Trojan.Siggen32.27047

Technical Information

Malicious functions

Searches for windows to

detect analytical utilities:

ClassName: 'OLLYDBG', WindowName: ''

Modifies file system

Creates the following files

%LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-69a2869c-cc0.pma
%LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-69a286a2-158.pma
%LOCALAPPDATA%\microsoft\edge\user data\default\manifest-000001
%LOCALAPPDATA%\microsoft\edge\user data\default\000001.dbtmp
%LOCALAPPDATA%\microsoft\edge\user data\default\manifest-000002
%LOCALAPPDATA%\microsoft\edge\user data\default\000002.dbtmp
%LOCALAPPDATA%\microsoft\edge\user data\default\log
%LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\index
%LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\data_0
%LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\data_2
%LOCALAPPDATA%\microsoft\edge\user data\default\gpucache\data_3
%LOCALAPPDATA%\microsoft\edge\user data\default\cookies-journal
%LOCALAPPDATA%\microsoft\edge\user data\default\cookies
%LOCALAPPDATA%\microsoft\edge\user data\default\session storage\manifest-000001
%LOCALAPPDATA%\microsoft\edge\user data\default\session storage\000001.dbtmp
%LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\manifest-000001
%LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\000001.dbtmp
%LOCALAPPDATA%\microsoft\edge\user data\default\session storage\log
%LOCALAPPDATA%\microsoft\edge\user data\default\session storage\000003.log
%LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\log
%LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\000003.log
%LOCALAPPDATA%\microsoft\edge\user data\default\cache\index
%LOCALAPPDATA%\microsoft\edge\user data\default\cache\data_0
%LOCALAPPDATA%\microsoft\edge\user data\default\cache\data_2
%LOCALAPPDATA%\microsoft\edge\user data\default\cache\data_3

Deletes following files that it created itself

%LOCALAPPDATA%\microsoft\edge\user data\default\manifest-000001
%LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-69a2869c-cc0.pma
%LOCALAPPDATA%\microsoft\edge\user data\browsermetrics\browsermetrics-69a286a2-158.pma

Moves the following files

from %LOCALAPPDATA%\microsoft\edge\user data\default\000001.dbtmp to %LOCALAPPDATA%\microsoft\edge\user data\default\current
from %LOCALAPPDATA%\microsoft\edge\user data\default\session storage\000001.dbtmp to %LOCALAPPDATA%\microsoft\edge\user data\default\session storage\current
from %LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\000001.dbtmp to %LOCALAPPDATA%\microsoft\edge\user data\default\shared_proto_db\metadata\current

Modifies the following files

%LOCALAPPDATA%\microsoft\edge\user data\last version
%LOCALAPPDATA%\microsoft\edge\user data\default\sync data\leveldb\log
%LOCALAPPDATA%\microsoft\edge\user data\default\sync data\leveldb\000003.log
%LOCALAPPDATA%\microsoft\edge\user data\default\site characteristics database\log
%LOCALAPPDATA%\microsoft\edge\user data\default\web data-journal
%LOCALAPPDATA%\microsoft\edge\user data\default\web data

Substitutes the following files

%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Platform Notifications\LOG

Network activity

Connects to

'localhost':8080
'co####.edge.skype.com':443

TCP

Other

'co####.edge.skype.com':443

UDP

DNS ASK co####.edge.skype.com

Miscellaneous

Searches for the following windows

ClassName: '' WindowName: 'OLLYDBG'
ClassName: 'x64dbg' WindowName: ''
ClassName: '' WindowName: 'x64dbg'
ClassName: 'x32dbg' WindowName: ''
ClassName: '' WindowName: 'x32dbg'
ClassName: 'IDA' WindowName: ''
ClassName: '' WindowName: 'IDA'
ClassName: 'Cheat Engine' WindowName: ''
ClassName: '' WindowName: 'Cheat Engine'
ClassName: 'Process Hacker' WindowName: ''
ClassName: '' WindowName: 'Process Hacker'
ClassName: 'Chrome_MessageWindow' WindowName: '%LOCALAPPDATA%\Microsoft\Edge\User Data'

Executes the following

'<SYSTEM32>\tasklist.exe' /FO CSV /NH
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "(Get-TpmEndorsementKeyInfo -HashAlgorithm SHA256 -ErrorAction SilentlyContinue).PublicKeyHash"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "(Get-WmiObject -Namespace 'Root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm -ErrorAction SilentlyContinue).SpecVersion"
'<SYSTEM32>\wbem\wmic.exe' csproduct get UUID
'<SYSTEM32>\wbem\wmic.exe' cpu get ProcessorId
'<SYSTEM32>\wbem\wmic.exe' baseboard get SerialNumber
'<SYSTEM32>\wbem\wmic.exe' bios get SerialNumber
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "(Get-PhysicalDisk | Where-Object {$_.DeviceID -eq 0} | Select-Object -ExpandProperty SerialNumber) -replace '\s+',''"
'<SYSTEM32>\wbem\wmic.exe' diskdrive get SerialNumber
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').ProductId"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "(Get-WmiObject Win32_VideoController | Select-Object -First 1).PNPDeviceID"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "(Get-WmiObject Win32_PhysicalMemory | Select-Object -ExpandProperty SerialNumber) -join ','"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -ErrorAction SilentlyContinue).BackupProductKeyDefault"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "Confirm-SecureBootUEFI -ErrorAction SilentlyContinue; (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecureBoot\State' -ErrorAction SilentlyContinue).UEFISecureB...
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "Get-NetAdapter -Physical | Where-Object {$_.Status -eq 'Up'} | Select-Object -First 1 -ExpandProperty PermanentAddress"
'<SYSTEM32>\wbem\wmic.exe' nic where NetConnectionStatus=2 get MACAddress
'<SYSTEM32>\cmd.exe' /c "vol C:"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "(Get-WmiObject WmiMonitorID -Namespace root\wmi -ErrorAction SilentlyContinue | ForEach-Object { $_.SerialNumberID -join '' }) -join '_'"
'<SYSTEM32>\wbem\wmic.exe' csproduct get Vendor
'<SYSTEM32>\wbem\wmic.exe' csproduct get Name
'<SYSTEM32>\wbem\wmic.exe' bios get SMBIOSBIOSVersion
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Cryptography').MachineGuid"
'<SYSTEM32>\rundll32.exe' url.dll,FileProtocolHandler http://localhost:47382
'<SYSTEM32>\rundll32.exe' <SYSTEM32>\FirewallControlPanel.dll,ShowNotificationDialog /configure /ETOnly 0 /OnProfiles 6 /OtherAllowed 0 /OtherBlocked 0 /OtherEdgeAllowed 0 /NewBlocked 4 "<Full path to file>"
'%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --single-argument http://localhost:47382/
'%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --flag-switches-begin --flag-switches-end --do-not-de-elevate http://localhost:47382/
'%ProgramFiles(x86)%\microsoft\edge\application\89.0.774.68\identity_helper.exe' --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,5536125304139842631,17232943903216071529,131072 --lang=en-US --service-sandbox-type=none --mojo-...
'%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --single-argument http://localhost:47382/' (with hidden window)
'%ProgramFiles(x86)%\microsoft\edge\application\msedge.exe' --flag-switches-begin --flag-switches-end --do-not-de-elevate http://localhost:47382/' (with hidden window)

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial