Trojan.Siggen23.9248

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'csrss' = '"C:\kms\csrss.exe"'
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] 'csrss' = '"C:\kms\csrss.exe"'
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, "C:\kms\csrss.exe"'
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'iexplore' = '"C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\1033\iexplore.exe"'
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] 'iexplore' = '"C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\1033\iexplore.exe"'
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, "C:\kms\csrss.exe", "C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\1033\iexplore.exe"'
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'System' = '"%ProgramFiles%\Java\jre1.8.0_45\System.exe"'
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] 'System' = '"%ProgramFiles%\Java\jre1.8.0_45\System.exe"'
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon] 'Shell' = 'explorer.exe, "C:\kms\csrss.exe", "C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\1033\iexplore.exe", "%P...
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'firefox' = '"C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\firefox.exe"'
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] 'firefox' = '"C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\firefox.exe"'
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run] 'audiodg' = '"%WINDIR%\ModemLogs\audiodg.exe"'
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] 'audiodg' = '"%WINDIR%\ModemLogs\audiodg.exe"'

Creates or modifies the following files

<SYSTEM32>\tasks\csrss
<SYSTEM32>\tasks\csrssc
<SYSTEM32>\tasks\iexplorei
<SYSTEM32>\tasks\systems
<SYSTEM32>\tasks\iexplore
<SYSTEM32>\tasks\audiodg
<SYSTEM32>\tasks\firefox
<SYSTEM32>\tasks\system
<SYSTEM32>\tasks\firefoxf
<SYSTEM32>\tasks\audiodga

Malicious functions

To complicate detection of its presence in the operating system,

blocks execution of the following system utilities:

Windows Task Manager (Taskmgr)

Modifies file system

Creates the following files

%APPDATA%\blockdriverintodll\blockcommon.exe
%WINDIR%\modemlogs\audiodg.exe
%WINDIR%\modemlogs\42af1c969fbb7b
%TEMP%\k0cbq2lp.0.cs
%TEMP%\k0cbq2lp.cmdline
%TEMP%\k0cbq2lp.out
%TEMP%\jlfpugegha
%TEMP%\stnb9oxyzm.bat
nul
%HOMEPATH%\desktop\mbrnfyca.log
%HOMEPATH%\desktop\hnclasgn.log
%HOMEPATH%\desktop\rlwhhoqz.log
%HOMEPATH%\desktop\gxsqxdvr.log
%HOMEPATH%\desktop\wyofklgn.log
%HOMEPATH%\desktop\crrfmrkb.log
%HOMEPATH%\desktop\tckvzray.log
%HOMEPATH%\desktop\rhozvtab.log
%HOMEPATH%\desktop\qmtesvaf.log
%HOMEPATH%\desktop\gdaoisux.log
%HOMEPATH%\desktop\fnqtedkb.log
%HOMEPATH%\desktop\mwdnlyzm.log
%HOMEPATH%\desktop\lgsshjpp.log
%HOMEPATH%\desktop\kqixeuet.log
%HOMEPATH%\desktop\bxqnqleq.log
%HOMEPATH%\desktop\zmumqtzp.log
%HOMEPATH%\desktop\rymcdtom.log
%HOMEPATH%\desktop\fuxrptjh.log
%HOMEPATH%\desktop\lcbwpsta.log
%HOMEPATH%\desktop\jrwfifih.log
%HOMEPATH%\desktop\wiwuuvnd.log
C:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\0fc223bdacedc3
%HOMEPATH%\desktop\ggqparxo.log
C:\msocache\all users\{90140000-001a-0409-1000-0000000ff1ce}-c\firefox.exe
%ProgramFiles%\java\jre1.8.0_45\system.exe
%APPDATA%\blockdriverintodll\jjhf3v4cw86rspllwb9slfjnchicnfz.vbe
%APPDATA%\blockdriverintodll\qikx6izo2hu71.bat
%HOMEPATH%\desktop\vrsjgpwf.log
%HOMEPATH%\desktop\ahgatvjk.log
%HOMEPATH%\desktop\hptuzqyv.log
%HOMEPATH%\desktop\nxgoflog.log
%HOMEPATH%\desktop\eenescoc.log
%HOMEPATH%\desktop\nxwzyqio.log
%HOMEPATH%\desktop\kxqdvitr.log
%HOMEPATH%\desktop\ruedyxng.log
%HOMEPATH%\desktop\ysscamiu.log
%HOMEPATH%\desktop\neomqbnm.log
%HOMEPATH%\desktop\wxxhxoiy.log
%HOMEPATH%\desktop\vhnmtzxc.log
%HOMEPATH%\desktop\umrrqaxf.log
%HOMEPATH%\desktop\kszgcsxb.log
%HOMEPATH%\desktop\ixelztwf.log
%HOMEPATH%\desktop\auvwpahy.log
%HOMEPATH%\desktop\gxxpvmhi.log
%HOMEPATH%\desktop\nvlpybbx.log
%HOMEPATH%\desktop\kkgzrnqe.log
%HOMEPATH%\desktop\rhuyuclt.log
%HOMEPATH%\desktop\hjqoglvp.log
%HOMEPATH%\desktop\xaxywiqh.log
%HOMEPATH%\desktop\fdwyzgaw.log
C:\kms\csrss.exe
C:\kms\886983d96e3d3e
C:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\1033\iexplore.exe
C:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\1033\9db6e019d4f04e
%ProgramFiles%\java\jre1.8.0_45\27d1bcfc3c54e0
%HOMEPATH%\desktop\ltiodomc.log

Deletes the following files

%TEMP%\k0cbq2lp.cmdline
%TEMP%\k0cbq2lp.out
%TEMP%\k0cbq2lp.0.cs
%TEMP%\jlfpugegha

Moves the following files

from %ProgramFiles%\microsoft office\office14\bcssync.exe to %ProgramFiles%\microsoft office\office14\bcssync.exe.exe

Network activity

Connects to

'21#.#26.100.235':80

TCP

HTTP POST requests

http://21#.#26.100.235/php/sqlimageDump/Proton/ToLocalExternal/TrafficUploads/Httpdownloads/ProcessBigloadlongpollUploads/videoTraffic/36ServerPipe/videowindowsTraffic.php

Miscellaneous

Searches for the following windows

ClassName: 'EDIT' WindowName: ''

Creates and executes the following

'%WINDIR%\syswow64\wscript.exe' "%APPDATA%\BlockDriverintoDll\JjhF3v4cw86rSpllWb9sLFJncHicnFz.vbe"
'%APPDATA%\blockdriverintodll\blockcommon.exe'
'C:\msocache\all users\{90140000-0115-0409-1000-0000000ff1ce}-c\1033\iexplore.exe'
'%WINDIR%\syswow64\cmd.exe' /c ""%APPDATA%\BlockDriverintoDll\qIKX6izO2hU71.bat" "' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\k0cbq2lp.cmdline"' (with hidden window)
'<SYSTEM32>\cmd.exe' /C "%TEMP%\stNB9OXyZm.bat"' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c ""%APPDATA%\BlockDriverintoDll\qIKX6izO2hU71.bat" "
'<SYSTEM32>\cmd.exe' /C "%TEMP%\stNB9OXyZm.bat"
'<SYSTEM32>\schtasks.exe' /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'%WINDIR%\ModemLogs\audiodg.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "audiodg" /sc ONLOGON /tr "'%WINDIR%\ModemLogs\audiodg.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'%WINDIR%\ModemLogs\audiodg.exe'" /f
'<SYSTEM32>\schtasks.exe' /create /tn "firefoxf" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\firefox.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "firefox" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\firefox.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "firefoxf" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-1000-0000000FF1CE}-C\firefox.exe'" /f
'<SYSTEM32>\schtasks.exe' /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'%ProgramFiles%\Java\jre1.8.0_45\System.exe'" /rl HIGHEST /f
'<SYSTEM32>\chcp.com' 65001
'<SYSTEM32>\schtasks.exe' /create /tn "System" /sc ONLOGON /tr "'%ProgramFiles%\Java\jre1.8.0_45\System.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "iexplorei" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\1033\iexplore.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "iexplore" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\1033\iexplore.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "iexplorei" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-1000-0000000FF1CE}-C\1033\iexplore.exe'" /f
'%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\k0cbq2lp.cmdline"
'<SYSTEM32>\schtasks.exe' /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\kms\csrss.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "csrss" /sc ONLOGON /tr "'C:\kms\csrss.exe'" /rl HIGHEST /f
'<SYSTEM32>\schtasks.exe' /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\kms\csrss.exe'" /f
'%WINDIR%\syswow64\reg.exe' add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
'<SYSTEM32>\schtasks.exe' /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'%ProgramFiles%\Java\jre1.8.0_45\System.exe'" /f
'<SYSTEM32>\ping.exe' -n 10 localhost

Tecnologías

Términos

Formación y educación

Mitos

Technical Information

Curing recommendations

Free trial