Trojan.Siggen32.4314

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

<SYSTEM32>\tasks\microsoft\windows\windows update listner
<SYSTEM32>\tasks\microsoft\sywi222
<SYSTEM32>\tasks\microsoft\splwow

Malicious functions

Executes the following

'<SYSTEM32>\netsh.exe' advfirewall firewall add rule name="Windows Update Listner" dir=in action=allow program="<SYSTEM32>\mppr.exe" enable=yes
'%WINDIR%\syswow64\taskkill.exe' /im splwow32.exe /f

Modifies file system

Creates the following files

%TEMP%\4brrsyrb.2c1.exe
%TEMP%\9.png
<SYSTEM32>\mppr.exe
%TEMP%\tmpf30b.tmp.bat
%LOCALAPPDATA%\microsoft\clr_v4.0\usagelogs\4brrsyrb.2c1.exe.log
%TEMP%\tmpfea4.tmp
%TEMP%\tmpfee3.tmp
%LOCALAPPDATA%\microsoft\clr_v4.0\usagelogs\<File name>.exe.log
%HOMEPATH%\desktop.inf
%LOCALAPPDATA%\google\crashreports\screenboardv20
%LOCALAPPDATA%\google\crashreports\loaderv23
%TEMP%\tmp9eaf.tmp.exe
%WINDIR%\syswow64\splwow32.exe
%TEMP%\d2pjpudb.m5e.bat
nul
%LOCALAPPDATA%\microsoft\clr_v4.0_32\usagelogs\tmp9eaf.tmp.exe.log

Sets the 'hidden' attribute to the following files

<SYSTEM32>\mppr.exe
%WINDIR%\syswow64\splwow32.exe

Deletes following files that it created itself

%TEMP%\tmpfea4.tmp
%TEMP%\tmpfee3.tmp

Network activity

Connects to

'localhost':443
'vv######jnj25i5.hopto.org':443
'vv######jnj25i5.hopto.org':6062
'vv######jnj25i5.hopto.org':80

TCP

HTTP GET requests

http://93.##3.84.212/files/loader/OnoMiner_obfus.exe

Other

'vv######jnj25i5.hopto.org':443

UDP

DNS ASK vv######oij25i4.hopto.org
DNS ASK ui######wgydfhbhuifdf.com
DNS ASK vv######gyuigi2.hopto.org
DNS ASK pr######ag32dds.hopto.org
DNS ASK 91######nqtphj2.hopto.org
DNS ASK cv######wgyffrwu9iww6.com
DNS ASK 2w######jfui309.hopto.org
DNS ASK ww######gyui3s1.hopto.org
DNS ASK 8j######wi6ns92.hopto.org
DNS ASK an######sa9923p.hopto.org
DNS ASK ug######jhf02jbhdfg9u.com
DNS ASK dw######jfk8ds5.hopto.org
DNS ASK vv######jnj25i5.hopto.org

Miscellaneous

Searches for the following windows

ClassName: 'NarratorUIClass' WindowName: ''
ClassName: '' WindowName: ''

Creates and executes the following

'%TEMP%\4brrsyrb.2c1.exe'
'<SYSTEM32>\mppr.exe'
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' –ExecutionPolicy Bypass Start-Process -FilePath '"%TEMP%\tmp9EAF.tmp.exe"'
'%TEMP%\tmp9eaf.tmp.exe'
'%WINDIR%\syswow64\splwow32.exe'

Executes the following

'<SYSTEM32>\cmd.exe' /c schtasks /create /f /sc minute /mo 5 /tn "Microsoft\Windows\Windows Update Listner" /tr "<SYSTEM32>\mppr.exe" /RL HIGHEST & exit
'<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Windows Update Listner" dir=in action=allow program="<SYSTEM32>\mppr.exe" enable=yes & exit
'<SYSTEM32>\cmd.exe' /c ""%TEMP%\tmpF30B.tmp.bat""
'<SYSTEM32>\schtasks.exe' /create /f /sc minute /mo 5 /tn "Microsoft\Windows\Windows Update Listner" /tr "<SYSTEM32>\mppr.exe" /RL HIGHEST
'<SYSTEM32>\svchost.exe' -k appmodel -p -s camsvc
'<SYSTEM32>\cmd.exe' /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"%TEMP%\tmp9EAF.tmp.exe"' & exit
'%WINDIR%\syswow64\cmd.exe' /c schtasks /create /f /rl highest /tn "Microsoft\splwow" /tr "<SYSTEM32>\splwow32.exe" /sc onlogon & exit
'%WINDIR%\syswow64\cmd.exe' /c schtasks /create /f /sc minute /rl highest /mo 5 /tn "Microsoft\sywi222" /tr "<SYSTEM32>\splwow32.exe" & exit
'%WINDIR%\syswow64\cmd.exe' /c ""%TEMP%\d2pjpudb.m5e.bat""
'%WINDIR%\syswow64\schtasks.exe' /create /f /rl highest /tn "Microsoft\splwow" /tr "<SYSTEM32>\splwow32.exe" /sc onlogon
'%WINDIR%\syswow64\schtasks.exe' /create /f /sc minute /rl highest /mo 5 /tn "Microsoft\sywi222" /tr "<SYSTEM32>\splwow32.exe"
'%WINDIR%\syswow64\timeout.exe' 8
'%WINDIR%\syswow64\cmd.exe' /c taskkill /im splwow32.exe /f
'<SYSTEM32>\cmd.exe' /c schtasks /create /f /sc minute /mo 5 /tn "Microsoft\Windows\Windows Update Listner" /tr "<SYSTEM32>\mppr.exe" /RL HIGHEST & exit' (with hidden window)
'<SYSTEM32>\cmd.exe' /c netsh advfirewall firewall add rule name="Windows Update Listner" dir=in action=allow program="<SYSTEM32>\mppr.exe" enable=yes & exit' (with hidden window)
'<SYSTEM32>\cmd.exe' /c start /b powershell –ExecutionPolicy Bypass Start-Process -FilePath '"%TEMP%\tmp9EAF.tmp.exe"' & exit' (with hidden window)