Trojan.Siggen32.7484

Technical Information

To ensure autorun and distribution

Modifies the following registry keys

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'run' = '<SYSTEM32>\boy.exe'
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows] 'load' = '<SYSTEM32>\boy.exe'
[HKLM\Software\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon] 'shell' = 'Explorer.exe <SYSTEM32>\boy.exe'

Creates or modifies the following files

<SYSTEM32>\tasks\microsoft\windows\upnp\services

Sets the following service settings

[HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent] 'Start' = '00000002'
[HKLM\SYSTEM\CurrentControlSet\services\iis] 'Start' = '00000002'
[HKLM\SYSTEM\CurrentControlSet\services\iis] 'ImagePath' = '"%WINDIR%\IIS\srvany.exe" '

Malicious functions

Searches for windows to

detect analytical utilities:

ClassName: 'FilemonClass', WindowName: ''
ClassName: '', WindowName: 'File Monitor - Sysinternals: www.sysinternals.com'
ClassName: 'PROCMON_WINDOW_CLASS', WindowName: ''
ClassName: '', WindowName: 'Process Monitor - Sysinternals: www.sysinternals.com'
ClassName: 'RegmonClass', WindowName: ''
ClassName: '', WindowName: 'Registry Monitor - Sysinternals: www.sysinternals.com'

Modifies file system

Creates the following files

%WINDIR%\iis\cpuinfo.exe
%WINDIR%\syswow64\boy.exe
%WINDIR%\end.bat
%WINDIR%\iis\srvany.exe
%WINDIR%\iis\iis.reg
%WINDIR%\iis\1.bat
%WINDIR%\iis\qdx.bat
%WINDIR%\iis\chrome..exe
%WINDIR%\iis\chrome..xml
%WINDIR%\iis\chrome..fb
%WINDIR%\iis\cstr.exe
%WINDIR%\iis\cstr.fb
%WINDIR%\iis\cstr.xml
%WINDIR%\iis\esteemaudit-2.1.0.exe
%WINDIR%\iis\esteemaudit-2.1.0.xml
%WINDIR%\iis\esteemaudit-2.1.0.fb
%WINDIR%\iis\esteemaudittouch-2.1.0.exe
%WINDIR%\iis\esteemaudittouch-2.1.0.xml
%WINDIR%\iis\esteemaudittouch-2.1.0.fb
%WINDIR%\iis\eternalchampion-2.0.0.exe
%WINDIR%\iis\eternalchampion-2.0.0.fb
%WINDIR%\iis\eternalchampion-2.0.0.xml
%WINDIR%\iis\adfw.dll
%WINDIR%\iis\adfw-2.dll
%WINDIR%\iis\cnli-0.dll
%WINDIR%\iis\cnli-1.dll
%WINDIR%\iis\coli-0.dll
%WINDIR%\iis\crli-0.dll
%WINDIR%\iis\dmgd-1.dll
%WINDIR%\iis\dmgd-4.dll
%WINDIR%\iis\esco-0.dll
%WINDIR%\iis\etch-0.dll
%WINDIR%\iis\etchcore-0.x64.dll
%WINDIR%\iis\etchcore-0.x86.dll
%WINDIR%\iis\eteb-2.dll
%WINDIR%\iis\etebcore-2.x64.dll
%WINDIR%\iis\etebcore-2.x86.dll
%WINDIR%\iis\exma.dll
%WINDIR%\iis\exma-1.dll
%WINDIR%\iis\iconv.dll
%WINDIR%\iis\libcurl.dll
%WINDIR%\iis\libeay32.dll
%WINDIR%\iis\libiconv-2.dll
%WINDIR%\iis\libxml2.dll
%WINDIR%\iis\pcla-0.dll
%WINDIR%\iis\pcre-0.dll
%WINDIR%\iis\pcrecpp-0.dll
%WINDIR%\iis\pcreposix-0.dll
%WINDIR%\iis\posh.dll
%WINDIR%\iis\posh-0.dll
%WINDIR%\iis\riar.dll
%WINDIR%\iis\riar-2.dll
%WINDIR%\iis\ssleay32.dll
%WINDIR%\iis\tibe.dll
%WINDIR%\iis\tibe-1.dll
%WINDIR%\iis\tibe-2.dll
%WINDIR%\iis\trch.dll
%WINDIR%\iis\trch-0.dll
%WINDIR%\iis\trch-1.dll
%WINDIR%\iis\trfo.dll
%WINDIR%\iis\trfo-0.dll
%WINDIR%\iis\trfo-2.dll
%WINDIR%\iis\tucl.dll
%WINDIR%\iis\tucl-1.dll
%WINDIR%\iis\ucl.dll
%WINDIR%\iis\xdvl-0.dll
%WINDIR%\iis\zibe.dll
%WINDIR%\iis\zlib1.dll

Deletes following files that it created itself

%WINDIR%\end.bat
%WINDIR%\iis\qdx.bat
%WINDIR%\iis\1.bat

Deletes itself.

Network activity

TCP

Other

'15#.#01.129.91':443

UDP

DNS ASK gx.##sthash.org

Miscellaneous

Searches for the following windows

ClassName: '18467-41' WindowName: ''
ClassName: '' WindowName: 'CPUInfo.exe'
ClassName: '' WindowName: 'sys.exe'
ClassName: '#32770' WindowName: 'chrome..exe - Г“В¦Г“ГѓВіГЊГђГІВґГГЋГі'
ClassName: '' WindowName: 'svshostr.exe'
ClassName: '' WindowName: 'csrss..exe'
ClassName: '' WindowName: 'svchostr.exe'
ClassName: 'RegEdit_RegEdit' WindowName: ''
ClassName: '' WindowName: ':443/123.exe'

Creates and executes the following

'%WINDIR%\iis\cpuinfo.exe'

Executes the following

'%WINDIR%\syswow64\cmd.exe' /c del "<Full path to file>"
'%WINDIR%\syswow64\cmd.exe' /c ""%WINDIR%\end.bat" "
'%WINDIR%\syswow64\netsh.exe' ipsec static add policy name=ipsec_ply
'%WINDIR%\syswow64\netsh.exe' ipsec static add filterlist name=deny_pt
'%WINDIR%\syswow64\netsh.exe' ipsec static add filterlist name=allow_pt
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=445 protocol=TCP
'%WINDIR%\syswow64\netsh.exe' ipsec static add filter filterlist=deny_pt srcaddr=any dstaddr=ME dstport=139 protocol=TCP
'%WINDIR%\syswow64\netsh.exe' ipsec static add filteraction name=deny action=block
'%WINDIR%\syswow64\netsh.exe' ipsec static add filteraction name=allow action=negotiate
'%WINDIR%\syswow64\netsh.exe' ipsec static add rule name=deny policy=ipsec_ply filterlist=deny_pt filteraction=deny
'%WINDIR%\syswow64\netsh.exe' ipsec static add rule name=allow policy=ipsec_ply filterlist=allow_pt filteraction=allow psk="(@=P#$bV4$"
'%WINDIR%\syswow64\netsh.exe' ipsec static set policy name=ipsec_ply assign=y
'%WINDIR%\syswow64\cmd.exe' /c ""%WINDIR%\IIS\1.BAT" "
'%WINDIR%\syswow64\cmd.exe' /c ""%WINDIR%\IIS\qdx.bat" "
'%WINDIR%\syswow64\schtasks.exe' /create /TN "\Microsoft\Windows\UPnP\Services" /RU SYSTEM /TR "%WINDIR%\IIS\CPUInfo.exe" /SC ONSTART
'%WINDIR%\syswow64\regedit.exe' /s iis.reg
'%WINDIR%\syswow64\cmd.exe' /c del "<Full path to file>"' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ""%WINDIR%\end.bat" "' (with hidden window)
'%WINDIR%\syswow64\cmd.exe' /c ""%WINDIR%\IIS\qdx.bat" "' (with hidden window)