\vqupdbelcssy3iczvw6vsorx.exe
%HOMEPATH%\documents\guardfox\mppdpx33rrawwsuwk4vuixvk.exe
%HOMEPATH%\documents\guardfox\aa7mkoezov7nqtrzyjb0qb5u.exe
%HOMEPATH%\documents\guardfox\vlpc9bwuc6ke9fnyfha8omk0.exe
%HOMEPATH%\documents\guardfox\f9x3u8kmebbfav9uzzijlxrd.exe
%HOMEPATH%\documents\guardfox\20jvkjsgvw3eip5pspwxdmoo.exe
%APPDATA%\thunderbird\profiles\chdgbv82.default-release\cookies.sqlite-shm
%APPDATA%\thunderbird\profiles\chdgbv82.default-release\places.sqlite-shm

Deletes the following files

%APPDATA%\thunderbird\profiles\chdgbv82.default-release\cookies.sqlite-shm
%APPDATA%\thunderbird\profiles\chdgbv82.default-release\places.sqlite-shm
%HOMEPATH%\documents\guardfox\vqupdbelcssy3iczvw6vsorx.exe
%HOMEPATH%\documents\guardfox\mppdpx33rrawwsuwk4vuixvk.exe
%HOMEPATH%\documents\guardfox\oksfr0mdq2qihhp5sxkzyv_6.exe

Modifies the following files

Network activity

Connects to

'19#.#0.16.45':80
'bi###cket.org':80
'me######rkdkcodlskeej.net':80
'tr####hicken.net':443
'29#####amptometer.sbs':443
'se###yle.org':443
'vk.com':443
'mo###locked.com':443
'17#.#13.115.135':80
'me######rkdkcodlskeej.net':443
'bi###cket.org':443
'45.##.200.145':8088
'pk#.goog':80
'microsoft.com':80
'x1.#.lencr.org':80
'mo###locked.com':80
'se###yle.org':80
'14#.#5.47.93':30487
'ro##.newbond.su':80
'45.##.200.145':80
'tr####hicken.net':80
'vk.com':80
'29#####amptometer.sbs':80
'14#.#5.47.93':80
'cc##k.com':80
'18#.#72.128.187':80
'5.##.65.115':80
'19#.#0.16.46':80
'db##p.com':443
'ip##fo.io':443
'ap###.ipify.org':443
'ap#.#yip.com':443
'x2.#.lencr.org':80
'r3.#.lencr.org':80

TCP

HTTP GET requests

http://19#.#0.16.45/api/bing_release.php
http://5.##.65.115/download.php?pu######
http://18#.#72.128.187/timeSync.exe
http://17#.#13.115.135/byer
http://14#.##.47.93:30487/zigma/kefir.exe via 14#.#5.47.93
http://19#.#0.16.46/download/123p.exe
http://ro##.newbond.su/data/pdf/june.exe
http://45.##.200.145:8088/blue.exe via 45.##.200.145
http://cc##k.com/cc/index.php
http://pk#.goog/gsr1/gsr1.crt
http://29#####amptometer.sbs/bjhgvfd
http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
http://x1.#.lencr.org/
http://r3.#.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg%2ByvTLU%2Fw3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h%2BvnYsUwsYCEgTrJTYqbb9pcxBVUikMZti7vw%3D%3D
http://x2.#.lencr.org/

Other

'ap#.#yip.com':443
'bi###cket.org':443
'vk.com':443
'29#####amptometer.sbs':443
'se###yle.org':443
'me######rkdkcodlskeej.net':80
'tr####hicken.net':443
'mo###locked.com':443
'mo###locked.com':80
'vk.com':80
'se###yle.org':80
'tr####hicken.net':80
'db##p.com':443
'ip##fo.io':443
'ap###.ipify.org':443
'bi###cket.org':80
'me######rkdkcodlskeej.net':443

UDP

DNS ASK ap#.#yip.com
DNS ASK x1.#.lencr.org
DNS ASK microsoft.com
DNS ASK pk#.goog
DNS ASK me######rkdkcodlskeej.net
DNS ASK mo###locked.com
DNS ASK bi###cket.org
DNS ASK se###yle.org
DNS ASK cc##k.com
DNS ASK ro##.newbond.su
DNS ASK vk.com
DNS ASK tr####hicken.net
DNS ASK 29#####amptometer.sbs
DNS ASK db##p.com
DNS ASK ip##fo.io
DNS ASK ap###.ipify.org
DNS ASK r3.#.lencr.org
DNS ASK x2.#.lencr.org

Miscellaneous

Creates and executes the following

'%HOMEPATH%\documents\guardfox\20jvkjsgvw3eip5pspwxdmoo.exe'
'%HOMEPATH%\documents\guardfox\mppdpx33rrawwsuwk4vuixvk.exe'
'%HOMEPATH%\documents\guardfox\aa7mkoezov7nqtrzyjb0qb5u.exe'
'%HOMEPATH%\documents\guardfox\f9x3u8kmebbfav9uzzijlxrd.exe'
'%HOMEPATH%\documents\guardfox\oksfr0mdq2qihhp5sxkzyv_6.exe'
'%HOMEPATH%\documents\guardfox\vqupdbelcssy3iczvw6vsorx.exe'
'%HOMEPATH%\documents\guardfox\vlpc9bwuc6ke9fnyfha8omk0.exe'
'%HOMEPATH%\documents\guardfox\vlpc9bwuc6ke9fnyfha8omk0.exe' ' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul' (with hidden window)
'%WINDIR%\syswow64\sc.exe' start buepqljz' (with hidden window)
'%HOMEPATH%\documents\guardfox\20jvkjsgvw3eip5pspwxdmoo.exe' ' (with hidden window)
'%WINDIR%\syswow64\sc.exe' create buepqljz binPath= "%WINDIR%\SysWOW64\buepqljz\fibmmvww.exe /d\"%HOMEPATH%\Documents\GuardFox\mpPDPx33RraWwSuwk4vuIxVk.exe\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\fibmmvww.exe" %WINDIR%\SysWOW64\buepqljz\' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c taskkill /im "vquPdBElcssy3iCzVw6vSorX.exe" /f & erase "%HOMEPATH%\Documents\GuardFox\vquPdBElcssy3iCzVw6vSorX.exe" & exit' (with hidden window)
'%HOMEPATH%\documents\guardfox\mppdpx33rrawwsuwk4vuixvk.exe' ' (with hidden window)
'%HOMEPATH%\documents\guardfox\oksfr0mdq2qihhp5sxkzyv_6.exe' ' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\buepqljz\' (with hidden window)
'%HOMEPATH%\documents\guardfox\aa7mkoezov7nqtrzyjb0qb5u.exe' ' (with hidden window)
'%HOMEPATH%\documents\guardfox\f9x3u8kmebbfav9uzzijlxrd.exe' ' (with hidden window)
'%HOMEPATH%\documents\guardfox\vqupdbelcssy3iczvw6vsorx.exe' ' (with hidden window)
'%WINDIR%\syswow64\sc.exe' description buepqljz "wifi internet conection"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c timeout /t 5 & del /f /q "%HOMEPATH%\Documents\GuardFox\oKSFr0mDQ2QiHhP5SXKzyV_6.exe" & del "%ALLUSERSPROFILE%\*.dll"" & exit' (with hidden window)

Executes the following

'<SYSTEM32>\svchost.exe' -k secsvcs
'<SYSTEM32>\sc.exe' start "PHSWJLZY"
'%WINDIR%\syswow64\svchost.exe'
'<SYSTEM32>\sc.exe' create "PHSWJLZY" binpath= "%ALLUSERSPROFILE%\jndraacsywhc\todymdgvwmgb.exe" start= "auto"
'%WINDIR%\syswow64\timeout.exe' /t 5
'<SYSTEM32>\sc.exe' delete "PHSWJLZY"
'<SYSTEM32>\powercfg.exe' /x -standby-timeout-dc 0
'<SYSTEM32>\powercfg.exe' /x -standby-timeout-ac 0
'<SYSTEM32>\powercfg.exe' /x -hibernate-timeout-dc 0
'<SYSTEM32>\powercfg.exe' /x -hibernate-timeout-ac 0
'%WINDIR%\syswow64\cmd.exe' /c timeout /t 5 & del /f /q "%HOMEPATH%\Documents\GuardFox\oKSFr0mDQ2QiHhP5SXKzyV_6.exe" & del "%ALLUSERSPROFILE%\*.dll"" & exit
'%WINDIR%\syswow64\cmd.exe' /c taskkill /im "vquPdBElcssy3iCzVw6vSorX.exe" /f & erase "%HOMEPATH%\Documents\GuardFox\vquPdBElcssy3iCzVw6vSorX.exe" & exit
'%WINDIR%\syswow64\sc.exe' start buepqljz
'%WINDIR%\syswow64\sc.exe' description buepqljz "wifi internet conection"
'%WINDIR%\syswow64\sc.exe' create buepqljz binPath= "%WINDIR%\SysWOW64\buepqljz\fibmmvww.exe /d\"%HOMEPATH%\Documents\GuardFox\mpPDPx33RraWwSuwk4vuIxVk.exe\"" type= own start= auto DisplayName= "wifi support"
'%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\fibmmvww.exe" %WINDIR%\SysWOW64\buepqljz\
'%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\buepqljz\
'<SYSTEM32>\raserver.exe' /offerraupdate
'<SYSTEM32>\sc.exe' stop eventlog
'<SYSTEM32>\svchost.exe'

Tecnologías

Términos

Formación y educación

Mitos

Technical Information

Curing recommendations

Free trial