Trojan.Siggen21.14304

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

<SYSTEM32>\tasks\powercontrol hr

Sets the following service settings

[HKLM\System\CurrentControlSet\Services\jqprxthb] 'Start' = '00000002'
[HKLM\System\CurrentControlSet\Services\jqprxthb] 'ImagePath' = '%WINDIR%\SysWOW64\jqprxthb\ecmnplou.exe /d"%HOMEPATH%\Pictures\Minor Policy\YamgqxiG6kG_Lwy6WGfdNOEp.exe"'
[HKLM\SYSTEM\CurrentControlSet\services\jqprxthb] 'ImagePath' = '%WINDIR%\SysWOW64\jqprxthb\ecmnplou.exe'

Creates the following services

'jqprxthb' %WINDIR%\SysWOW64\jqprxthb\ecmnplou.exe /d"%HOMEPATH%\Pictures\Minor Policy\YamgqxiG6kG_Lwy6WGfdNOEp.exe"
'jqprxthb' %WINDIR%\SysWOW64\jqprxthb\ecmnplou.exe

Malicious functions

To complicate detection of its presence in the operating system,

blocks execution of the following system utilities:

Windows Defender

adds antivirus exclusion with following registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3C34782F-1DC9-4308-B229-6748533AE35E}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions] 'exe' = ''
[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions] 'exe' = ''
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{3E38AA3A-ECC4-4D18-8F36-F0D82C7F1C0F}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions] 'exe' = ''
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{C53503E0-3926-48D8-AF05-2EC500EF24A1}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions] 'exe' = ''

Executes the following

'%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul

Injects code into

the following system processes:

%WINDIR%\syswow64\svchost.exe

Modifies file system

Creates the following files

<SYSTEM32>\grouppolicy\gpt.ini
%TEMP%\ixp003.tmp\b4961141.exe
%TEMP%\ixp003.tmp\a2849708.exe
%WINDIR%\syswow64\grouppolicy\gpt.ini
%TEMP%\ixp002.tmp\c6303691.exe
%TEMP%\ixp002.tmp\v1801036.exe
%TEMP%\wddjjsj.cpl
%TEMP%\ixp001.tmp\d4701627.exe
%TEMP%\ixp001.tmp\v5090711.exe
%TEMP%\ixp000.tmp\e2100272.exe
%TEMP%\ixp000.tmp\v5453298.exe
%TEMP%\ecmnplou.exe
%HOMEPATH%\pictures\minor policy\6fu8cvscktuefkawfhsro0ta.exe
%HOMEPATH%\pictures\minor policy\ia1i4ts4_eecyhkjdnrs8rjb.exe
%HOMEPATH%\pictures\minor policy\upjve1zuxijukpqgwcynxidt.exe
%ProgramFiles(x86)%\powercontrol\powercontrol_svc.exe
%HOMEPATH%\pictures\minor policy\fcha0r90pwte0ktuden8pohh.exe
%HOMEPATH%\pictures\minor policy\nfmr_0ubt6uh_7vfsxqdaopq.exe
%HOMEPATH%\pictures\minor policy\jgevcqk4gts5ysjdg4mhy5ym.exe
%HOMEPATH%\pictures\minor policy\o5puengrp5lrisgg2jc3sscs.exe
%HOMEPATH%\pictures\minor policy\y7uqpsxbjffzbckcusro0010.exe
%HOMEPATH%\pictures\minor policy\s3dhieaaaxwmv2vqbail4wx8.exe
%HOMEPATH%\pictures\minor policy\yamgqxig6kg_lwy6wgfdnoep.exe
%HOMEPATH%\pictures\minor policy\kovh8f_0t7ecjmsocw9tpsai.exe
%HOMEPATH%\pictures\minor policy\omtdwkfpeghzsvj4uhydkvp7.exe
%HOMEPATH%\pictures\minor policy\yqvp2ccztxtth547hpmhn6ks.exe
%HOMEPATH%\pictures\minor policy\2gj8ce377awqnylcqxm8m4x8.exe
%HOMEPATH%\pictures\minor policy\2ejh9xmo5o_durpa4mauuujn.exe
%HOMEPATH%\pictures\minor policy\orq5sfybrrqadqowbuufiwqm.exe
%ALLUSERSPROFILE%\ntuser.pol
<SYSTEM32>\grouppolicy\machine\registry.pol
%HOMEPATH%\pictures\minor policy\xb1imy4ojdxpderyrrzcmoc8.exe
%HOMEPATH%\documents\baiamad3rmzfqs3d3y5eisrw.exe

Sets the 'hidden' attribute to the following files

%ALLUSERSPROFILE%\tempntuser.pol

Deletes the following files

%ALLUSERSPROFILE%\tempntuser.pol
%HOMEPATH%\pictures\minor policy\s3dhieaaaxwmv2vqbail4wx8.exe
%HOMEPATH%\pictures\minor policy\yamgqxig6kg_lwy6wgfdnoep.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\0y9o17dr\siddharthabuddh4_5[1].bmp
%HOMEPATH%\pictures\minor policy\2ejh9xmo5o_durpa4mauuujn.exe
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\0y9o17dr\pmmp[1].bmp
%LOCALAPPDATA%\microsoft\windows\<INETFILES>\content.ie5\qkr46vql\okka25[1].exe

Moves the following files

from %ALLUSERSPROFILE%\ntuser.pol to %ALLUSERSPROFILE%\tempntuser.pol
from %TEMP%\ecmnplou.exe to %WINDIR%\syswow64\jqprxthb\ecmnplou.exe

Substitutes the following files

%ALLUSERSPROFILE%\ntuser.pol
%ALLUSERSPROFILE%\tempntuser.pol

Network activity

Connects to

'94.##2.138.131':80
'us.###jeoigaa.com':80
'ip##s.ru':443
'ip###ger.org':443
'19#.#69.175.128':50500
'te###ram.org':443
'ad####nclaeys.top':80
'x1.#.lencr.org':80
'x2.#.lencr.org':80
'db##p.com':443
'aa.###jeoogbb.com':80
'dz#n.ru':443
'85.##8.136.10':80
'45.##.156.229':80
'ap#.#b-ip.com':443
'ma##ind.com':80
'tw##ter.com':443
'yandex.ru':443
'ap#.#yip.com':80
'ps##.#serapi.com':443
'95.##4.25.207':3002
'ip##fo.io':443
'vk.com':80
'vk.com':443
'16#.#23.143.4':80
'95.##4.25.207':80
'77.##.124.231':80
'17#.#13.115.84':80
'ap#.#yip.com':443
'87.##1.221.58':80
'bu###l.store':80
'zz#.##auiehgha.com':80
're###oot.top':80
'bu###l.store':443
'su####4.userapi.com':443
'su####7.userapi.com':443
'17#.#13.115.84':8080
'hu##rsi.com':80
'ma##ind.com':443
'mi##########m.mail.protection.outlook.com':25

TCP

HTTP GET requests

http://77.##.124.231/info/photo443.exe
http://www.ma##ind.com/geoip/v2.1/city/me
http://45.##.156.229/api/tracemap.php
http://aa.###jeoogbb.com/check/safe
http://ad####nclaeys.top/412a0310f85f16ad/sqlite3.dll
http://us.###jeoigaa.com/sts/imagc.jpg
http://x2.#.lencr.org/
http://94.##2.138.131/api/tracemap.php
http://x1.#.lencr.org/
http://17#.##3.115.84:8080/4.php via 17#.#13.115.84
http://zz#.##auiehgha.com/m/okka25.exe
http://re###oot.top/calc2.exe
http://16#.#23.143.4/download/Service32.exe
http://87.##1.221.58/g.exe
http://hu##rsi.com/dl/6523.exe
http://95.###.25.207:3002/file.exe via 95.##4.25.207
http://16#.#23.143.4/download/WWW14_64.exe

Other

'ap#.#yip.com':443
'dz#n.ru':443
'yandex.ru':443
'tw##ter.com':443
'te###ram.org':443
'19#.#69.175.128':50500
'ip###ger.org':443
'ip##s.ru':443
'ps##.#serapi.com':443
'su####7.userapi.com':443
'su####4.userapi.com':443
'bu###l.store':443
'bu###l.store':80
'vk.com':443
'vk.com':80
'ip##fo.io':443
'sso.passport.yandex.ru':443
'ma##ind.com':443

UDP

DNS ASK ap#.#yip.com
DNS ASK ap#.#b-ip.com
DNS ASK sso.passport.yandex.ru
DNS ASK dz#n.ru
DNS ASK aa.###jeoogbb.com
DNS ASK yandex.ru
DNS ASK tw##ter.com
DNS ASK db##p.com
DNS ASK ad####nclaeys.top
DNS ASK te###ram.org
DNS ASK ip###ger.org
DNS ASK ip##s.ru
DNS ASK us.###jeoigaa.com
DNS ASK x2.#.lencr.org
DNS ASK x1.#.lencr.org
DNS ASK ps##.#serapi.com
DNS ASK su####7.userapi.com
DNS ASK su####4.userapi.com
DNS ASK re###oot.top
DNS ASK bu###l.store
DNS ASK hu##rsi.com
DNS ASK zz#.##auiehgha.com
DNS ASK vk.com
DNS ASK ip##fo.io
DNS ASK ma##ind.com
DNS ASK mi##########m.mail.protection.outlook.com

Miscellaneous

Searches for the following windows

ClassName: 'EDIT' WindowName: ''

Creates and executes the following

'%HOMEPATH%\pictures\minor policy\2ejh9xmo5o_durpa4mauuujn.exe'
'%HOMEPATH%\pictures\minor policy\xb1imy4ojdxpderyrrzcmoc8.exe'
'%WINDIR%\syswow64\jqprxthb\ecmnplou.exe' /d"%HOMEPATH%\Pictures\Minor Policy\YamgqxiG6kG_Lwy6WGfdNOEp.exe"
'%TEMP%\ixp003.tmp\a2849708.exe'
'%TEMP%\ixp002.tmp\v1801036.exe'
'%TEMP%\ixp000.tmp\v5453298.exe'
'%HOMEPATH%\pictures\minor policy\fcha0r90pwte0ktuden8pohh.exe'
'%HOMEPATH%\pictures\minor policy\upjve1zuxijukpqgwcynxidt.exe'
'%HOMEPATH%\pictures\minor policy\ia1i4ts4_eecyhkjdnrs8rjb.exe'
'%TEMP%\ixp001.tmp\v5090711.exe'
'%HOMEPATH%\pictures\minor policy\yamgqxig6kg_lwy6wgfdnoep.exe'
'%HOMEPATH%\pictures\minor policy\nfmr_0ubt6uh_7vfsxqdaopq.exe'
'%HOMEPATH%\documents\baiamad3rmzfqs3d3y5eisrw.exe'
'%HOMEPATH%\pictures\minor policy\jgevcqk4gts5ysjdg4mhy5ym.exe'
'%HOMEPATH%\pictures\minor policy\s3dhieaaaxwmv2vqbail4wx8.exe'
'%HOMEPATH%\pictures\minor policy\o5puengrp5lrisgg2jc3sscs.exe'
'%HOMEPATH%\pictures\minor policy\6fu8cvscktuefkawfhsro0ta.exe'
'%HOMEPATH%\pictures\minor policy\yqvp2ccztxtth547hpmhn6ks.exe'
'%HOMEPATH%\pictures\minor policy\omtdwkfpeghzsvj4uhydkvp7.exe'
'%HOMEPATH%\pictures\minor policy\2ejh9xmo5o_durpa4mauuujn.exe' ' (with hidden window)
'%WINDIR%\syswow64\sc.exe' start jqprxthb' (with hidden window)
'%WINDIR%\syswow64\sc.exe' description jqprxthb "wifi internet conection"' (with hidden window)
'%WINDIR%\syswow64\sc.exe' create jqprxthb binPath= "%WINDIR%\SysWOW64\jqprxthb\ecmnplou.exe /d\"%HOMEPATH%\Pictures\Minor Policy\YamgqxiG6kG_Lwy6WGfdNOEp.exe\"" type= own start= auto DisplayName= "wifi support"' (with hidden window)
'%HOMEPATH%\pictures\minor policy\jgevcqk4gts5ysjdg4mhy5ym.exe' ' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\jqprxthb\' (with hidden window)
'%TEMP%\ixp001.tmp\v5090711.exe' ' (with hidden window)
'%TEMP%\ixp002.tmp\v1801036.exe' ' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c timeout /t 5 & del /f /q "%HOMEPATH%\Pictures\Minor Policy\S3DHieAaaxWMV2vqBaIl4wX8.exe" & del "%ALLUSERSPROFILE%\*.dll"" & exit' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\ecmnplou.exe" %WINDIR%\SysWOW64\jqprxthb\' (with hidden window)
'%TEMP%\ixp003.tmp\a2849708.exe' ' (with hidden window)
'%HOMEPATH%\pictures\minor policy\o5puengrp5lrisgg2jc3sscs.exe' ' (with hidden window)
'%HOMEPATH%\pictures\minor policy\xb1imy4ojdxpderyrrzcmoc8.exe' ' (with hidden window)
'%HOMEPATH%\pictures\minor policy\yqvp2ccztxtth547hpmhn6ks.exe' ' (with hidden window)
'%HOMEPATH%\pictures\minor policy\nfmr_0ubt6uh_7vfsxqdaopq.exe' ' (with hidden window)
'%HOMEPATH%\pictures\minor policy\yamgqxig6kg_lwy6wgfdnoep.exe' ' (with hidden window)
'%HOMEPATH%\pictures\minor policy\6fu8cvscktuefkawfhsro0ta.exe' ' (with hidden window)
'%HOMEPATH%\pictures\minor policy\omtdwkfpeghzsvj4uhydkvp7.exe' ' (with hidden window)
'%WINDIR%\syswow64\netsh.exe' advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="%WINDIR%\SysWOW64\svchost.exe" enable=yes>nul' (with hidden window)
'%HOMEPATH%\pictures\minor policy\s3dhieaaaxwmv2vqbail4wx8.exe' ' (with hidden window)
'%HOMEPATH%\pictures\minor policy\upjve1zuxijukpqgwcynxidt.exe' ' (with hidden window)
'%HOMEPATH%\pictures\minor policy\fcha0r90pwte0ktuden8pohh.exe' ' (with hidden window)
'%TEMP%\ixp000.tmp\v5453298.exe' ' (with hidden window)
'%HOMEPATH%\pictures\minor policy\ia1i4ts4_eecyhkjdnrs8rjb.exe' ' (with hidden window)

Executes the following

'<SYSTEM32>\svchost.exe' -k secsvcs
'<SYSTEM32>\raserver.exe' /offerraupdate
'%WINDIR%\syswow64\control.exe' "%TEMP%\WDDJJsJ.cpL",
'%WINDIR%\syswow64\cmd.exe' /c timeout /t 5 & del /f /q "%HOMEPATH%\Pictures\Minor Policy\S3DHieAaaxWMV2vqBaIl4wX8.exe" & del "%ALLUSERSPROFILE%\*.dll"" & exit
'%WINDIR%\syswow64\cmd.exe' /C mkdir %WINDIR%\SysWOW64\jqprxthb\
'%WINDIR%\syswow64\cmd.exe' /C move /Y "%TEMP%\ecmnplou.exe" %WINDIR%\SysWOW64\jqprxthb\
'%WINDIR%\syswow64\timeout.exe' /t 5
'%WINDIR%\syswow64\rundll32.exe' Shell32.dll,Control_RunDLL "%TEMP%\WDDJJsJ.cpL",
'%WINDIR%\syswow64\sc.exe' create jqprxthb binPath= "%WINDIR%\SysWOW64\jqprxthb\ecmnplou.exe /d\"%HOMEPATH%\Pictures\Minor Policy\YamgqxiG6kG_Lwy6WGfdNOEp.exe\"" type= own start= auto DisplayName= "wifi support"
'%WINDIR%\syswow64\sc.exe' description jqprxthb "wifi internet conection"
'%WINDIR%\syswow64\sc.exe' start jqprxthb
'<SYSTEM32>\rundll32.exe' Shell32.dll,Control_RunDLL "%TEMP%\WDDJJsJ.cpL",
'%WINDIR%\syswow64\schtasks.exe' /create /f /RU "user" /tr "%ProgramFiles(x86)%\PowerControl\PowerControl_Svc.exe" /tn "PowerControl HR" /sc HOURLY /rl HIGHEST
'%WINDIR%\syswow64\svchost.exe'
'%WINDIR%\syswow64\schtasks.exe' /create /f /RU "user" /tr "%ProgramFiles(x86)%\PowerControl\PowerControl_Svc.exe" /tn "PowerControl LG" /sc ONLOGON /rl HIGHEST

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial