Trojan.Siggen14.52081

Technical Information

Malicious functions

Reads files which store third party applications passwords

%LOCALAPPDATA%\google\chrome\user data\default\cookies
%LOCALAPPDATA%\google\chrome\user data\default\login data
%LOCALAPPDATA%\google\chrome\user data\default\web data
%APPDATA%\opera software\opera stable\login data

Modifies file system

Creates the following files

%TEMP%\$inst\2.tmp
%APPDATA%\gillmeister software\expert workshop\transponders\all.list
%APPDATA%\gillmeister software\expert workshop\themes\default.css
%APPDATA%\gillmeister software\expert workshop\themes\cosmo.css
%APPDATA%\gillmeister software\expert workshop\qt5serialport.dll
%APPDATA%\gillmeister software\expert workshop\qt5quickwidgets.dll
%APPDATA%\gillmeister software\expert workshop\mathtree.dll
%APPDATA%\gillmeister software\expert workshop\localization\turkish.txt
%APPDATA%\gillmeister software\expert workshop\localization\swedish.txt
%APPDATA%\gillmeister software\expert workshop\localization\spanish.txt
%APPDATA%\gillmeister software\expert workshop\localization\slovak.txt
%APPDATA%\gillmeister software\expert workshop\transponders\cabfiles\all.list
%APPDATA%\gillmeister software\expert workshop\transponders\atsc\list.txt
%APPDATA%\gillmeister software\expert workshop\localization\polish.txt
%APPDATA%\gillmeister software\expert workshop\localization\lithuanian.txt
%APPDATA%\gillmeister software\expert workshop\localization\italian.txt
%APPDATA%\gillmeister software\expert workshop\localization\hebrew.txt
%APPDATA%\gillmeister software\expert workshop\localization\greek.txt
%APPDATA%\gillmeister software\expert workshop\localization\german.txt
%APPDATA%\gillmeister software\expert workshop\localization\french.txt
%APPDATA%\gillmeister software\expert workshop\localization\english.txt
%APPDATA%\gillmeister software\expert workshop\localization\czech.txt
%APPDATA%\gillmeister software\expert workshop\localization\croatian.txt
%APPDATA%\gillmeister software\expert workshop\localization\serbian(lat).txt
%APPDATA%\gillmeister software\expert workshop\lang\es\xml_menucontext_treeview.xml
%APPDATA%\gillmeister software\expert workshop\transponders\iptv\rostelecom.m3u
%ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\3ccd5499-87a8-4b10-a215-608888dd3b55.vsch
%ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\policy.vpol
%APPDATA%\thunderbird\profiles\wjj9aet2.default\places.sqlite-shm
%APPDATA%\thunderbird\profiles\wjj9aet2.default\cookies.sqlite-shm
%ALLUSERSPROFILE%\vcruntime140.dll
%ALLUSERSPROFILE%\softokn3.dll
%ALLUSERSPROFILE%\nss3.dll
%ALLUSERSPROFILE%\msvcp140.dll
%ALLUSERSPROFILE%\mozglue.dll
%ALLUSERSPROFILE%\freebl3.dll
%APPDATA%\gillmeister software\expert workshop\bsriec26
%APPDATA%\gillmeister software\expert workshop\aieukngl
%APPDATA%\gillmeister software\expert workshop\eus26p89
%APPDATA%\gillmeister software\expert workshop\aaa1ngvk
%APPDATA%\gillmeister software\expert workshop\e37900zu
%APPDATA%\gillmeister software\expert workshop\jectject
%APPDATA%\gillmeister software\expert workshop\mgdjmo8g
%APPDATA%\gillmeister software\expert workshop\fus2nopz
%ALLUSERSPROFILE%\sqlite3.dll
%APPDATA%\gillmeister software\expert workshop\uninstall.ini
%APPDATA%\gillmeister software\expert workshop\uninstall.exe
%APPDATA%\gillmeister software\expert workshop\vsexpert.exe
%APPDATA%\gillmeister software\expert workshop\utilslib.dll
%APPDATA%\gillmeister software\expert workshop\localization\chinese.txt
%APPDATA%\gillmeister software\expert workshop\localization\portuguese.txt
%APPDATA%\gillmeister software\expert workshop\localization\bulgarian.txt
%APPDATA%\gillmeister software\expert workshop\libplist.dll
%APPDATA%\gillmeister software\expert workshop\liborc-test-0.4-0.dll
%APPDATA%\gillmeister software\expert workshop\images\icon.png
%APPDATA%\gillmeister software\expert workshop\lang\en\xml_menucontext_treeview.xml
%APPDATA%\gillmeister software\expert workshop\lang\en\xml_menucontext_thumbview.xml
%APPDATA%\gillmeister software\expert workshop\lang\en\xml_menu.xml
%APPDATA%\gillmeister software\expert workshop\lang\en\searchhelp.rtf
%APPDATA%\gillmeister software\expert workshop\lang\en\phototheca eula.rtf
%APPDATA%\gillmeister software\expert workshop\lang\de\xml_menucontext_treeview.xml
%APPDATA%\gillmeister software\expert workshop\lang\de\xml_menucontext_thumbview.xml
%APPDATA%\gillmeister software\expert workshop\lang\de\xml_menu.xml
%APPDATA%\gillmeister software\expert workshop\lang\de\searchhelp.rtf
%APPDATA%\gillmeister software\expert workshop\lang\de\phototheca eula.rtf
%APPDATA%\gillmeister software\expert workshop\images\exeicon.png
%APPDATA%\gillmeister software\expert workshop\lang\es\xml_menu.xml
%APPDATA%\gillmeister software\expert workshop\images\app_plugin_control_32.png
%APPDATA%\gillmeister software\expert workshop\images\app_plugin_control_16.png
%APPDATA%\gillmeister software\expert workshop\fonts\license.txt
%APPDATA%\gillmeister software\expert workshop\fonts\font awesome 5 free-regular-400.otf
%APPDATA%\gillmeister software\expert workshop\devexpress.sparkline.v14.2.core.dll
%APPDATA%\gillmeister software\expert workshop\commonmanaged.dll
%APPDATA%\gillmeister software\expert workshop\cds.xml
%APPDATA%\gillmeister software\expert workshop\bzip2.dll
%APPDATA%\gillmeister software\expert workshop\7-zip.dll
%TEMP%\$inst\temp_0.tmp
%ALLUSERSPROFILE%\microsoft\vault\ac658cb4-9126-49bd-b877-31eedab3f204\2f1a6504-0641-44cf-8bb5-3612d865f2e5.vsch
%APPDATA%\gillmeister software\expert workshop\transponders\terfiles\all.list
%APPDATA%\gillmeister software\expert workshop\lang\es\xml_menucontext_thumbview.xml
%APPDATA%\gillmeister software\expert workshop\lang\fr\xml_menu.xml
%APPDATA%\gillmeister software\expert workshop\lang\es\searchhelp.rtf
%APPDATA%\gillmeister software\expert workshop\libmms-0.dll
%APPDATA%\gillmeister software\expert workshop\libgstsdp-1.0-0.dll
%APPDATA%\gillmeister software\expert workshop\libgstriff-1.0-0.dll
%APPDATA%\gillmeister software\expert workshop\libgstfft-1.0-0.dll
%APPDATA%\gillmeister software\expert workshop\libgstcontroller-1.0-0.dll
%APPDATA%\gillmeister software\expert workshop\libgstapp-1.0-0.dll
%APPDATA%\gillmeister software\expert workshop\libgpg-error-0.dll
%APPDATA%\gillmeister software\expert workshop\libftype-5.dll
%APPDATA%\gillmeister software\expert workshop\libffi-6.dll
%APPDATA%\gillmeister software\expert workshop\libegl.dll
%APPDATA%\gillmeister software\expert workshop\libchromaprint.dll
%APPDATA%\gillmeister software\expert workshop\lang\pl\xml_menucontext_treeview.xml
%APPDATA%\gillmeister software\expert workshop\lang\pl\xml_menucontext_thumbview.xml
%APPDATA%\gillmeister software\expert workshop\lang\pl\xml_menu.xml
%APPDATA%\gillmeister software\expert workshop\lang\pl\searchhelp.rtf
%APPDATA%\gillmeister software\expert workshop\lang\it\xml_menucontext_treeview.xml
%APPDATA%\gillmeister software\expert workshop\lang\it\xml_menucontext_thumbview.xml
%APPDATA%\gillmeister software\expert workshop\lang\it\xml_menu.xml
%APPDATA%\gillmeister software\expert workshop\lang\it\searchhelp.rtf
%APPDATA%\gillmeister software\expert workshop\lang\it\phototheca eula.rtf
%APPDATA%\gillmeister software\expert workshop\lang\fr\xml_menucontext_treeview.xml
%APPDATA%\gillmeister software\expert workshop\lang\fr\xml_menucontext_thumbview.xml
%APPDATA%\gillmeister software\expert workshop\lang\fr\searchhelp.rtf
%LOCALAPPDATA%\microsoft\vault\4bf4c442-9b8a-41a0-b380-dd4a704ddb28\policy.vpol

Deletes the following files

%TEMP%\$inst\temp_0.tmp
%ALLUSERSPROFILE%\softokn3.dll
%ALLUSERSPROFILE%\nss3.dll
%ALLUSERSPROFILE%\msvcp140.dll
%ALLUSERSPROFILE%\mozglue.dll
%ALLUSERSPROFILE%\freebl3.dll
%ALLUSERSPROFILE%\sqlite3.dll
%APPDATA%\thunderbird\profiles\wjj9aet2.default\places.sqlite-shm
%APPDATA%\thunderbird\profiles\wjj9aet2.default\cookies.sqlite-shm
%APPDATA%\gillmeister software\expert workshop\bsriec26
%APPDATA%\gillmeister software\expert workshop\aieukngl
%APPDATA%\gillmeister software\expert workshop\eus26p89
%APPDATA%\gillmeister software\expert workshop\aaa1ngvk
%APPDATA%\gillmeister software\expert workshop\e37900zu
%APPDATA%\gillmeister software\expert workshop\jectject
%APPDATA%\gillmeister software\expert workshop\mgdjmo8g
%APPDATA%\gillmeister software\expert workshop\fus2nopz
%TEMP%\$inst\2.tmp
%ALLUSERSPROFILE%\vcruntime140.dll
%APPDATA%\gillmeister software\expert workshop\vsexpert.exe

Modifies the following files

Substitutes the following files

%APPDATA%\gillmeister software\expert workshop\aaa1ngvk

Network activity

Connects to

'an###vaaq.xyz':80

TCP

HTTP GET requests

http://an###vaaq.xyz/public/freebl3.dll
http://an###vaaq.xyz/public/mozglue.dll
http://an###vaaq.xyz/public/msvcp140.dll
http://an###vaaq.xyz/public/nss3.dll
http://an###vaaq.xyz/public/softokn3.dll
http://an###vaaq.xyz/public/vcruntime140.dll
http://an###vaaq.xyz/public/sqlite3.dll

UDP

DNS ASK an###vaaq.xyz

Miscellaneous

Creates and executes the following

'%APPDATA%\gillmeister software\expert workshop\vsexpert.exe'
'%WINDIR%\syswow64\cmd.exe' /c timeout /t 5 & del /f /q "%APPDATA%\Gillmeister Software\Expert Workshop\vsexpert.exe" & exit' (with hidden window)

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c timeout /t 5 & del /f /q "%APPDATA%\Gillmeister Software\Expert Workshop\vsexpert.exe" & exit
'%WINDIR%\syswow64\timeout.exe' /t 5

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial