Trojan.Siggen29.48236

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

<SYSTEM32>\tasks\windowssecuritywrapper
%APPDATA%\microsoft\windows\start menu\programs\startup\windowssecuritywrapper.lnk

Malicious functions

To complicate detection of its presence in the operating system,

adds antivirus exclusion:

'%WINDIR%\syswow64\windowspowershell\v1.0\powershell.exe' -Command "Add-MpPreference -ExclusionPath '%HOMEPATH%\WindowsExecutables'"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '%HOMEPATH%\Windows Driver Foundation.exe'
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Driver Foundation.exe'
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '%APPDATA%\WindowsSecurityWrapper.exe'
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurityWrapper.exe'

Modifies file system

Creates the following files

%TEMP%\d.bat
%TEMP%\_mei4962\api-ms-win-core-synch-l1-2-0.dll
%TEMP%\_mei4962\api-ms-win-core-sysinfo-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-core-timezone-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-core-util-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-crt-conio-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-crt-convert-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-crt-environment-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-crt-filesystem-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-crt-heap-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-crt-locale-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-crt-math-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-crt-process-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-crt-runtime-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-crt-stdio-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-crt-time-l1-1-0.dll
%APPDATA%\mydata\datalogs.conf
%TEMP%\_mei4962\api-ms-win-crt-utility-l1-1-0.dll
%TEMP%\_mei4962\libcrypto-1_1.dll
%TEMP%\_mei4962\libffi-8.dll
%TEMP%\_mei4962\libssl-1_1.dll
%TEMP%\_mei4962\python311.dll
%TEMP%\_mei4962\rar.exe
%TEMP%\_mei4962\select.pyd
%TEMP%\_mei4962\sqlite3.dll
%TEMP%\_mei4962\ucrtbase.dll
%TEMP%\_mei4962\unicodedata.pyd
%TEMP%\_mei4962\base_library.zip
%TEMP%\_mei4962\blank.aes
%TEMP%\_mei4962\rarreg.key
nul
%TEMP%\_mei4962\api-ms-win-core-synch-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-crt-string-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-core-string-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-core-datetime-l1-1-0.dll
%HOMEPATH%\windows service wrapper.exe
%HOMEPATH%\windows driver foundation.exe
%TEMP%\8jhmtrrrr.exe
%TEMP%\_mei4962\vcruntime140.dll
%TEMP%\_mei4962\_bz2.pyd
%TEMP%\_mei4962\_ctypes.pyd
%TEMP%\_mei4962\_decimal.pyd
%TEMP%\_mei4962\_hashlib.pyd
%TEMP%\_mei4962\_lzma.pyd
%TEMP%\_mei4962\_queue.pyd
%TEMP%\_mei4962\_socket.pyd
%TEMP%\_mei4962\_sqlite3.pyd
%TEMP%\_mei4962\_ssl.pyd
%TEMP%\_mei4962\api-ms-win-core-console-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-core-debug-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-core-profile-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-core-errorhandling-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-core-file-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-core-file-l1-2-0.dll
%TEMP%\_mei4962\api-ms-win-core-file-l2-1-0.dll
%TEMP%\_mei4962\api-ms-win-core-handle-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-core-heap-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-core-interlocked-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-core-libraryloader-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-core-localization-l1-2-0.dll
%TEMP%\_mei4962\api-ms-win-core-memory-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-core-namedpipe-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-core-processenvironment-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-core-processthreads-l1-1-0.dll
%TEMP%\_mei4962\api-ms-win-core-processthreads-l1-1-1.dll
%TEMP%\_mei4962\api-ms-win-core-rtlsupport-l1-1-0.dll
%APPDATA%\windowssecuritywrapper.exe

Deletes the following files

%WINDIR%\syswow64\config\systemprofile\appdata\local\Microsoft\windows\history\desktop.ini
%WINDIR%\syswow64\config\systemprofile\appdata\local\Microsoft\windows\history\history.ie5\desktop.ini
%WINDIR%\syswow64\config\systemprofile\appdata\local\Microsoft\windows\history\history.ie5\index.dat
%WINDIR%\syswow64\config\systemprofile\appdata\local\Microsoft\windows\<INETFILES>\content.ie5\0ps72r2m\desktop.ini
%WINDIR%\syswow64\config\systemprofile\appdata\local\Microsoft\windows\<INETFILES>\content.ie5\62axopq5\desktop.ini
%WINDIR%\syswow64\config\systemprofile\appdata\local\Microsoft\windows\<INETFILES>\content.ie5\desktop.ini
%WINDIR%\syswow64\config\systemprofile\appdata\local\Microsoft\windows\<INETFILES>\content.ie5\fzg8ckj5\desktop.ini
%WINDIR%\syswow64\config\systemprofile\appdata\local\Microsoft\windows\<INETFILES>\content.ie5\index.dat
%WINDIR%\syswow64\config\systemprofile\appdata\local\Microsoft\windows\<INETFILES>\content.ie5\lixmvqoa\desktop.ini
%WINDIR%\syswow64\config\systemprofile\appdata\local\Microsoft\windows\<INETFILES>\desktop.ini
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\Microsoft\CryptnetUrlCache\content\7B2238AACCEDC3F1FFE8E7EB5F575EC9
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\Microsoft\CryptnetUrlCache\content\94308059B57B3142E455B38A6EB92015
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\Microsoft\CryptnetUrlCache\metadata\7B2238AACCEDC3F1FFE8E7EB5F575EC9
%WINDIR%\syswow64\config\systemprofile\appdata\locallow\Microsoft\CryptnetUrlCache\metadata\94308059B57B3142E455B38A6EB92015
%WINDIR%\syswow64\config\systemprofile\appdata\roaming\Microsoft\windows\cookies\index.dat

Network activity

Connects to

'ip##pi.com':80
'pa###bin.com':443
'pk#.goog':80

TCP

HTTP GET requests

http://ip##pi.com/line/?fi############
http://pk#.goog/gsr1/gsr1.crt

Other

'pa###bin.com':443

UDP

DNS ASK ip##pi.com
DNS ASK pa###bin.com
DNS ASK pk#.goog

Miscellaneous

Creates and executes the following

'%HOMEPATH%\windows service wrapper.exe'
'%HOMEPATH%\windows driver foundation.exe'
'%TEMP%\8jhmtrrrr.exe'
'%APPDATA%\windowssecuritywrapper.exe'

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\d.bat" "
'<SYSTEM32>\schtasks.exe' /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSecurityWrapper" /tr "%APPDATA%\WindowsSecurityWrapper.exe"
'<SYSTEM32>\taskeng.exe' {51A61F8E-1A3C-4E08-872C-98ED55192DC3} S-1-5-21-3691498038-2086406363-2140527554-1000:miycxxf\user:Interactive:[1]
'%WINDIR%\syswow64\net1.exe' session
'%WINDIR%\syswow64\net.exe' session
'%WINDIR%\syswow64\reagentc.exe' /disable
'%WINDIR%\syswow64\mode.com' 70,25
'%TEMP%\8jhmtrrrr.exe' ' (with hidden window)
'<SYSTEM32>\schtasks.exe' /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSecurityWrapper" /tr "%APPDATA%\WindowsSecurityWrapper.exe"' (with hidden window)
'%HOMEPATH%\windows service wrapper.exe' ' (with hidden window)
'%HOMEPATH%\windows driver foundation.exe' ' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurityWrapper.exe'' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '%APPDATA%\WindowsSecurityWrapper.exe'' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath '%HOMEPATH%\Windows Driver Foundation.exe'' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\d.bat" "' (with hidden window)
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Windows Driver Foundation.exe'' (with hidden window)
'%APPDATA%\windowssecuritywrapper.exe' ' (with hidden window)

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial