Trojan.Siggen10.6572

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKLM>\Software\Classes\inffile\shell\open\command] '' = '<SYSTEM32>\NOTEPAD.EXE %1'

Sets the following service settings

[<HKLM>\System\CurrentControlSet\Services\LDrvSvc] 'ImagePath' = '<SYSTEM32>\svchost.exe -k LocalDriverService'
[<HKLM>\SYSTEM\CurrentControlSet\Services\LDrvSvc] 'Start' = '00000002'
[<HKLM>\SYSTEM\CurrentControlSet\Services\LDrvSvc\Parameters] 'ServiceDll' = '%TEMP%\7ZipSfx.000\LDrvSvc.dll'
[<HKLM>\System\CurrentControlSet\Services\Wlansvc] 'Start' = '00000002'

Creates the following services

'LDrvSvc' <SYSTEM32>\svchost.exe -k LocalDriverService

Modifies file system

Creates the following files

%TEMP%\7zipsfx.000\autosetup\filter.proc
%TEMP%\7zipsfx.000\pcid.dll
%TEMP%\7zipsfx.000\p2spd.dll
%TEMP%\7zipsfx.000\monreboot.dll
%TEMP%\7zipsfx.000\libcurl.dll
%TEMP%\7zipsfx.000\ldrvsvc.dll
%TEMP%\7zipsfx.000\ldrvpro.sys
%TEMP%\7zipsfx.000\gzipdll.dll
%TEMP%\7zipsfx.000\feedback.dll
%TEMP%\7zipsfx.000\dtl_drvprotect.exe
%TEMP%\7zipsfx.000\dtlupdater\dtlupg.exe
%TEMP%\7zipsfx.000\dtlupdater\checkupdate.dll
%TEMP%\7zipsfx.000\dtluninst.dll
%TEMP%\7zipsfx.000\dtlui.dll
%TEMP%\7zipsfx.000\dtlservice.exe
%TEMP%\7zipsfx.000\dtlnetdevice.dll
%TEMP%\7zipsfx.000\dtldrvcheck.dll
%TEMP%\7zipsfx.000\dtldrvuninst.dll
%TEMP%\7zipsfx.000\pcidetect.dll
%TEMP%\7zipsfx.000\pcidrv.dll
D:\dtlfolder\driversdownload\downloadinfo.db-journal
%PROGRAMDATA%\drivethelife2013\backuplist.dat
%APPDATA%\drivethelife2013\dtlconfig\wndconfigdata.xml
%APPDATA%\drivethelife2013\dtlconfig\userconfig.dat
%APPDATA%\drivethelife2013\dtlconfig\unsetup.xml
%APPDATA%\drivethelife2013\dtlconfig\dtlsetup.xml
%APPDATA%\drivethelife2013\dtlconfig\all_in_one_machine_cpu_moudle.xml
%TEMP%\7zipsfx.000\uninstall.exe
%TEMP%\7zipsfx.000\download\xlbughandler.dll
%TEMP%\7zipsfx.000\uninstall.dll
%TEMP%\7zipsfx.000\uninst.exe
%TEMP%\7zipsfx.000\uninst.dll
%TEMP%\7zipsfx.000\udp.dll
%TEMP%\7zipsfx.000\substat.dll
%TEMP%\7zipsfx.000\sqlite3.dll
%TEMP%\7zipsfx.000\pnpdrv.dll
%TEMP%\7zipsfx.000\dtlautosetup.dll
%TEMP%\7zipsfx.000\dstudp.dll
%TEMP%\7zipsfx.000\drvsrc.dll
%TEMP%\7zipsfx.000\uninst.dar0
%TEMP%\7zipsfx.000\skin\ad_image\ad.xml
%TEMP%\7zipsfx.000\skin\ad_image\20150120wan.jpg
%TEMP%\7zipsfx.000\skin\ad_image\20150120rili.jpg
%TEMP%\7zipsfx.000\skin\ad_image\20150120160wifi.jpg
%TEMP%\7zipsfx.000\lan\lan.xml
%TEMP%\7zipsfx.000\lan\chinese.ini
%TEMP%\7zipsfx.000\dtlconfig\wndconfigdata.xml
%TEMP%\7zipsfx.000\dtlconfig\userconfig.dat
%TEMP%\7zipsfx.000\dtlconfig\unsetup.xml
%TEMP%\7zipsfx.000\dtlconfig\dtlsetup.xml
%TEMP%\7zipsfx.000\dtlconfig\all_in_one_machine_cpu_moudle.xml
%TEMP%\7zipsfx.000\dtl.cmd
%TEMP%\7zipsfx.000\download\id.dat
%TEMP%\7zipsfx.000\7z.dll
%TEMP%\7zipsfx.000\appconfig.dll
%TEMP%\7zipsfx.000\uninst.dar1
%TEMP%\7zipsfx.000\devcfg.dll
%TEMP%\7zipsfx.000\drvget.dll
%TEMP%\7zipsfx.000\difxapi.dll
%TEMP%\7zipsfx.000\drvbak.dll
%TEMP%\7zipsfx.000\drvallrepair.dll
%TEMP%\7zipsfx.000\drv64\drv64.exe
%TEMP%\7zipsfx.000\drv64\difxapi.dll
%TEMP%\7zipsfx.000\drivethelife.exe
%TEMP%\7zipsfx.000\download\zlib1.dll
%TEMP%\7zipsfx.000\xldl.dll
D:\dtlfolder\driversdownload\downloadinfo.db
%TEMP%\7zipsfx.000\download\msvcr71.dll
%TEMP%\7zipsfx.000\download\msvcp71.dll
%TEMP%\7zipsfx.000\download\minizip.dll
%TEMP%\7zipsfx.000\download\minithunderplatform.exe
%TEMP%\7zipsfx.000\download\download_engine.dll
%TEMP%\7zipsfx.000\download\dl_peer_id.dll
%TEMP%\7zipsfx.000\download\atl71.dll
%TEMP%\7zipsfx.000\download\xlbugreport.exe
%TEMP%\7zipsfx.000\skin\ad_image\adtemp.xml

Deletes the following files

D:\dtlfolder\driversdownload\downloadinfo.db-journal

Substitutes the following files

D:\dtlfolder\driversdownload\downloadinfo.db-journal

Network activity

TCP

HTTP GET requests

http://in#.#pdrv.com/dtl/BloodEnrich.ashx?a=###################################################################
http://in#.#pdrv.com/service/DTLGetImgUrl.ashx?Co######################
http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt

HTTP POST requests

http://in#.#pdrv.com/feed/UpdrvFeedBack.aspx

UDP

DNS ASK in#.#pdrv.com
DNS ASK dt####ate.updrv.com
DNS ASK on#####.integrate.updrv.com
DNS ASK microsoft.com
DNS ASK di######.integrate.updrv.com
DNS ASK di####ch.updrv.com
DNS ASK in#.####behavior.updrv.com
DNS ASK ds####h1.updrv.com
DNS ASK ha#####rl1.updrv.com
DNS ASK in#.###ong.updrv.com
DNS ASK lo####.updrv.com
DNS ASK pl####1.updrv.com
'di####ch.updrv.com':7000
'on#####.integrate.updrv.com':6000
'di####ch.updrv.com':3000
'dt####ate.updrv.com':8080
'di######.integrate.updrv.com':3800
'di####ch.updrv.com':4300
'in#.####behavior.updrv.com':6130

Miscellaneous

Searches for the following windows

ClassName: 'TrayTool' WindowName: ''
ClassName: 'DTL6_DrvProtect' WindowName: ''

Creates and executes the following

'%TEMP%\7zipsfx.000\drivethelife.exe'
'%TEMP%\7zipsfx.000\dtl_drvprotect.exe' -stmsg 655908
'%TEMP%\7zipsfx.000\dtl_drvprotect.exe' -stmsg 655908' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\7ZipSfx.000\dtl.cmd" "
'%WINDIR%\syswow64\rundll32.exe' "%TEMP%\7ZipSfx.000\pcidetect.dll",HDRundllDetect
'%WINDIR%\syswow64\svchost.exe' -k LocalDriverService

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial