Trojan.Siggen31.60195

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKLM\Software\Classes\cclaunch\shell\open\command] '' = '"%ProgramFiles%\CCleaner\ccleaner.exe" /%1'

Creates or modifies the following files

<SYSTEM32>\tasks\ccleaner update

Modifies file system

Creates the following files

%TEMP%\aut844.tmp
%WINDIR%\temp\temp_1\restfiles\blackbunny.gif
%TEMP%\aut883.tmp
%WINDIR%\temp\temp_1\restfiles\blackbunnyinstall.gif
%TEMP%\aut8b3.tmp
%WINDIR%\temp\temp_1\restfiles\blackbunnyend.gif
%TEMP%\aut199c.tmp
%WINDIR%\temp\temp_1\restfiles\setup.exe
%TEMP%\aut1fb8.tmp
%WINDIR%\temp\temp_1\restfiles\crack.exe
%TEMP%\nsr3d7e.tmp
%TEMP%\nsm3dae.tmp\system.dll
%TEMP%\nsm3dae.tmp\userinfo.dll
%TEMP%\nsm3dae.tmp\p\pfbl.dll
%TEMP%\nsm3dae.tmp\nsprocess.dll
%TEMP%\nsm3dae.tmp\inetc.dll
%ProgramFiles%\ccleaner\ccleaner.exe
%ProgramFiles%\ccleaner\ccleaner64.exe
%ProgramFiles%\ccleaner\ccupdate.exe
%ProgramFiles%\ccleaner\branding.dll
%ProgramFiles%\ccleaner\lang\lang-1031.dll
%ProgramFiles%\ccleaner\lang\lang-1041.dll
%ProgramFiles%\ccleaner\lang\lang-1049.dll
%ProgramFiles%\ccleaner\lang\lang-1053.dll
%ProgramFiles%\ccleaner\lang\lang-1042.dll
%ProgramFiles%\ccleaner\lang\lang-1044.dll
%ProgramFiles%\ccleaner\lang\lang-1040.dll
%ProgramFiles%\ccleaner\lang\lang-2070.dll
%ProgramFiles%\ccleaner\lang\lang-1043.dll
%ProgramFiles%\ccleaner\lang\lang-1036.dll
%ProgramFiles%\ccleaner\lang\lang-1034.dll
%ProgramFiles%\ccleaner\lang\lang-1045.dll
%ProgramFiles%\ccleaner\lang\lang-1028.dll
%ProgramFiles%\ccleaner\lang\lang-1030.dll
%ProgramFiles%\ccleaner\lang\lang-1035.dll
%ProgramFiles%\ccleaner\lang\lang-1046.dll
%ProgramFiles%\ccleaner\lang\lang-1038.dll
%ProgramFiles%\ccleaner\lang\lang-1029.dll
%ProgramFiles%\ccleaner\lang\lang-2052.dll
%ProgramFiles%\ccleaner\lang\lang-1027.dll
%ProgramFiles%\ccleaner\lang\lang-1037.dll
%ProgramFiles%\ccleaner\lang\lang-1032.dll
%ProgramFiles%\ccleaner\lang\lang-1055.dll
%ProgramFiles%\ccleaner\lang\lang-1025.dll
%ProgramFiles%\ccleaner\lang\lang-1048.dll
%ProgramFiles%\ccleaner\lang\lang-1110.dll
%ProgramFiles%\ccleaner\lang\lang-1063.dll
%ProgramFiles%\ccleaner\lang\lang-1052.dll
%ProgramFiles%\ccleaner\lang\lang-3098.dll
%ProgramFiles%\ccleaner\lang\lang-2074.dll
%ProgramFiles%\ccleaner\lang\lang-1051.dll
%ProgramFiles%\ccleaner\lang\lang-1071.dll
%ProgramFiles%\ccleaner\lang\lang-5146.dll
%ProgramFiles%\ccleaner\lang\lang-1026.dll
%ProgramFiles%\ccleaner\lang\lang-1050.dll
%ProgramFiles%\ccleaner\lang\lang-1066.dll
%ProgramFiles%\ccleaner\lang\lang-1058.dll
%ProgramFiles%\ccleaner\lang\lang-1061.dll
%ProgramFiles%\ccleaner\lang\lang-1065.dll
%ProgramFiles%\ccleaner\lang\lang-1067.dll
%ProgramFiles%\ccleaner\lang\lang-1079.dll
%ProgramFiles%\ccleaner\lang\lang-9999.dll
%ProgramFiles%\ccleaner\lang\lang-1068.dll
%ProgramFiles%\ccleaner\lang\lang-1060.dll
%ProgramFiles%\ccleaner\lang\lang-1059.dll
%ProgramFiles%\ccleaner\lang\lang-1087.dll
%ProgramFiles%\ccleaner\lang\lang-1062.dll
%ProgramFiles%\ccleaner\lang\lang-1102.dll
%ProgramFiles%\ccleaner\lang\lang-1057.dll
%ProgramFiles%\ccleaner\lang\lang-1092.dll
%ProgramFiles%\ccleaner\lang\lang-1109.dll
%ProgramFiles%\ccleaner\lang\lang-1054.dll
%ProgramFiles%\ccleaner\lang\lang-1081.dll
%ProgramFiles%\ccleaner\lang\lang-1104.dll
%ProgramFiles%\ccleaner\lang\lang-1155.dll
%ProgramFiles%\ccleaner\lang\lang-1090.dll
C:\users\public\desktop\ccleaner.lnk
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\ccleaner\ccleaner.lnk
%ALLUSERSPROFILE%\microsoft\windows\start menu\programs\ccleaner\ccleaner homepage.url
%ProgramFiles%\ccleaner\uninst.exe
%ProgramFiles%\ccleaner\ccleaner.dat
%ProgramFiles%\ccleaner\setup\338331cf-6a0e-451b-b870-b1728ccf8dff.ini
%ProgramFiles%\ccleaner\setup\dc96b50a-4ad0-4517-aef9-85f0ed561474.dll
%TEMP%\asw166cdef9208909e7.tmp
%TEMP%\aswc2c3d8a5947cab48.tmp
%TEMP%\asw 3b9dc8176fe9234.tmp
%TEMP%\asw7298fa9d8210e54c.tmp
%TEMP%\aswfbc8d8e188095711.tmp
%ProgramFiles%\ccleaner\ccupdate.ini
%ProgramFiles%\ccleaner\setup\54134f2c-75bf-41df-b48a-bdfe75f0309b.xml
%ProgramFiles%\ccleaner\setup\da579438-6ed0-4a58-a081-85cc51201246.cab
%ProgramFiles%\ccleaner\setup\d4b40d1e-8404-4964-9611-2a0c5ce6e652\update.xml
%ProgramFiles%\ccleaner\setup\d4b40d1e-8404-4964-9611-2a0c5ce6e652\updater.exe
%ProgramFiles%\ccleaner\setup\7878eab4-d30e-497b-87fd-e57ced491990.ini
%ProgramFiles%\ccleaner\setup\b1bbef4c-ca34-4d36-b74f-40ff27e75ffd.xml
%ProgramFiles%\ccleaner\setup\49b0d9da-c22a-4e2c-b5d2-79aad3e8c902.cab

Moves the following files

from %ProgramFiles%\ccleaner\ccupdate.exe to %ProgramFiles%\ccleaner\ccupdate.exe.175978439473401

Modifies the following files

%LOCALAPPDATA%\microsoft\penworkspace\discovercachedata.dat

Substitutes the following files

%ProgramFiles%\ccleaner\ccupdate.exe

Network activity

Connects to

'se#####.piriform.com':80
'ip#####.ff.avast.com':80
'em####te.avcdn.net':80
'cc######.tools.avcdn.net':80
'go#####a###ytics.com':80
'cc######.tools.avcdn.net':443

TCP

HTTP GET requests

http://se#####.piriform.com/installcheck.aspx?p=#################################################################################################################################################...
http://em####te.avcdn.net/files/emupdate/pong.txt
http://www.go#####a###ytics.com/collect?v=###########################################################################################################################################
http://cc######.tools.avcdn.net/tools/ccleaner/update/ccupdate10.cab
http://www.go#####a###ytics.com/collect?v=############################################################################################################################
http://cc######.tools.avcdn.net/tools/ccleaner/update/ccupdate068_mv.cab

Other

'cc######.tools.avcdn.net':443

UDP

DNS ASK se#####.piriform.com
DNS ASK ip#####.ff.avast.com
DNS ASK em####te.avcdn.net
DNS ASK cc######.tools.avcdn.net
DNS ASK go#####a###ytics.com

Miscellaneous

Searches for the following windows

ClassName: 'PiriformRegistration' WindowName: ''
ClassName: '#32770' WindowName: 'CCleaner'
ClassName: '#32770' WindowName: 'Piriform CCleaner'
ClassName: 'ThunderRT6FormDC' WindowName: 'CCleaner'
ClassName: 'PiriformCCleaner' WindowName: ''
ClassName: '#32770' WindowName: ''
ClassName: 'EDIT' WindowName: ''

Creates and executes the following

'%WINDIR%\temp\temp_1\restfiles\setup.exe' /S
'%ProgramFiles%\ccleaner\ccleaner64.exe' /createSkipUAC
'%ProgramFiles%\ccleaner\ccupdate.exe' /reg
'%WINDIR%\temp\temp_1\restfiles\crack.exe'
'%ProgramFiles%\ccleaner\ccupdate.exe' /emupdater /applydll "%ProgramFiles%\CCleaner\Setup\dc96b50a-4ad0-4517-aef9-85f0ed561474.dll"